Event ID 5158 — The Windows Filtering Platform has permitted a bind to a local port.
Description
The Windows Filtering Platform has permitted a bind to a local port.
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| Protocol | UInt32 | [Network Information] Protocol (known values) |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
Example Event #

```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5158,
    "version": 0,
    "level": 0,
    "task": 12810,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2019-02-13T18:04:01.722250Z",
    "event_record_id": 227731,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 56
    },
    "channel": "Security",
    "computer": "PC01.example.corp",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": 1280,
    "Application": "\\device\\harddiskvolume1\\windows\\system32\\svchost.exe",
    "SourceAddress": "0.0.0.0",
    "SourcePort": "55355",
    "Protocol": 17,
    "FilterRTID": 0,
    "LayerName": "%%14608",
    "LayerRTID": 36
  }
}
```
Detection Patterns #
- Asim Network Session Schema (5 rules)
- Kusto Query Language
- Command & Control: Application Layer Protocol (2 rules)

Both rule groups cover the same set of related events: Security-Auditing Event ID 5152 (The Windows Filtering Platform blocked a packet), Event ID 5154 (The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections), Event ID 5155 (The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections), Event ID 5156 (The Windows Filtering Platform has permitted a connection), Event ID 5157 (The Windows Filtering Platform has blocked a connection), Event ID 5158 (The Windows Filtering Platform has permitted a bind to a local port), Event ID 5159 (The Windows Filtering Platform has blocked a bind to a local port), and Sysmon Event ID 3 (Network connection).
Community Notes #
Unexpected binds on high ports may be a prelude to data exfiltration.
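As an added example (not part of this page or its sources), the check the note describes, run over two constructed 5158 records in the same shape as the example event above; the per-host allowlist, the 49152 high-port threshold and the second record are assumptions:

```python
# Triage Event ID 5158 records: flag binds to high ports by unexpected binaries.
# IANA protocol numbers as they appear in the Protocol (UInt32) field.
PROTOCOLS = {6: "TCP", 17: "UDP"}

# Assumed allowlist of binaries expected to bind high ports on this host (tune per host).
EXPECTED_BINDERS = {
    r"\device\harddiskvolume1\windows\system32\svchost.exe",
}

HIGH_PORT = 49152  # assumed threshold: start of the default Windows dynamic port range

# Constructed sample records; the first mirrors the page's example, the second is invented.
SAMPLE_EVENTS = [
    {"system": {"time_created": "2019-02-13T18:04:01Z", "computer": "PC01.example.corp"},
     "event_data": {"ProcessId": 1280,
                    "Application": r"\device\harddiskvolume1\windows\system32\svchost.exe",
                    "SourceAddress": "0.0.0.0", "SourcePort": "55355", "Protocol": 17}},
    {"system": {"time_created": "2019-02-13T18:05:10Z", "computer": "PC01.example.corp"},
     "event_data": {"ProcessId": 4412,
                    "Application": r"\device\harddiskvolume1\users\public\updater.exe",
                    "SourceAddress": "0.0.0.0", "SourcePort": "50021", "Protocol": 6}},
]


def parse_5158(record: dict) -> dict:
    """Pull the fields that matter for triage out of one 5158 record."""
    data = record["event_data"]
    return {
        "time": record["system"]["time_created"],
        "host": record["system"]["computer"],
        "pid": int(data["ProcessId"]),
        "application": data["Application"].lower(),   # device paths are case-insensitive
        "address": data["SourceAddress"],
        "port": int(data["SourcePort"]),               # SourcePort is logged as a string
        "protocol": PROTOCOLS.get(int(data["Protocol"]), str(data["Protocol"])),
    }


def is_suspicious_bind(ev: dict) -> bool:
    """True for a bind on a high port by a binary that is not on the allowlist."""
    return ev["port"] >= HIGH_PORT and ev["application"] not in EXPECTED_BINDERS


def triage(records) -> list:
    """Return the parsed records that warrant a closer look."""
    return [ev for ev in map(parse_5158, records) if is_suspicious_bind(ev)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['host']} pid={hit['pid']} {hit['application']} "
              f"bound {hit['protocol']} {hit['address']}:{hit['port']}")
```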
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx