sigmamediumHunting

UAC Bypass via Windows Firewall Snap-In Hijack

Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in

MITRE ATT&CK

T1548

defense-evasionprivilege-escalation

Detection Query

selection:
  ParentImage|endswith: \mmc.exe
  ParentCommandLine|contains: WF.msc
filter:
  Image|endswith: \WerFault.exe
condition: selection and not filter

Author

Tim Rauch, Elastic (idea)

Created

2022-09-27

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack

Tags

attack.defense-evasionattack.privilege-escalationattack.t1548

Raw Content

title: UAC Bypass via Windows Firewall Snap-In Hijack
id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
status: test
description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
references:
    - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\mmc.exe'
        ParentCommandLine|contains: 'WF.msc'
    filter:
        Image|endswith: '\WerFault.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium