
Summary
This detection rule identifies attempts to bypass Windows User Account Control (UAC) by exploiting the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers may circumvent UAC in order to execute malicious code with elevated permissions without user consent. The rule leverages Elastic Query Language (EQL) to monitor process activity associated with MMC. It triggers when a process is started as a child of 'mmc.exe' and the arguments indicate invocation of the Windows Firewall snap-in ('WF.msc'). The rule also includes guidance on investigating potential UAC bypass incidents, including examining the process execution chain, network activity, and any changes made to the system. Analysts are advised to follow incident response protocols in case of confirmed detections, including isolating affected hosts, blocking identified threats, and resetting compromised credentials.
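The following is an added illustration of the rule's matching logic applied to process-start telemetry; it is not the rule's own EQL query. The ECS-style field names (process.parent.name, process.parent.args, event.type, process.pid) and the sample events are assumptions constructed for this example.

```python
# Added illustration: apply the rule's logic (a process started as a child of
# mmc.exe whose parent command line invokes WF.msc) to process-start events.
# Field names are ECS-style assumptions; sample events are constructed.
from typing import Any, Dict, Iterable, List


def _parent_args(event: Dict[str, Any]) -> List[str]:
    """Return the parent's arguments as a list, accepting a list or a string."""
    args = event.get("process.parent.args", [])
    if isinstance(args, str):
        args = args.split()
    return [str(a) for a in args]


def is_wf_msc_uac_bypass_candidate(event: Dict[str, Any]) -> bool:
    """True when a process starts under mmc.exe that was launched with WF.msc.

    Matching is case-insensitive because Windows paths and snap-in names are,
    and the WF.msc argument may be given as a bare name or a full path.
    """
    if event.get("event.type") != "start":
        return False
    if str(event.get("process.parent.name", "")).lower() != "mmc.exe":
        return False
    return any(a.lower().endswith("wf.msc") for a in _parent_args(event))


def find_candidates(events: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the process.pid values (as strings) of events the rule would flag."""
    return [str(e["process.pid"]) for e in events if is_wf_msc_uac_bypass_candidate(e)]


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    {"event.type": "start", "process.pid": 4100, "process.name": "cmd.exe",
     "process.parent.name": "mmc.exe",
     "process.parent.args": ["C:\\Windows\\System32\\mmc.exe", "C:\\Windows\\System32\\WF.msc"]},
    {"event.type": "start", "process.pid": 4101, "process.name": "notepad.exe",
     "process.parent.name": "mmc.exe",
     "process.parent.args": "mmc.exe eventvwr.msc"},   # different snap-in: no match
    {"event.type": "start", "process.pid": 4102, "process.name": "cmd.exe",
     "process.parent.name": "explorer.exe",
     "process.parent.args": ["explorer.exe"]},         # parent is not mmc.exe
    {"event.type": "end", "process.pid": 4103, "process.name": "cmd.exe",
     "process.parent.name": "mmc.exe",
     "process.parent.args": ["mmc.exe", "wf.msc"]},    # not a start event
]

if __name__ == "__main__":
    print(find_candidates(SAMPLE_EVENTS))  # ['4100']
```

A real deployment would also exclude known-benign children (for example crash handlers) and join the hit with the investigation steps above: parent chain, network activity, and system changes.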
Categories
- Endpoint
- Windows
- Cloud
Data Sources
- Process
- Windows Registry
- Application Log
- Network Traffic
- Cloud Service
ATT&CK Techniques
- T1548
- T1548.002
- T1218
- T1218.014
Created: 2020-10-14