Admin By Request (ABR) is a Privileged Access Management (PAM) tool designed for managing local administrator privileges. Granting permanent administrator rights can expose organizations to malware, privilege misuse, and compliance risks. Admin By Request addresses this by allowing users to request temporary, audited admin access when needed, eliminating the need for permanent local administrator rights. This approach enhances endpoint security and enforces the principle of least privilege.
Integrating Admin By Request with Wazuh enables security teams to centralize privilege elevation data alongside endpoint and network security alerts. This unified view enables faster detection of unauthorized admin use, repeated elevation attempts, and insider threats. Wazuh correlation and automated response features can help enforce policies and send alerts when risky privilege activities occur.
In this blog post, we show how to integrate Admin By Request with Wazuh to gain visibility into privileged access events and enhance endpoint security.
Infrastructure
We use the following infrastructure to demonstrate integrating Admin By Request with Wazuh:
- A pre-built, ready-to-use Wazuh OVA 4.12.0, which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
- A Windows 11 endpoint with the Wazuh agent 4.12.0 installed and enrolled to the Wazuh server. We will also install the Admin By Request agent on the Windows endpoint.
Configuration
Windows endpoint
The Wazuh agent is installed on the Windows endpoint to collect and forward event logs generated by the Admin By Request agent. By default, Wazuh agents monitor the Windows Application log channel, where ABR logs events like privilege elevation requests, denials, and changes to administrator group membership. These logs are sent to the Wazuh manager for real-time analysis, correlation, and alerting.
Perform the following steps to install the ABR agent on the Windows endpoint.
- Sign up for an Admin By Request account.
- Select Endpoint Privilege Management (EPM) under the Primary Product Interest.
- Log in to your Admin By Request dashboard and click on Download to download the agent for Windows endpoints.
- Run the downloaded file to install the Admin By Request agent on your Windows endpoint.
- Restart the Windows endpoint to turn on User Account Control (UAC).
 
Wazuh server
Create Wazuh custom rules to detect the activities of the Admin By Request agent on the monitored Windows endpoint.
- Create a file admin_by_request_rules.xml in the /var/ossec/etc/rules/ directory:
# touch /var/ossec/etc/rules/admin_by_request_rules.xml
- Add the following Wazuh custom rules to the /var/ossec/etc/rules/admin_by_request_rules.xml file to detect the Admin By Request agent results:
<group name="adminbyrequest,">
<!-- Detects denied privilege elevation activities --> 
  <rule id="100111" level="10">
    <if_sid>60601</if_sid>
    <field name="win.system.providerName" type="pcre2">\bAdmin By Request\b</field>
    <field name="win.system.severityValue" type="pcre2">WARNING</field>
    <field name="win.system.message" type="pcre2">(?i).*denied.*</field>
    <description>ABR: $(win.system.message)</description>
    <mitre>
      <id>T1548</id>
    </mitre>
  </rule>
<!-- Detects multiple denied privilege elevation activities -->
  <rule id="100112" level="10" frequency="5" timeframe="300" >
    <if_matched_sid>100111</if_matched_sid>
    <description>ABR: Multiple privilege elevation requests denied</description>
    <mitre>
      <id>T1548</id>
    </mitre>
  </rule>
<!-- Detects privilege elevation requests -->
  <rule id="100113" level="2">
    <if_sid>60600</if_sid>
    <field name="win.system.providerName" type="pcre2">\bAdmin By Request\b</field>
    <field name="win.system.message" type="pcre2">(?i)Received elevation approval reply</field>
    <description>ABR: Privilege elevation request.</description>
    <mitre>
      <id>T1548.002</id>
    </mitre>
  </rule>
<!-- Detects multiple privilege elevation requests -->
  <rule id="100114" level="8" frequency="5" timeframe="300" >
    <if_matched_sid>100113</if_matched_sid>
    <field name="win.system.message" type="pcre2">(?i)Received elevation approval reply</field>
    <description>ABR: Multiple privilege elevation requests in 5 minutes</description>
    <mitre>
      <id>T1548.002</id>
    </mitre>
  </rule>
<!-- Detects when a user is added to the local admin group -->
  <rule id="100115" level="8" >
    <if_sid>60600</if_sid>
    <field name="win.system.providerName" type="pcre2">\bAdmin By Request\b</field>
    <field name="win.eventdata.data" type="pcre2">(?i).* added to local administrators group</field>
    <description>ABR: $(win.eventdata.data)</description>
    <mitre>
      <id>T1136.001</id>
    </mitre>
  </rule>
<!-- Detects when a user is removed from the local admin group -->
  <rule id="100116" level="5" >
    <if_sid>60600</if_sid>
    <field name="win.system.providerName" type="pcre2">\bAdmin By Request\b</field>
    <field name="win.eventdata.data" type="pcre2">(?i).* removed from local admins group</field>
    <description>ABR: $(win.eventdata.data)</description>
    <mitre>
      <id>T1098</id>
    </mitre>
  </rule>
</group>
Where:
- Rule ID 100111 is triggered when a privilege elevation request is denied.
- Rule ID 100112 is triggered when multiple privilege elevation requests are denied within five minutes.
- Rule ID 100113 is triggered when ABR receives a reply to a privilege elevation request.
- Rule ID 100114 is triggered when ABR receives multiple privilege elevation requests within five minutes.
- Rule ID 100115 is triggered when Admin By Request adds a user to the local administrators group.
- Rule ID 100116 is triggered when Admin By Request removes a user from the local administrators group.
- Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
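To sanity-check what the rules above match, and how the frequency/timeframe pairs in rules 100112 and 100114 behave, here is an added Python example that is not part of the original post and not a Wazuh component: it re-implements the six rules over constructed events shaped like the decoded windows_eventchannel fields the rules reference. The message and data strings are invented, and clearing the window once a composite rule fires is an assumption about the manager's counter.

```python
import re
from collections import defaultdict, deque

PROVIDER = re.compile(r"\bAdmin By Request\b")
BASE_RULES = [  # rules 100111/100113/100115/100116: (id, required severityValue or None, field path, regex)
    ("100111", "WARNING", ("system", "message"), re.compile(r"(?i).*denied.*")),
    ("100113", None, ("system", "message"), re.compile(r"(?i)Received elevation approval reply")),
    ("100115", None, ("eventdata", "data"), re.compile(r"(?i).* added to local administrators group")),
    ("100116", None, ("eventdata", "data"), re.compile(r"(?i).* removed from local admins group")),
]
# rules 100112/100114: parent id -> (child id, frequency, timeframe in seconds)
FREQ_RULES = {"100111": ("100112", 5, 300), "100113": ("100114", 5, 300)}

def abr_event(ts, severity, message="", data=""):
    # Constructed event carrying only the decoded windows_eventchannel fields the rules use.
    return {"ts": ts, "win": {"eventdata": {"data": data}, "system": {
        "providerName": "Admin By Request", "severityValue": severity, "message": message}}}

def match_base(ev):
    """Return the id of the first base rule matching the event, or None."""
    system = ev["win"]["system"]
    if not PROVIDER.search(system["providerName"]):
        return None
    for rid, severity, (section, field), rx in BASE_RULES:
        sev_ok = severity is None or system["severityValue"] == severity
        if sev_ok and rx.search(ev["win"][section].get(field, "")):
            return rid
    return None

def evaluate(events):
    """Replay events in time order and return one (ts, rule id) per alert. A sliding window per
    parent rule emulates frequency/timeframe; clearing it after the composite fires is an assumption."""
    windows, alerts = defaultdict(deque), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        rid = match_base(ev)
        if rid is None:
            continue
        if rid in FREQ_RULES:
            child, freq, frame = FREQ_RULES[rid]
            window = windows[rid]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > frame:  # forget matches older than the timeframe
                window.popleft()
            if len(window) >= freq:  # enough matches inside the window: child replaces parent
                window.clear()
                rid = child
        alerts.append((ev["ts"], rid))
    return alerts
# Constructed demo input: five denials within two minutes, then an admin session start and end.
SAMPLE = [abr_event(t, "WARNING", "Run as admin denied by policy for j.doe") for t in (0, 30, 60, 90, 120)]
SAMPLE += [abr_event(400, "INFORMATION", data="j.doe added to local administrators group"),
           abr_event(1300, "INFORMATION", data="j.doe removed from local admins group")]
```

Calling evaluate(SAMPLE) yields four 100111 alerts, then 100112 on the fifth denial, followed by 100115 and 100116; the authoritative check remains running real events through wazuh-logtest on the manager, since this script only mirrors the regexes and counters.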
Test cases
We run the following scenarios to test the custom rules created in the previous sections.
- Detecting a denied privilege elevation request: The Admin By Request agent is configured to automatically deny all “Run as Admin” requests on the monitored Windows endpoint. In this scenario:
  - Rule ID 100111 is triggered when Wazuh detects a denied privilege elevation attempt.
  - Rule ID 100112 is triggered when multiple privilege elevation requests are denied within five minutes.
- Detecting multiple privilege elevation requests: The Admin By Request agent is configured to allow users on the Windows endpoint to submit privilege elevation requests for administrator approval. In this scenario, rule ID 100114 is triggered when Wazuh detects multiple privilege elevation requests submitted within five minutes.
- Detecting a user elevation (Admin session): The Admin By Request agent is configured to allow users on the Windows endpoint to request an administrator session for a limited period. When the request is approved, the user is temporarily added to the local administrators group, granting administrative rights for the configured duration. In this scenario:
  - Rule ID 100115 is triggered when an administrator session is granted to a user, indicating that they have been added to the local administrators group.
  - Rule ID 100116 is triggered when the session ends and the user is removed from the local administrators group.
Detecting a denied privilege elevation request
Perform the following steps to detect a denied privilege elevation request.
Admin By Request Dashboard
1. Log in to the Admin By Request dashboard, navigate to Settings > Windows Settings > Authorization, and set the following fields to disable “Run as Admin”:
  - Allow Run As Admin to OFF.
  - Block Run As Admin to ON.
2. Click Save to apply the configuration.

Windows endpoint
1. Restart the Windows endpoint to apply the updated settings.
2. Right-click on any application and select Run as administrator.

Note
This action triggers Rule ID 100111, which detects a denied privilege elevation attempt. If multiple denied attempts are made within a short time frame, Rule ID 100112 is also triggered.
Visualize results
Follow the steps below to view the alerts generated on the Wazuh dashboard.
- Navigate to Threat intelligence > Threat Hunting.
- Click + Add filter. Then filter by rule.id.
- In the Operator field, select is one of.
- Search and select 100111 and 100112 in the Values field.
- Click Save.

Detecting multiple privilege elevation requests
Perform the following steps to detect multiple privilege elevation requests.
Admin By Request Dashboard
1. Log in to the Admin By Request dashboard, navigate to Settings > Windows Settings > Authorization, and set the following fields to enable “Run as Admin” with Approval:
  - Allow Run As Admin to ON.
  - Require Approval to ON.
2. Click Save to apply the configuration.

Windows endpoint
1. Restart the Windows endpoint to apply the updated settings immediately.
2. Right-click on any application and select Run as administrator. A prompt appears to request approval to run the application with elevated privileges. Fill in the requested information and click OK.
3. On the Admin By Request dashboard, navigate to Requests. Click on PENDING to view approval requests. Select either Accept or Deny.
4. Repeat steps 2 and 3 five times within five minutes. This triggers rule ID 100114, which detects when multiple privilege elevation requests are submitted in a short timeframe.
Visualize results
Follow the steps below to view the alerts generated on the Wazuh dashboard.
- Navigate to Threat intelligence > Threat Hunting.
- Click + Add filter. Then filter by rule.id.
- In the Operator field, select is one of.
- Search and select 100114 in the Values field.
- Click Save.

Detecting user elevation (Admin session)
Perform the following steps to detect a user elevation event (Admin session).
Admin By Request Dashboard
1. Log in to the Admin By Request dashboard, navigate to Settings > Windows Settings > Authorization, and set the following fields to enable “Admin Session”:
  - Allow Admin Session to ON.
  - Require Approval to ON.
2. Click Save to apply the configuration.

Windows endpoint
1. Restart the Windows endpoint to apply the updated settings immediately.
2. Click the system tray icon in the taskbar. Right-click the Admin By Request icon and select Request administrative access. Fill in the required information in the prompt and click OK.
3. In the Admin By Request dashboard, navigate to Requests, then click on PENDING to view all approval requests. Select Approve to grant temporary administrative access to the user.
4. On the Windows endpoint, click Yes in the pop-up window to start the administrator session. Once done, click Finish in the Admin By Request session panel to end the session.
Visualize results
Follow the steps below to view the alerts generated on the Wazuh dashboard.
- Navigate to Threat intelligence > Threat Hunting.
- Click + Add filter. Then filter by rule.id.
- In the Operator field, select is one of.
- Search and select 100115 and 100116 in the Values field.
- Click Save.

Conclusion
Integrating Admin By Request with Wazuh enhances visibility into privileged access activities across your Windows endpoints. By correlating Admin By Request events with custom Wazuh detection rules, security teams can monitor elevation requests, detect abuse of admin privileges, and respond to unauthorized actions in real time. By combining least-privilege enforcement with centralized monitoring, organizations can reduce the attack surface and strengthen their endpoint security posture.
To learn more about Wazuh capabilities, check out our documentation, blog posts, and join our community for support and updates.