Failed attempt to perform a privileged operation.


Abdulaziz Aljaberi
Oct 22, 2023, 8:39:07 AM
to Wazuh | Mailing List

Hi everyone,

I am continuously getting this error from agents, and I am getting millions a day from one agent alone; the other agents are the same.

"Failed attempt to perform a privileged operation." (Windows Agent)

data.win.eventdata.objectServer: Security
data.win.eventdata.privilegeList: SeProfileSingleProcessPrivilege
data.win.eventdata.processId: 0x3a64
data.win.eventdata.processName: C:\\Users\\M\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe
data.win.eventdata.subjectDomainName: CORP
data.win.eventdata.subjectLogonId: 0x11ecd4
data.win.eventdata.subjectUserName: XXXX
data.win.eventdata.subjectUserSid: S-1-5-21-2379723809-854683683-3710391016-1556
data.win.system.channel: Security

Attached are screenshots of the events.

Can you please help us solve this issue?

Attachments: Valid Accounts3.PNG, Valid Accounts.PNG, Valid Accounts1.PNG, Valid Accounts2.PNG

Abdulaziz Aljaberi
Oct 24, 2023, 5:03:15 AM
to Wazuh | Mailing List

Can you please help us regarding the issue shared earlier?

Abdullah Al Rafi Fahim
Oct 24, 2023, 11:23:28 PM
to Wazuh | Mailing List

Hello Abdulaziz,

Sorry for the late response!

I have reviewed the event details and screenshots you provided. This is being triggered by one particular Windows Security event, event ID 4673. This security event reports a call to a privileged service on your Windows endpoint, and the severity value (AUDIT_FAILURE) reflects that the attempts are failing. As per the event details, the process / executable that attempted to call the privileged service is teams.exe. Here I am sharing some related documentation and discussions from Microsoft's end for your reference:

Therefore, our suggestion would be to check this further on your Windows endpoint to identify why this event is being generated there and try to mitigate the issue with Teams accordingly. However, if you find this to be a non-critical event and want to avoid these alerts on the Wazuh end, we can help you with that. If you need that, please let us know.
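As an added example of the "avoid these alerts on the Wazuh end" option (this is not code from the thread or from the Wazuh ruleset): a local rule that suppresses only the exact tuple seen above (event 4673, AUDIT_FAILURE, Teams.exe, SeProfileSingleProcessPrivilege) so that every other 4673 audit failure keeps alerting. Assumptions: the rule is added to `local_rules.xml`, rule id 100001 is unused, and the parent is matched through the `windows` group that the decoded event-channel rules carry.

```xml
<!-- local_rules.xml (added example, not part of the Wazuh ruleset) -->
<group name="local,windows,">
  <!-- Level 0: the manager drops the event instead of writing an alert.
       Every <field> must match, so 4673 failures from any other process,
       or for any other privilege, still reach the stock audit-failure rule. -->
  <rule id="100001" level="0">
    <if_group>windows</if_group>  <!-- assumed parent group of the Windows eventchannel rules -->
    <field name="win.system.eventID">^4673$</field>
    <field name="win.system.severityValue">^AUDIT_FAILURE$</field>
    <field name="win.eventdata.privilegeList">SeProfileSingleProcessPrivilege</field>
    <field name="win.eventdata.processName">\Microsoft\Teams\current\Teams\.exe$</field>
    <description>Teams.exe 4673 SeProfileSingleProcessPrivilege audit failure suppressed (known noisy tuple)</description>
  </rule>
</group>
```

After restarting the manager, feed one of the original JSON events through `/var/ossec/bin/wazuh-logtest` to confirm rule 100001 fires for the Teams event and that a 4673 with a different process or privilege still hits the regular rule.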