HackTool - NoFilter Execution
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
Sigma rule (View on GitHub)
1title: HackTool - NoFilter Execution
2id: 7b14c76a-c602-4ae6-9717-eff868153fc0
3status: test
4description: |
5 Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
6references:
7 - https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
8 - https://github.com/deepinstinct/NoFilter
9 - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
10 - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
11author: Stamatis Chatzimangou (st0pp3r)
12date: 2024-01-05
13tags:
14 - attack.privilege-escalation
15 - attack.t1134
16 - attack.t1134.001
17logsource:
18 product: windows
19 service: security
20 definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
21detection:
22 selection_5447:
23 EventID: 5447
24 FilterName|contains: 'RonPolicy'
25 selection_5449:
26 EventID: 5449
27 ProviderContextName|contains: 'RonPolicy'
28 condition: 1 of selection_*
29falsepositives:
30 - Unknown
31level: high
References
Related rules
- HackTool - Koh Default Named Pipe
- HackTool - SharpDPAPI Execution
- HackTool - SharpImpersonation Execution
- Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- Meterpreter or Cobalt Strike Getsystem Service Installation - System