Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1134-access-token-manipulation

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects execution of the NoFilter tool used for access token manipulation and privilege escalation.

Strategy

This rule monitors Windows filtering platform events, where @evt.id is 5447 for filter deletion or @evt.id is 5449 for provider context deletion when the filter name or provider context name contains RonPolicy. NoFilter is a security research tool that manipulates Windows Filtering Platform (WFP) to disable security filters and bypass access controls. The tool creates distinctive WFP artifacts with RonPolicy naming conventions that can be reliably detected. Attackers use NoFilter to disable endpoint protection, bypass application controls, and manipulate access tokens for defense evasion and privilege escalation.

Triage and response

• Examine the process that created or modified the WFP filter with the RonPolicy identifier on {{host}} to determine the source of the NoFilter execution.
• Check for signs of security software being disabled or bypassed following the NoFilter tool execution.
• Review system access controls and verify if any security policies or filters have been improperly modified or removed.
• Analyze the user context and privileges under which the NoFilter tool was executed to understand the scope of potential access token manipulation.
• Investigate any suspicious process execution or privilege escalation activities that may have occurred after the filtering platform modifications.