Event ID 4663: An attempt was made to access an object (Security)
Lo que este Event ID realmente registra en disco, los campos EventData a leer primero y su lugar en un flujo de triage DFIR.
- Canal
- Security
- Proveedor
- Windows\Security
- Notas de triage
- SACL-driven object access audit. SAM hive reads, .dmp file writes, ransomware sweeps — needs SACL configured per object.