Failed attempt to perform a privileged operation. Windows Agent


Shahid inHell

Dec 12, 2022, 9:55:53 AM
to Wazuh mailing list
Hi there, I am continuously getting this error from a specific agent, and I am getting millions in a day from one agent.

Failed attempt to perform a privileged operation. Windows Agent

data.win.eventdata.objectServer: Security
data.win.eventdata.privilegeList: SeTcbPrivilege
data.win.eventdata.processId: 0x3df0
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe
data.win.eventdata.subjectDomainName: LAPTOP-T061QVF1
data.win.eventdata.subjectLogonId: 0x167390
data.win.eventdata.subjectUserName: abi
data.win.eventdata.subjectUserSid: value-0---------------------------------
data.win.system.channel: Security
data.win.system.computer: LAPT----------------------------
data.win.system.eventID: 4673
data.win.system.eventRecordID: 29320513
data.win.system.keywords: 0x8010000000000000
data.win.system.level: 0
data.win.system.message: "A privileged service was called. Subject:    Security ID:        ---------------    Account Name:       --------    Account Domain:        ---------    Logon ID:        0x167390 Service:    Server:    Security    Service Name:    - Process:    Process ID:    0x3df0    Process Name:    C:\Windows\System32\svchost.exe Service Request Information:    Privileges:        SeTcbPrivilege"
data.win.system.opcode: 0
data.win.system.processID: 4
data.win.system.providerGuid: ------------------------------
data.win.system.providerName: Microsoft-Windows-Security-Auditing
data.win.system.severityValue: AUDIT_FAILURE
data.win.system.systemTime: 2022-12-12T14:49:54.5053235Z
data.win.system.task: 13056
data.win.system.threadID: 34548
data.win.system.version: 0

windows_eventchannel

id: 1670856595.289555664
input.type: log
location: EventChannel

wazuh-server

rule.description: Failed attempt to perform a privileged operation.
rule.firedtimes: 4,447
rule.gdpr: IV_32.2
rule.groups: windows, windows_security

Facundo Mayon

Dec 12, 2022, 10:30:09 AM
to Wazuh mailing list

Hello shahidinhell, thanks for using Wazuh.
For better and more fluid communication, can I suggest you continue this conversation in our Slack community?
I attached the link to access it, you can tag me with @Facundo and we can continue checking your problem.

I will wait for your answer.
Regards

Facundo