Opera keeps calling SeTcbPrivilege
A Former User
We use Security Onion in our office and we keep getting OSSEC alerts because Opera keeps trying to elevate privileges, which fails, which in turn triggers a security audit alert. We don't want to turn the alert off or filter that event out.
Was wondering if anyone else has come across this.
{"timestamp":"2019-03-06T20:05:15.116+0000","rule":{"level":10,"description":"Windows: Multiple failed attempts to perform a privileged operation by the same user.","id":"18151","frequency":6,"firedtimes":550,"mail":true,"groups":["windows"],"pci_dss":["10.2.4","10.2.5","11.4"],"gdpr":["IV_35.7.d","IV_32.2"]},"agent":{"id":"005","name":"SN-WKS-08","ip":"192.168.150.211"},
"manager":{"name":"SN-LAB-SEC01"},"id":"1551902715.1103192234","previous_output":"2019 Mar 06 13:04:55 WinEvtLog: Security: AUDIT_FAILURE(4673):
Microsoft-Windows-Security-Auditing: (no user): no domain: SN-WKS-08.ad.XXXX.ca: A privileged service was called. Subject:
Security ID: S-1-5-21-2358658803-1195769352-62849749-1226 Account Name: XXXX Account Domain: AD Logon ID: 0x281183 Service: Server: Security
Service Name: - Process:
Process ID: 0x2a6c
Process Name: C:\Users\XXXX\AppData\Local\Programs\Opera\58.0.3135.79\opera.exe
Service Request Information:
Privileges: SeTcbPrivilege\n2019 Mar 06 13:04:55