Windows Event ID 4670 – Security: Object Permissions Changed

Start by examining the specific Event ID 4670 entries to understand what permissions were changed and by whom.

1. Open Event Viewer → Windows Logs → Security
2. Filter for Event ID 4670 using the filter option
3. Double-click on recent 4670 events to view detailed information
4. Review the following key fields:
   • Subject: Account that made the change
   • Object: Target file, folder, or registry key
   • Process Information: Application that initiated the change
   • Access Request Information: Specific permissions modified
5. Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4670} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

Look for patterns in timing, user accounts, or target objects that might indicate unauthorized changes.

Use PowerShell to extract and analyze the permission change details from Event ID 4670 logs.

1. Create a PowerShell script to parse Event ID 4670 details:

# Get detailed 4670 events from the last 24 hours
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4670; StartTime=(Get-Date).AddDays(-1)}

foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $EventData = $XML.Event.EventData.Data
    
    Write-Host "Time: $($Event.TimeCreated)"
    Write-Host "Subject: $($EventData | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text')"
    Write-Host "Object: $($EventData | Where-Object {$_.Name -eq 'ObjectName'} | Select-Object -ExpandProperty '#text')"
    Write-Host "Process: $($EventData | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text')"
    Write-Host "---"
}

2. Export results to CSV for further analysis:

$Results = @()
foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $EventData = $XML.Event.EventData.Data
    
    $Results += [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        SubjectUser = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        ObjectName = ($EventData | Where-Object {$_.Name -eq 'ObjectName'}).'#text'
        ProcessName = ($EventData | Where-Object {$_.Name -eq 'ProcessName'}).'#text'
    }
}
$Results | Export-Csv -Path "C:\Temp\Event4670_Analysis.csv" -NoTypeInformation

This method helps identify bulk permission changes or suspicious patterns across multiple objects.

Ensure proper audit policy configuration to capture all relevant permission change events.

1. Open Group Policy Management Console or run gpedit.msc for local policy
2. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration
3. Expand Object Access and configure these policies:
   • Audit File System: Enable Success and Failure
   • Audit Registry: Enable Success and Failure
   • Audit Handle Manipulation: Enable Success
4. Apply the policy and force an update:

gpupdate /force

5. Verify audit settings using auditpol:

auditpol /get /category:"Object Access"

6. For specific objects, configure SACL auditing:

# Example: Enable auditing on a specific folder
$Path = "C:\ImportantData"
$ACL = Get-Acl $Path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "ChangePermissions", "ContainerInherit,ObjectInherit", "None", "Success,Failure")
$ACL.SetAuditRule($AccessRule)
Set-Acl $Path $ACL

Set up Windows Event Forwarding to centrally monitor Event ID 4670 across your environment.

1. Configure the collector server by enabling the Windows Event Collector service:

Start-Service Wecsvc
Set-Service Wecsvc -StartupType Automatic

2. Create a custom subscription XML file for Event ID 4670:

<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>PermissionChanges</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Monitor permission changes via Event ID 4670</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Custom</ConfigurationMode>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=4670]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>

3. Create the subscription using wecutil:

wecutil cs C:\Path\To\PermissionChanges.xml

4. Configure source computers to forward events:

# Run on source computers
winrm quickconfig
wecutil qc

5. Monitor the forwarded events log:

Get-WinEvent -LogName "ForwardedEvents" | Where-Object {$_.Id -eq 4670} | Select-Object TimeCreated, MachineName, Message

This centralized approach enables enterprise-wide monitoring of permission changes and supports automated alerting workflows.

Perform deep forensic analysis by correlating Event ID 4670 with related security events and system activities.

1. Create a comprehensive correlation query to identify suspicious permission change patterns:

# Advanced correlation script for permission change analysis
$StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date

# Get all permission changes (4670) and related events
$PermissionChanges = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4670; StartTime=$StartTime; EndTime=$EndTime}
$ObjectAccess = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$StartTime; EndTime=$EndTime}
$LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=$StartTime; EndTime=$EndTime}

# Analyze permission changes by user
$UserActivity = @{}
foreach ($Event in $PermissionChanges) {
    $XML = [xml]$Event.ToXml()
    $User = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
    $Object = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectName'}).'#text'
    
    if (-not $UserActivity[$User]) {
        $UserActivity[$User] = @()
    }
    $UserActivity[$User] += @{
        Time = $Event.TimeCreated
        Object = $Object
        EventId = $Event.Id
    }
}

# Identify users with excessive permission changes
$SuspiciousUsers = $UserActivity.GetEnumerator() | Where-Object {$_.Value.Count -gt 10} | Sort-Object {$_.Value.Count} -Descending
Write-Host "Users with high permission change activity:"
$SuspiciousUsers | ForEach-Object { Write-Host "$($_.Key): $($_.Value.Count) changes" }

2. Check for permission changes followed by immediate object access:

# Correlate permission changes with subsequent access attempts
foreach ($PermChange in $PermissionChanges) {
    $ChangeTime = $PermChange.TimeCreated
    $XML = [xml]$PermChange.ToXml()
    $ObjectName = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectName'}).'#text'
    
    # Look for access attempts within 5 minutes after permission change
    $RelatedAccess = $ObjectAccess | Where-Object {
        $_.TimeCreated -gt $ChangeTime -and 
        $_.TimeCreated -lt $ChangeTime.AddMinutes(5) -and
        $_.Message -like "*$ObjectName*"
    }
    
    if ($RelatedAccess) {
        Write-Host "Potential privilege escalation detected:"
        Write-Host "Permission changed: $ChangeTime on $ObjectName"
        Write-Host "Followed by access attempts: $($RelatedAccess.Count)"
    }
}

3. Generate a comprehensive security report:

# Create detailed forensic report
$Report = @"
SECURITY ANALYSIS REPORT - EVENT ID 4670
Generated: $(Get-Date)

SUMMARY:
Total Permission Changes: $($PermissionChanges.Count)
Unique Users Involved: $($UserActivity.Keys.Count)
Time Range: $StartTime to $EndTime

TOP ACTIVE USERS:
$($SuspiciousUsers | ForEach-Object { "$($_.Key): $($_.Value.Count) changes" } | Out-String)

RECOMMENDATIONS:
1. Review accounts with high activity levels
2. Validate business justification for bulk changes
3. Implement additional monitoring for flagged users
4. Consider implementing approval workflows for sensitive objects
"@

$Report | Out-File -FilePath "C:\Temp\Security_Analysis_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"