HackTool - NoFilter Execution

 1title: HackTool - NoFilter Execution
 2id: 7b14c76a-c602-4ae6-9717-eff868153fc0
 3status: test
 4description: |
 5        Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
 6references:
 7    - https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
 8    - https://github.com/deepinstinct/NoFilter
 9    - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
10    - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
11author: Stamatis Chatzimangou (st0pp3r)
12date: 2024-01-05
13tags:
14    - attack.defense-evasion
15    - attack.privilege-escalation
16    - attack.t1134
17    - attack.t1134.001
18logsource:
19    product: windows
20    service: security
21    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
22detection:
23    selection_5447:
24        EventID: 5447
25        FilterName|contains: 'RonPolicy'
26    selection_5449:
27        EventID: 5449
28        ProviderContextName|contains: 'RonPolicy'
29    condition: 1 of selection_*
30falsepositives:
31    - Unknown
32level: high

References

• NoFilter/NoFilter/Consts.cpp at 121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d · deepinstinct/NoFilter

  

  Contribute to deepinstinct/NoFilter development by creating an account on GitHub.

  
  Read More

• GitHub - deepinstinct/NoFilter

  

  Contribute to deepinstinct/NoFilter development by creating an account on GitHub.

  
  Read More

• #NoFilter - Abusing Windows Filtering Platform for Privilege Escalation | Deep Instinct

  

  This blog is based on a session we presented at DEF CON 2023 on Sunday, August 13, 2023, in Las Vegas. Privilege escalation is a common attack vector in the Windows OS. There are multiple offensive tools in the wild that can execute code as “NT AUTHORITY\SYSTEM” (Meterpreter, CobaltStrike, Potato tools), and they all usually do so by duplicating tokens and manipulating services. This allows them to perform attacks like LSASS Shtinkering.

  
  Read More

• 

  Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.

  
  Read More

Related rules

• HackTool - Koh Default Named Pipe
• Meterpreter or Cobalt Strike Getsystem Service Installation - Security
• Meterpreter or Cobalt Strike Getsystem Service Installation - System
• Potential Meterpreter/CobaltStrike Activity
• HackTool - SharpDPAPI Execution