Failed Windows attempts to WIN


Massimiliano De Falco

May 7, 2026, 7:54:45 AM
to Wazuh | Mailing List
Good morning,
I have installed Wazuh server v4.13 and Win11 clients v4.13 with a domain controller.
I would like to know if Wazuh can somehow view or alert on users' failed Windows attempts or intent of privilege escalation (best if in real time).

If yes, where can I see this information? Thanks.

Oluwaseyi Soneye

May 7, 2026, 9:05:24 AM
to Wazuh | Mailing List
Hello,
Yes, Wazuh can alert on both.

For failed logon attempts:
Wazuh has a built-in rule, ID 18106, that triggers on Windows Event ID 4625. As long as your Windows Audit Policy has Logon/Logoff auditing enabled, you'll see these alerts in real time under ☰ > Security Events (filter by rule.id:18106).

And for privilege escalation, it requires some additional setup for good coverage.
1. Install Sysmon on your Win11 clients and the DC. It enriches process/registry telemetry that Wazuh's built-in rules rely on. To install Sysmon, download from: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon. Then install Sysmon with this configuration file: https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml.

2. Add these to ossec.conf on each agent:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

3. Also make sure your Windows Audit Policy covers Privilege Use and Account Management events (IDs 4673, 4674, 4720, 4732).

On the Wazuh dashboard, you can view alerts under Security events.

Check out these blog posts covering detecting privilege escalation with Wazuh:
- https://wazuh.com/blog/hunting-for-windows-credential-access-attacks/
- https://wazuh.com/blog/detecting-psexec-usage-with-wazuh/

Hope this helps!
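The three setup steps in the reply above, carried out end to end on one Windows 11 agent or DC, as an added example that is not part of the thread and not Wazuh's own tooling. It assumes Sysmon64.exe and sysmonconfig.xml have already been downloaded to C:\Temp (assumed paths), that the Wazuh agent is installed in its default location (C:\Program Files (x86)\ossec-agent, service name WazuhSvc), and that the script runs in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): prepare a Windows agent for the
# failed-logon and privilege-escalation telemetry discussed above.
$ErrorActionPreference = 'Stop'

$SysmonExe = 'C:\Temp\Sysmon64.exe'        # assumed download location
$SysmonCfg = 'C:\Temp\sysmonconfig.xml'    # assumed download location
$OssecConf = 'C:\Program Files (x86)\ossec-agent\ossec.conf'  # default agent path

# Step 3 (done first, so events exist by the time the agent restarts):
# audit subcategories that produce 4625 (Logon), 4673/4674 (Privilege Use)
# and 4720/4732 (Account / Group Management). Names are the English
# auditpol display names; list yours with: auditpol /get /category:*
$subcategories = @(
    'Logon',
    'Sensitive Privilege Use',
    'Non Sensitive Privilege Use',
    'User Account Management',
    'Security Group Management'
)
foreach ($sub in $subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# Step 1: install Sysmon with the config, or just push the config if the
# Sysmon64 service is already present (-c updates an existing install).
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $SysmonExe -accepteula -c $SysmonCfg
} else {
    & $SysmonExe -accepteula -i $SysmonCfg
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# Step 2: add the Sysmon channel to ossec.conf, idempotently. The file is
# edited as text rather than parsed as XML because Wazuh config files may
# contain more than one top-level <ossec_config> block.
$sysmonLocalfile = @"
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
"@
$content = Get-Content -Path $OssecConf -Raw
if ($content -notmatch 'Microsoft-Windows-Sysmon/Operational') {
    Copy-Item -Path $OssecConf -Destination "$OssecConf.bak" -Force
    $idx = $content.LastIndexOf('</ossec_config>')
    if ($idx -lt 0) { throw "No closing </ossec_config> found in $OssecConf" }
    $content = $content.Insert($idx, $sysmonLocalfile + "`r`n")
    Set-Content -Path $OssecConf -Value $content -Encoding UTF8
    Write-Host 'Sysmon <localfile> block added to ossec.conf'
} else {
    Write-Host 'Sysmon <localfile> block already present, ossec.conf unchanged'
}

# Pick up the new configuration.
Restart-Service -Name WazuhSvc

# Sanity check: show the most recent 4625 events locally, pulling the same
# fields the Wazuh alert will carry (data.win.eventdata.*). If this list is
# empty the audit policy is not producing failures yet, so nothing will reach
# the dashboard either; one deliberate bad password on this host fixes that.
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
if ($recent) {
    $recent | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']
            SubStatus = $d['SubStatus']   # e.g. 0xC000006A = wrong password
        }
    } | Format-Table -AutoSize
} else {
    Write-Host 'No 4625 events found yet.'
}
```

Two caveats before running this on a domain-joined machine. Local auditpol settings are overwritten by any Advanced Audit Policy Configuration pushed through Group Policy, so on the DC and domain clients set the same subcategories in a GPO instead of (or as well as) here, otherwise the next policy refresh silently turns them off again. And "Non Sensitive Privilege Use" is extremely noisy on a busy host; enable it only while you need 4674 coverage, or filter it at the Wazuh rule level.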