Detecting defense evasion techniques with Wazuh
August 26, 2025
Admin By Request (ABR) is a Privilege Access Management (PAM) tool designed for managing local administrator privileges. Granting permanent administrator rights can expose organizations to malware, privilege misuse, and compliance risks. Admin By Request addresses this by allowing users to request temporary, audited admin access when needed, eliminating the need for permanent local administrator rights. This approach enhances endpoint security and enforces the principle of least privilege.
Integrating Admin By Request with Wazuh enables security teams to centralize privilege elevation data alongside endpoint and network security alerts. This unified view enables faster detection of unauthorized admin use, repeated elevation attempts, and insider threats. Wazuh correlation and automated response features can help enforce policies and send alerts when risky privilege activities occur.
In this blog post, we show how to integrate Admin By Request with Wazuh to gain visibility into privileged access events and enhance endpoint security.
We use the following infrastructure to demonstrate integrating Admin By Request with Wazuh:
The Wazuh agent is installed on the Windows endpoint to collect and forward event logs generated by the Admin By Request agent. By default, Wazuh agents monitor the Windows Application log channel, where ABR logs events like privilege elevation requests, denials, and changes to administrator group membership. These logs are sent to the Wazuh manager for real-time analysis, correlation, and alerting.
Perform the following steps to install the ABR agent on the Windows endpoint.
Endpoint Privilege Management (EPM)
under the Primary Product Interest.Create Wazuh custom rules to detect the activities of the Admin By Request agent on the monitored Windows endpoint.
admin_by_request.xml
in the /var/ossec/etc/rules/
directory:# touch /var/ossec/etc/rules/admin_by_request_rules.xml
/var/ossec/etc/rules/admin_by_request_rule.xml
file to detect the Admin By Request agent results:<group name="adminbyrequest,"> <!-- Detects denied privilege elevation activities --> <rule id="100111" level="10"> <if_sid>60601</if_sid> <field name="win.system.providerName" type="pcre2">\bAdmin By Request\b</field> <field name="win.system.severityValue" type="pcre2">WARNING</field> <field name="win.system.message" type="pcre2">(?i).*denied.*</field> <description>ABR: $(win.system.message)</description> <mitre> <id>T1548</id> </mitre> </rule> <!-- Detects multiple denied privilege elevation activities --> <rule id="100112" level="10" frequency="5" timeframe="300" > <if_matched_sid>100111</if_matched_sid> <description>ABR: Multiple privilege elevation requests denied</description> <mitre> <id>T1548</id> </mitre> </rule> <!-- Detects privilege elevation requests --> <rule id="100113" level="2"> <if_sid>60600</if_sid> <field name="win.system.providerName" type="pcre2">\bAdmin By Request\b</field> <field name="win.system.message" type="pcre2">(?i)Received elevation approval reply</field> <description>ABR: Privilege elevation request.</description> <mitre> <id>T1548.002</id> </mitre </rule> <!-- Detects multiple privilege elevation requests --> <rule id="100114" level="8" frequency="5" timeframe="300" > <if_matched_sid>100113</if_matched_sid> <field name="win.system.message" type="pcre2">(?i)Received elevation approval reply</field> <description>ABR: Multiple privilege elevation requests in 5 minutes</description> <mitre> <id>T1548.002</id> </mitre> </rule> <!-- Detects when a user is added to the local admin group --> <rule id="100115" level="8" > <if_sid>60600</if_sid> <field name="win.system.providerName" type="pcre2">\bAdmin By Request\b</field> <field name="win.eventdata.data" type="pcre2">(?i).* added to local administrators group</field> <description>ABR: $(win.eventdata.data)</description> <mitre> <id>T1136.001</id> </mitre> </rule> <!-- Detects when a user is removed from the local admin group --> <rule id="100116" level="5" > <if_sid>60600</if_sid> <field name="win.system.providerName" type="pcre2">\bAdmin By Request\b</field> <field name="win.eventdata.data" type="pcre2">(?i).* removed from local admins group</field> <description>ABR: $(win.eventdata.data)</description> <mitre> <id>T1098</id> </mitre </rule> </group>
Where:
100111
is triggered when a privilege elevation request is denied.100112
is triggered when multiple privilege elevation requests are denied within five minutes.100113
is triggered when ABR receives a reply for a privilege elevation request.100114
is triggered when ABR receives multiple privilege elevation requests within five minutes.100115
is triggered when Admin By Request adds a user to the local administrators group by Admin By Request.100116
is triggered when a user is removed from the local administrators group by Admin By Request.# systemctl restart wazuh-manager
We run the following scenarios to test the custom rules created in the previous sections.
100111
is triggered when Wazuh detects a denied privilege elevation attempt. 100112
is triggered when multiple privilege elevation requests are denied within five minutes.100114
is triggered when Wazuh detects multiple privilege elevation requests submitted within five minutes.100115
is triggered when an administrator session is granted to a user, indicating that they have been added to the local administrators group.100116
is triggered when the session ends and the user is removed from the local administrators group.Perform the following steps to detect a denied privilege elevation request.
2. Click Save to apply the configuration.
Note
This action triggers Rule ID 100111
, which detects a denied privilege elevation attempt. If multiple denied attempts are made within a short time frame, Rule ID 100112
is also triggered.
Follow the steps below to view the alerts generated on the Wazuh dashboard.
rule.id
.is one of
.100111
and 100112
in the Values field.Perform the following steps to detect multiple privilege elevation requests.
ON
. ON
. 100114
, which detects when multiple privilege elevation requests are submitted in a short timeframe. Follow the steps below to view the alerts generated on the Wazuh dashboard.
rule.id
.is one of
.100114
in the Values field.Perform the following steps to detect a user elevation event (Admin session)
3. In the Admin By Request dashboard, navigate to Requests, then click on PENDING to view all approval requests. Select Approve to grant temporary administrative access to the user.
4. On the Windows endpoint, click Yes in the pop-up window to start the administrator session. Once done, click Finish in the Admin by Request session panel to end the session.
Follow the steps below to view the alerts generated on the Wazuh dashboard.
rule.id
.is one of
.100115
and 100116
in the Values field.Integrating Admin By Request with Wazuh enhances visibility into privileged access activities across your Windows endpoints. By correlating Admin By Request events with custom Wazuh detection rules, security teams can monitor elevation requests, detect abuse of admin privileges, and respond to unauthorized actions in real time. By combining least-privilege enforcement with centralized monitoring, organizations can reduce the attack surface and strengthen their endpoint security posture.
To learn more about Wazuh capabilities, check out our documentation, blog posts, and join our community for support and updates.