← Back to SOC feed Coverage →

UAC Bypass via Windows Firewall Snap-In Hijack

sigma MEDIUM SigmaHQ
T1548
imProcessCreate
evasion
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-23T03:15:01Z · Confidence: medium

Hunt Hypothesis

Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in

Detection Rule

Sigma (Original)

title: UAC Bypass via Windows Firewall Snap-In Hijack
id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
status: test
description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
references:
    - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\mmc.exe'
        ParentCommandLine|contains: 'WF.msc'
    filter:
        Image|endswith: '\WerFault.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where ((ParentProcessName endswith "\\mmc.exe" or ActingProcessName endswith "\\mmc.exe") and ActingProcessCommandLine contains "WF.msc") and (not(TargetProcessName endswith "\\WerFault.exe"))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml