Admin privileges


Jack Martin

Dec 30, 2025, 9:19:42 AM
to wa...@googlegroups.com
<group name="windows,admin_execution">

  <!-- Admin logon -->
  <rule id="600001" level="3">
    <field name="win.system.eventID">4672</field>
    <description>
      Admin privileges assigned to $(win.eventdata.subjectUserName)
    </description>
  </rule>

  <!-- Process executed AFTER admin privileges -->
  <rule id="600002" level="12">
    <if_sid>600001</if_sid>
    <field name="win.system.eventID">4688</field>
    <description>
      ADMIN EXECUTION:
      User: $(win.eventdata.subjectUserName)
      Process: $(win.eventdata.newProcessName)
      CommandLine: $(win.eventdata.commandLine)
    </description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

</group>

Please help me, my rules were not running. My task was: HOW WINDOWS SHOWS "RUN AS ADMIN", and when a simple user has admin power, show an alert.

Olamilekan Abdullateef Ajani

Dec 30, 2025, 10:44:16 AM
to Wazuh | Mailing List
Hello,

The reason your rules did not work is that you are linking two different rules to the same event. To explain: rule 600001 is triggered by the anchor event ID 4672, and you link rule 600002 to rule 600001 while making its anchor event ID 4688. Every time rule 600001, which is the parent, is triggered, the event ID will always be 4672, and since you have linked 600002 to it, it will never fire, because the event will always be 4672 and 4688 will never match.
I see what you are trying to do in terms of correlation, but please also note that these two events are not necessarily going to be linked, because event ID 4688 is process execution. But if you intend to link them, you need a third rule, and the two rules for admin logon and process execution have to be independent. Please refer to the sample below for your reference.

<group name="windows,admin_execution">
  <!-- Admin logon -->
  <rule id="100001" level="3">
    <field name="win.system.eventID">4672</field>
    <description>Admin privileges assigned to $(win.eventdata.subjectUserName)</description>
  </rule>

  <!-- Process executed AFTER admin privileges -->
  <rule id="100002" level="12">
    <field name="win.system.eventID">4688</field>
    <description>ADMIN EXECUTION: User: $(win.eventdata.subjectUserName) Process: $(win.eventdata.newProcessName) CommandLine: $(win.eventdata.commandLine)</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>
</group>

<group name="testing,">
  <rule id="100003" level="12" timeframe="360">
    <if_matched_sid>100001</if_matched_sid>
    <if_sid>100002</if_sid>
    <description>rule 100003 triggers after rule 100001 and 100002 triggered</description>
  </rule>
</group>


Rule 100003 triggers after the execution of rules 100001 and 100002. This is to assume the admin logs in and executes a process and not vice versa.

One point to note when creating custom rules is to always use ID numbers between 100000 and 120000 for custom rules to avoid conflicts with out-of-the-box system rules. I have updated this in the rule I shared above.


Please let me know if you need further assistance on this.

Olamilekan Abdullateef Ajani

Dec 30, 2025, 1:20:32 PM
to Wazuh | Mailing List
Hello Jack,

Please use "reply all" when sharing feedback here so it is well organized and other community users can benefit from the conversation.

That being said, I am looking into the feedback you shared; please do not create new queries on this again.

Thank you

Olamilekan Abdullateef Ajani

Dec 30, 2025, 2:05:47 PM
to Wazuh | Mailing List
Hello Jack,

I have evaluated your feedback, and it seems to be different from the initial query you shared. This refers to event ID 4673. If I understand you clearly, it seems you are not getting the alert on the dashboard because, when I ran a test on the log you shared, it matched rule 60103 with level 0, which means the event will be ignored and will never trigger an alert, which explains why you only saw it in the archive.json file.
You can learn more about rule classification in the documentation here.

That being said, I created a sample rule for you to trigger an alert based on event ID 4673; please take a look below:

<group name="windows,sensitive_privilege_use,">
  <rule id="143524" level="8">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4673$</field>
    <description>Sensitive privilege used by NON-SYSTEM account</description>
    <mitre>
      <id>T1068</id>
    </mitre>
  </rule>
</group>

Please learn more about rules in the reference documentation below:

Please let me know if you require further assistance on this. Please use "reply all", and kindly explain your requirements so that I understand what is needed and how best to assist you next time.

Regards,
[Attachments: 4673-alert.png, 4673.png]
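The three rule sets in this thread differ in one thing: how a rule is attached to another rule. The stand-in evaluator below is an added example, not Wazuh's own code, and it is deliberately simplified (it evaluates one rule set at a time, treats if_matched_sid as "an earlier alert of that id within timeframe seconds" without the frequency counter, and ignores decoders entirely). It parses the rule XML quoted in the question and in both answers and replays a constructed sequence of Event IDs through them, showing why the chained 600002 rule can never fire, why the independent 100001/100002 pair plus correlating 100003 does, and why a level-0 match such as the one against built-in rule 60103 produces no alert until a child rule raises the level. The body given for rule 60103 is hypothetical: the thread only says the 4673 log matched it at level 0, so a minimal stand-in is used.

```python
"""Simplified model of how Wazuh attaches rules (if_sid vs if_matched_sid).
Added example, not Wazuh code: parses the rule XML from this thread and replays
constructed events through a stand-in evaluator."""
import re
import xml.etree.ElementTree as ET

# Rules from the question: 600002 is a child of 600001 but demands a different eventID.
CHAINED_XML = """<group name="windows,admin_execution">
  <rule id="600001" level="3"><field name="win.system.eventID">4672</field>
    <description>Admin privileges assigned</description></rule>
  <rule id="600002" level="12"><if_sid>600001</if_sid>
    <field name="win.system.eventID">4688</field>
    <description>ADMIN EXECUTION (chained)</description></rule>
</group>"""

# Rules from the first answer: two independent rules plus a correlating third one.
INDEPENDENT_XML = """<group name="windows,admin_execution">
  <rule id="100001" level="3"><field name="win.system.eventID">4672</field>
    <description>Admin privileges assigned</description></rule>
  <rule id="100002" level="12"><field name="win.system.eventID">4688</field>
    <description>Process executed</description></rule>
  <rule id="100003" level="12" timeframe="360"><if_matched_sid>100001</if_matched_sid>
    <if_sid>100002</if_sid><description>Process executed after admin logon</description></rule>
</group>"""

# Rule from the last answer plus a HYPOTHETICAL stand-in for built-in rule 60103:
# the thread only says the 4673 log matched it at level 0; its real body is not shown.
LEVEL0_XML = """<group name="windows,sensitive_privilege_use,">
  <rule id="60103" level="0"><field name="win.system.eventID">^4673$</field>
    <description>stand-in for the built-in level-0 rule</description></rule>
  <rule id="143524" level="8"><if_sid>60103</if_sid>
    <field name="win.system.eventID">^4673$</field>
    <description>Sensitive privilege used by NON-SYSTEM account</description></rule>
</group>"""

# Constructed sample events: decoded win.system.eventID plus a timestamp in seconds.
EVENTS = [
    {"time": 0, "eventID": "4672"},    # special privileges assigned at logon
    {"time": 5, "eventID": "4688"},    # process created shortly afterwards
    {"time": 500, "eventID": "4688"},  # another process, outside the 360 s timeframe
    {"time": 600, "eventID": "4673"},  # sensitive privilege use
]


def parse_rules(xml_text):
    """Extract the few rule attributes this model evaluates."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        field = r.find("field")
        sid, msid = r.findtext("if_sid"), r.findtext("if_matched_sid")
        rules.append({
            "id": int(r.get("id")), "level": int(r.get("level")),
            "timeframe": int(r.get("timeframe", "0")),
            "event_id": field.text.strip() if field is not None else None,
            "if_sid": int(sid) if sid else None,
            "if_matched_sid": int(msid) if msid else None,
        })
    return rules


def matches(rule, event, alerts):
    """Field match is a regex, as in Wazuh. if_matched_sid needs an earlier alert
    of that id inside the timeframe (the frequency counter is omitted here)."""
    if rule["event_id"] and not re.search(rule["event_id"], event["eventID"]):
        return False
    if rule["if_matched_sid"] is not None:
        return any(a["rule"] == rule["if_matched_sid"]
                   and 0 <= event["time"] - a["time"] <= rule["timeframe"]
                   for a in alerts)
    return True


def evaluate(rules, events):
    """Replay events; return (time, rule id, level) of the final rule per match.
    A child (if_sid) is only tested against events its parent matched, and a
    matching child replaces the parent. Only level > 0 results become alerts."""
    children = {}
    for r in rules:
        children.setdefault(r["if_sid"], []).append(r)
    alerts, fired = [], []

    def deepest(rule, event):
        for child in children.get(rule["id"], []):
            if matches(child, event, alerts):
                return deepest(child, event)
        return rule

    for ev in events:
        for root in children.get(None, []):   # rules without if_sid are roots
            if matches(root, ev, alerts):
                final = deepest(root, ev)
                fired.append((ev["time"], final["id"], final["level"]))
                if final["level"] > 0:
                    alerts.append({"rule": final["id"], "time": ev["time"]})
    return fired


def alerts_only(fired):
    """Level-0 matches are written to the archives but never become alerts."""
    return [f for f in fired if f[2] > 0]


if __name__ == "__main__":
    for name, xml in [("chained", CHAINED_XML), ("independent", INDEPENDENT_XML),
                      ("level0", LEVEL0_XML)]:
        print(name, alerts_only(evaluate(parse_rules(xml), EVENTS)))
```

Running it shows the chained set producing only the level-3 logon alert (the 4688 event never reaches 600002 because 600002 is evaluated only for events that already matched 600001), the independent set raising 100003 for the process started 5 seconds after the logon but falling back to plain 100002 for the one started 500 seconds later, and the 4673 event alerting at level 8 only because the child rule 143524 overrides the level-0 parent. In a real Wazuh deployment only one rule wins per event and the frequency counter applies to if_matched_sid, so treat this as a reasoning aid rather than a rule tester; the manager's own logtest tool is the authoritative check.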