Event ID 5156 — The Windows Filtering Platform has permitted a connection.
Description
The Windows Filtering Platform has permitted a connection.
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name, given as an NT device path (\device\harddiskvolume1\...) rather than a drive-letter path |
| Direction | UnicodeString | [Network Information] Direction. Known values: %%14592 = Inbound, %%14593 = Outbound |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| DestAddress | UnicodeString | [Network Information] Destination Address |
| DestPort | UnicodeString | [Network Information] Destination Port |
| Protocol | UInt32 | [Network Information] Protocol, as an IANA protocol number. Known values include 1 = ICMP, 6 = TCP, 17 = UDP |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID of the WFP filter that permitted the connection |
| LayerName | UnicodeString | [Filter Information] Layer Name. Known values: %%14610 = Receive/Accept (inbound), %%14611 = Connect (outbound) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID of the WFP layer at which the decision was made |
| RemoteUserID | SID | [Filter Information] Remote User ID; normally the NULL SID S-1-0-0 unless the peer's identity was established (for example by IPsec) |
| RemoteMachineID | SID | [Filter Information] Remote Machine ID; normally the NULL SID S-1-0-0, as above |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5156,
    "version": 1,
    "level": 0,
    "task": 12810,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2019-02-13T18:01:47.512340Z",
    "event_record_id": 227694,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 56
    },
    "channel": "Security",
    "computer": "PC01.example.corp",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessID": 820,
    "Application": "\\device\\harddiskvolume1\\windows\\system32\\svchost.exe",
    "Direction": "%%14593",
    "SourceAddress": "fe80::80ac:4126:fa58:1b81",
    "SourcePort": "546",
    "DestAddress": "ff02::1:2",
    "DestPort": "547",
    "Protocol": 17,
    "FilterRTID": 65865,
    "LayerName": "%%14611",
    "LayerRTID": 50,
    "RemoteUserID": "S-1-0-0",
    "RemoteMachineID": "S-1-0-0"
  }
}
```

In this record svchost.exe (PID 820) made an outbound (%%14593, layer Connect %%14611) UDP connection from a link-local IPv6 address, port 546, to the DHCPv6 multicast group ff02::1:2 on port 547: a DHCPv6 client solicit, which is benign.
Detection Patterns #
- Asim Network Session Schema (5 rules, Kusto Query Language): Security-Auditing Event ID 5152 (The Windows Filtering Platform blocked a packet) AND Event ID 5154 (The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections) AND Event ID 5155 (The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections) AND Event ID 5156 (The Windows Filtering Platform has permitted a connection) AND Event ID 5157 (The Windows Filtering Platform has blocked a connection) AND Event ID 5158 (The Windows Filtering Platform has permitted a bind to a local port) AND Event ID 5159 (The Windows Filtering Platform has blocked a bind to a local port) AND Sysmon Event ID 3 (Network connection)
- Command & Control: Application Layer Protocol (Kusto Query Language):
  - 2 rules: Security-Auditing Event ID 5152 → Event ID 5154 → Event ID 5155 → Event ID 5156 → Event ID 5157 → Event ID 5158 → Event ID 5159 → Sysmon Event ID 3 (Network connection)
  - 1 rule: Defender-DeviceNetworkEvents Event ID 9004001 (Connection succeeded) OR Security-Auditing Event ID 5156 (The Windows Filtering Platform has permitted a connection) OR Sysmon Event ID 3 (Network connection)
- Collection: Data from Local System (1 rule, Kusto Query Language): Security-Auditing Event ID 412 (AD FS authentication failure) → Event ID 501 (AD FS proxy authentication request) → Event ID 5156 (The Windows Filtering Platform has permitted a connection)
Community Notes #
Records which process on the local machine (image as an NT device path, plus PID) was allowed to make or accept a connection, together with the source/destination addresses and ports and the protocol. The Direction field distinguishes outbound connections (%%14593, layer Connect) from inbound ones accepted by a listener (%%14592, layer Receive/Accept), so the event covers both directions, not only outbound traffic. It is useful for reviewing the connections of a suspect process, with some caveats: it is only written when the Object Access subcategory "Filtering Platform Connection" is audited for Success; it is generated per connection, for UDP flows as well as TCP, and is therefore extremely noisy on busy hosts; the Application field is a device path (\device\harddiskvolume1\...) rather than a drive-letter path, so rules must match on it accordingly; and RemoteUserID/RemoteMachineID are normally the NULL SID S-1-0-0 and carry a real identity only when the peer was authenticated, for example by IPsec.
Detection Rules #
Sigma #
- RDP over Reverse SSH Tunnel WFP (level: high): Detects svchost hosting RDP termsvcs communicating with the loopback address
- Remote PowerShell Sessions Network Connections (WinRM) (level: high): Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
- Uncommon Outbound Kerberos Connection - Security (level: medium): Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
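The following Python is an added example, not code from this page, from Microsoft or from the Sigma project: it resolves the %% message codes in a 5156 event_data record and applies three checks that approximate the descriptions of the Sigma rules above (the published rules' exact selections are not reproduced). The first sample event is the page's own example; the other four are constructed, as are the addresses, ports and the user-profile image path in them, and the Kerberos allowlist is an assumption to be tuned per environment.

```python
import ipaddress

# Message-table codes as they appear in raw 5156 events, resolved per the
# Microsoft documentation for this event.
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
LAYER = {"%%14610": "Receive/Accept", "%%14611": "Connect"}
PROTOCOL = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers


def decode(event_data):
    """Resolve the %% codes, turn ports into ints and extract the image name."""
    e = dict(event_data)
    e["Direction"] = DIRECTION.get(e["Direction"], e["Direction"])
    e["LayerName"] = LAYER.get(e["LayerName"], e["LayerName"])
    e["ProtocolName"] = PROTOCOL.get(e["Protocol"], str(e["Protocol"]))
    e["SourcePort"] = int(e["SourcePort"])
    e["DestPort"] = int(e["DestPort"])
    # Application is an NT device path (\device\harddiskvolumeN\...) or the
    # bare string "System" for kernel-originated traffic; match on the image.
    e["Image"] = e["Application"].rsplit("\\", 1)[-1].lower()
    return e


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # unparsable address field
        return False


def rdp_over_loopback(e):
    """svchost (hosting TermService) exchanging RDP (3389) with a loopback
    peer: the RDP session arrived through a local tunnel endpoint."""
    return (e["Image"] == "svchost.exe" and e["ProtocolName"] == "TCP"
            and 3389 in (e["SourcePort"], e["DestPort"])
            and (is_loopback(e["SourceAddress"]) or is_loopback(e["DestAddress"])))


def winrm_inbound(e):
    """Inbound TCP connection accepted on a WinRM port."""
    return (e["Direction"] == "Inbound" and e["ProtocolName"] == "TCP"
            and e["DestPort"] in (5985, 5986))


# Images that normally talk Kerberos (assumed allowlist; tune per estate).
KERBEROS_EXPECTED = {"lsass.exe", "svchost.exe", "system"}


def uncommon_kerberos_client(e):
    """Outbound connection to Kerberos (88) from an unexpected image."""
    return (e["Direction"] == "Outbound" and e["DestPort"] == 88
            and e["Image"] not in KERBEROS_EXPECTED)


CHECKS = [rdp_over_loopback, winrm_inbound, uncommon_kerberos_client]


def run_checks(events):
    """Return (record_id, check name) for every event that trips a check."""
    hits = []
    for record_id, event_data in events:
        e = decode(event_data)
        hits.extend((record_id, fn.__name__) for fn in CHECKS if fn(e))
    return hits


SYS32 = "\\device\\harddiskvolume1\\windows\\system32\\"


def wfp(app, direction, src, sport, dst, dport, proto, layer):
    """Constructed event_data in the shape of the example event above."""
    return {"ProcessID": 820, "Application": app, "Direction": direction,
            "SourceAddress": src, "SourcePort": sport, "DestAddress": dst,
            "DestPort": dport, "Protocol": proto, "LayerName": layer,
            "RemoteUserID": "S-1-0-0", "RemoteMachineID": "S-1-0-0"}


SAMPLE_EVENTS = [
    # record 227694 is the page's own example: DHCPv6 from svchost, benign
    (227694, wfp(SYS32 + "svchost.exe", "%%14593", "fe80::80ac:4126:fa58:1b81",
                 "546", "ff02::1:2", "547", 17, "%%14611")),
    # constructed: RDP accepted from a loopback peer
    (1, wfp(SYS32 + "svchost.exe", "%%14592", "127.0.0.1", "49672",
            "127.0.0.1", "3389", 6, "%%14610")),
    # constructed: WinRM session accepted from another host
    (2, wfp(SYS32 + "svchost.exe", "%%14592", "10.1.2.3", "61234",
            "10.1.2.50", "5985", 6, "%%14610")),
    # constructed: Kerberos from a binary in a user profile (hypothetical path)
    (3, wfp("\\device\\harddiskvolume1\\users\\alice\\downloads\\tool.exe",
            "%%14593", "10.1.2.50", "61240", "10.1.2.10", "88", 6, "%%14611")),
    # constructed: the normal Kerberos client, which must not alert
    (4, wfp(SYS32 + "lsass.exe", "%%14593", "10.1.2.50", "61241",
            "10.1.2.10", "88", 6, "%%14611")),
]

if __name__ == "__main__":
    for record_id, name in run_checks(SAMPLE_EVENTS):
        print(f"record {record_id}: {name}")
```

Run against the five sample records the script reports hits for records 1, 2 and 3 only; the page's DHCPv6 example and the lsass Kerberos traffic pass silently. The RDP check looks at port 3389 on either side of the 5-tuple because the loopback peer shows up as the source for the accepted (Receive/Accept) leg and as the destination for the Connect leg.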
Kusto Query Language #
- Zinc Actor IOCs files - October 2022 (level: high): Identifies a match across filename and command-line IOCs related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
References #
- Microsoft Learn, Event 5156: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5156
- Microsoft Learn, Audit Filtering Platform Connection (audit policy): https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
- Example event sourced from the Hayabusa sample EVTX collection: https://github.com/Yamato-Security/hayabusa-sample-evtx
- Windows Forensic Artifacts, EVTX 5156 (WFP permitted): https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-5156-wfp-permitted.md