UAC Bypass via Windows Firewall Snap-In Hijack
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
Sigma rule (View on GitHub)
1title: UAC Bypass via Windows Firewall Snap-In Hijack
2id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
3status: test
4description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
5references:
6 - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
7author: Tim Rauch, Elastic (idea)
8date: 2022/09/27
9tags:
10 - attack.privilege_escalation
11 - attack.t1548
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 ParentImage|endswith: '\mmc.exe'
18 ParentCommandLine|contains: 'WF.msc'
19 filter:
20 Image|endswith: '\WerFault.exe'
21 condition: selection and not filter
22falsepositives:
23 - Unknown
24level: medium
References
-
UAC Bypass via Windows Firewall Snap-In Hijackedit Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers b...
Read More
Related rules
- Abused Debug Privilege by Arbitrary Parent Processes
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity
- COM Hijack via Sdclt