Can Wazuh detect when a user uses the admin mode in his computer?
448 views
Skip to first unread message
Faten Mkacher
Oct 4, 2023, 10:47:26 AM10/4/23
to Wazuh | Mailing List
Hello,
Can Wazuh detect when a user uses the admin mode in his computer?
Thanks in advance
Julián Morales
Oct 4, 2023, 11:14:52 AM10/4/23
to Faten Mkacher, Wazuh | Mailing List
Hello,
Absolutely, Wazuh is designed to monitor and detect a wide range of activities on a system, including when a user elevates their privileges or accesses admin mode.
For Windows systems, Wazuh monitors the Event Channel. When a user logs in with elevated privileges, an event is generated in the Event Channel. Wazuh's agent captures this event and forwards it to the manager for analysis.
For Linux systems, user authentication and privilege escalation activities are typically logged in /var/log/auth.log. Wazuh's agent actively monitors this log file and captures relevant events.
Once these events are captured by the agent, they are sent to the Wazuh manager. The manager is equipped with a comprehensive set of rules and decoders. These are designed to decode and analyze the incoming events, and if a significant or suspicious activity is detected, a security alert is generated. You can then view and manage these alerts via the Wazuh web interface.
It's worth noting that while Wazuh provides default configurations that cover a wide range of use cases, you can also customize rules and configurations to better suit your specific needs.
I hope this clarifies how Wazuh can detect when a user accesses admin mode.
Best regards,
JulianAbsolutely, Wazuh is designed to monitor and detect a wide range of activities on a system, including when a user elevates their privileges or accesses admin mode.
For Windows systems, Wazuh monitors the Event Channel. When a user logs in with elevated privileges, an event is generated in the Event Channel. Wazuh's agent captures this event and forwards it to the manager for analysis.
For Linux systems, user authentication and privilege escalation activities are typically logged in /var/log/auth.log. Wazuh's agent actively monitors this log file and captures relevant events.
Once these events are captured by the agent, they are sent to the Wazuh manager. The manager is equipped with a comprehensive set of rules and decoders. These are designed to decode and analyze the incoming events, and if a significant or suspicious activity is detected, a security alert is generated. You can then view and manage these alerts via the Wazuh web interface.
It's worth noting that while Wazuh provides default configurations that cover a wide range of use cases, you can also customize rules and configurations to better suit your specific needs.
I hope this clarifies how Wazuh can detect when a user accesses admin mode.
Best regards,
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6d42ccb4-979b-49c1-bcab-23ca5ecbbfd9n%40googlegroups.com.
Salwa Putri
Jul 8, 2024, 4:00:59 AM7/8/24
to Wazuh | Mailing List
Hello, can I ask about is there any documentations or tutorial for monitor this privileged user?
Thanks in advance!
Thanks in advance!
Marietou Gueye
Jun 10, 2025, 8:30:00 AM6/10/25
to Wazuh | Mailing List
Hello everyone !
Is there any documentation about that ?
Jack Martin
Dec 31, 2025, 6:39:12 AM (2 days ago) 12/31/25
to Wazuh | Mailing List
i am also doing this was like admin normal user have admin power and normal user gain the run as amin think but my rules was not show in the alert please help me
<group name="windows,privilege_use">
<rule id="104673" level="8">
<field name="win.system.eventID">^4673$</field>
<field name="win.system.severityValue">^AUDIT_SUCCESS$</field>
<description>Successful privileged service was called (Windows Event ID 4673)</description>
</rule>
</group>
<rule id="104673" level="8">
<field name="win.system.eventID">^4673$</field>
<field name="win.system.severityValue">^AUDIT_SUCCESS$</field>
<description>Successful privileged service was called (Windows Event ID 4673)</description>
</rule>
</group>
Reply all
Reply to author
Forward
0 new messages