Detectionhightest

HackTool - NoFilter Execution

Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Stamatis Chatzimangou (st0pp3r)Created Fri Jan 057b14c76a-c602-4ae6-9717-eff868153fc0windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Definition

Requirements: Audit Filtering Platform Policy Change needs to be enabled

Detection Logic

detection:
    selection_5447:
        EventID: 5447
        FilterName|contains: 'RonPolicy'
    selection_5449:
        EventID: 5449
        ProviderContextName|contains: 'RonPolicy'
    condition: 1 of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0004 · Privilege Escalation

Techniques

T1134 · Access Token Manipulation

Sub-techniques

T1134.001 · Token Impersonation/Theft

Rule Metadata

Rule ID

7b14c76a-c602-4ae6-9717-eff868153fc0

Status

test

Level

high

Type

Detection

Created

Fri Jan 05

Author

Stamatis Chatzimangou (st0pp3r)

Path

rules/windows/builtin/security/win_security_hktl_nofilter.yml

Raw Tags

attack.defense-evasionattack.privilege-escalationattack.t1134attack.t1134.001

View on GitHub