---
title: Windows NoFilter tool execution
description: Datadog, the leading service for cloud-scale monitoring.
---

# Windows NoFilter tool execution

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
- Classification: attack
- Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)
- Technique: [T1134-access-token-manipulation](https://attack.mitre.org/techniques/T1134)

## Goal{% #goal %}

Detects execution of the NoFilter tool used for access token manipulation and privilege escalation.

## Strategy{% #strategy %}

This rule monitors Windows Filtering Platform (WFP) events, matching when `@evt.id` is `5447` (filter deletion) or `@evt.id` is `5449` (provider context deletion) and the filter name or provider context name contains `RonPolicy`. NoFilter is a security research tool that manipulates WFP to disable security filters and bypass access controls. The tool creates distinctive WFP artifacts that follow a `RonPolicy` naming convention, which makes its activity reliably detectable in these events. Attackers use NoFilter to disable endpoint protection, bypass application controls, and manipulate access tokens for defense evasion and privilege escalation.
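The matching logic described above, run over constructed sample events as an added illustration (this is not Datadog's rule implementation). It assumes events are flattened into attribute dictionaries where `FilterName`, `ProviderContextName`, `ChangeType`, `ProcessId` and `UserName` follow the Windows event schema for 5447/5449; the per-host grouping is there to feed the triage steps below.

```python
import re
from collections import defaultdict

# Constructed sample events, shaped like flattened Windows Security log
# attributes after ingestion. Field names other than "evt.id" are assumed
# (they follow the Windows 5447/5449 event schema); adjust them if your
# pipeline maps them differently.
SAMPLE_EVENTS = [
    {"evt.id": 5447, "ChangeType": "Delete", "FilterName": "RonPolicyFilter",
     "host": "ws-01", "ProcessId": 4120, "UserName": "ACME\\alice"},
    {"evt.id": 5447, "ChangeType": "Add", "FilterName": "Core Networking - DNS",
     "host": "ws-01", "ProcessId": 1040, "UserName": "NT AUTHORITY\\SYSTEM"},
    {"evt.id": 5449, "ChangeType": "Delete", "ProviderContextName": "RonPolicyCtx",
     "host": "ws-02", "ProcessId": 5512, "UserName": "ACME\\bob"},
    # 5448 (provider change) is outside the rule's scope even with the marker
    {"evt.id": 5448, "ChangeType": "Delete", "ProviderName": "RonPolicy",
     "host": "ws-02", "ProcessId": 5512, "UserName": "ACME\\bob"},
    {"evt.id": 5447, "ChangeType": "Delete", "FilterName": "Legit VPN filter",
     "host": "ws-03", "ProcessId": 800, "UserName": "ACME\\carol"},
]

# Event ID -> the event field whose value the rule inspects.
NAME_FIELD = {5447: "FilterName", 5449: "ProviderContextName"}
MARKER = re.compile(r"RonPolicy", re.IGNORECASE)


def matches_nofilter_rule(event):
    """True when the event is a 5447/5449 whose inspected name contains RonPolicy."""
    field = NAME_FIELD.get(event.get("evt.id"))
    if field is None:
        return False
    return MARKER.search(str(event.get(field, ""))) is not None


def triage_by_host(events):
    """Group matches by host with the process and account context an analyst
    needs: which process touched the WFP artifact, and under which user."""
    summary = defaultdict(list)
    for ev in events:
        if matches_nofilter_rule(ev):
            summary[ev["host"]].append({
                "evt.id": ev["evt.id"],
                "change": ev.get("ChangeType"),
                "name": ev[NAME_FIELD[ev["evt.id"]]],
                "pid": ev.get("ProcessId"),
                "user": ev.get("UserName"),
            })
    return dict(summary)
```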

## Triage and response{% #triage-and-response %}

- Examine the process that created or modified the WFP filter with the `RonPolicy` identifier on `{{host}}` to determine the source of the NoFilter execution.
- Check for signs of security software being disabled or bypassed following the NoFilter tool execution.
- Review system access controls and verify if any security policies or filters have been improperly modified or removed.
- Analyze the user context and privileges under which the NoFilter tool was executed to understand the scope of potential access token manipulation.
- Investigate any suspicious process execution or privilege escalation activities that may have occurred after the filtering platform modifications.
