HackTool - NoFilter Execution

 1title: HackTool - NoFilter Execution
 2id: 7b14c76a-c602-4ae6-9717-eff868153fc0
 3status: experimental
 4description: |
 5        Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
 6references:
 7    - https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
 8    - https://github.com/deepinstinct/NoFilter
 9    - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
10    - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
11author: Stamatis Chatzimangou (st0pp3r)
12date: 2024/01/05
13tags:
14    - attack.privilege_escalation
15    - attack.t1134
16    - attack.t1134.001
17logsource:
18    product: windows
19    service: security
20    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
21detection:
22    selection_5447:
23        EventID: 5447
24        FilterName|contains: 'RonPolicy'
25    selection_5449:
26        EventID: 5449
27        ProviderContextName|contains: 'RonPolicy'
28    condition: 1 of selection_*
29falsepositives:
30    - Unknown
31level: high

References

• NoFilter/NoFilter/Consts.cpp at 121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d · deepinstinct/NoFilter

  

  Contribute to deepinstinct/NoFilter development by creating an account on GitHub.

  
  Read More

• GitHub - deepinstinct/NoFilter

  

  Contribute to deepinstinct/NoFilter development by creating an account on GitHub.

  
  Read More

• #NoFilter - Abusing Windows Filtering Platform for Privilege Escalation | Deep Instinct

  

  This blog is based on a session we presented at DEF CON 2023 on Sunday, August 13, 2023, in Las Vegas. Privilege escalation is a common attack vector in the Windows OS. There are multiple offensive tools in the wild that can execute code as “NT AUTHORITY\SYSTEM” (Meterpreter, CobaltStrike, Potato tools), and they all usually do so by duplicating tokens and manipulating services. This allows them to perform attacks like LSASS Shtinkering.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• HackTool - Impersonate Execution
• HackTool - SharpImpersonation Execution
• Meterpreter or Cobalt Strike Getsystem Service Installation - Security
• Meterpreter or Cobalt Strike Getsystem Service Installation - System
• Suspicious SYSTEM User Process Creation