UAC Bypass via Windows Firewall Snap-In Hijack
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
Sigma rule (View on GitHub)
1title: UAC Bypass via Windows Firewall Snap-In Hijack
2id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
3status: test
4description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
5references:
6 - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
7author: Tim Rauch, Elastic (idea)
8date: 2022-09-27
9tags:
10 - attack.defense-evasion
11 - attack.privilege-escalation
12 - attack.t1548
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 ParentImage|endswith: '\mmc.exe'
19 ParentCommandLine|contains: 'WF.msc'
20 filter:
21 Image|endswith: '\WerFault.exe'
22 condition: selection and not filter
23falsepositives:
24 - Unknown
25level: medium
References
-
Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass...
Read More
Related rules
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity
- Abused Debug Privilege by Arbitrary Parent Processes
- CA Policy Removed by Non Approved Actor