Detection rules › Sigma
HackTool - NoFilter Execution
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1134 Access Token Manipulation, T1134.001 Access Token Manipulation: Token Impersonation/Theft |
| Defense Evasion | T1134 Access Token Manipulation, T1134.001 Access Token Manipulation: Token Impersonation/Theft |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5447 | A Windows Filtering Platform filter has been changed. |
| Security-Auditing | 5449 | A Windows Filtering Platform provider context has been changed. |
Stages and Predicates
Stage 1: 1 of selection_5447
FilterName|contains: RonPolicy
Stage 2: 1 of selection_5449
ProviderContextName|contains: RonPolicy
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
FilterName | match |
|
ProviderContextName | match |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.