HackTool - NoFilter Execution

Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators

Sigma rule (View on GitHub)

 1title: HackTool - NoFilter Execution
 2id: 7b14c76a-c602-4ae6-9717-eff868153fc0
 3status: test
 4description: |
 5        Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
 6references:
 7    - https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
 8    - https://github.com/deepinstinct/NoFilter
 9    - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
10    - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
11author: Stamatis Chatzimangou (st0pp3r)
12date: 2024-01-05
13tags:
14    - attack.privilege-escalation
15    - attack.t1134
16    - attack.t1134.001
17logsource:
18    product: windows
19    service: security
20    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
21detection:
22    selection_5447:
23        EventID: 5447
24        FilterName|contains: 'RonPolicy'
25    selection_5449:
26        EventID: 5449
27        ProviderContextName|contains: 'RonPolicy'
28    condition: 1 of selection_*
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top