Event ID 5159 — The Windows Filtering Platform has blocked a bind to a local port.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The Windows Filtering Platform has blocked a bind to a local port.

Message #

The Windows Filtering Platform has blocked a bind to a local port.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Source Address: %3
	Source Port: %4
	Protocol: %5

Filter Information:
	Filter Run-Time ID: %6
	Layer Name: %7
	Layer Run-Time ID: %8

Fields #

Name	Description
`ProcessId` UInt64	[Application Information] Process ID
`Application` UnicodeString	[Application Information] Application Name
`SourceAddress` UnicodeString	[Network Information] Source Address
`SourcePort` UnicodeString	[Network Information] Source Port
`Protocol` UInt32	[Network Information] Protocol Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID
`LayerName` UnicodeString	[Filter Information] Layer Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID

Detection Patterns #

Asim Network Session Schema

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.ANDEvent ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.ANDEvent ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.ANDEvent ID 5156: The Windows Filtering Platform has permitted a connection.ANDEvent ID 5157: The Windows Filtering Platform has blocked a connection.ANDEvent ID 5158: The Windows Filtering Platform has permitted a bind to a local port.ANDEvent ID 5159: The Windows Filtering Platform has blocked a bind to a local port.ANDSysmon Event ID 3: Network connection

5 rules

Kusto Query Language

Remote Desktop Network Brute force (ASIM Network Session schema) (source)

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Show 2 more (5 total)

Google Threat Intelligence - Threat Hunting IP (source)

Potential beaconing activity (ASIM Network Session schema) (source)

Command & Control: Application Layer Protocol

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.→Event ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.→Event ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.→Event ID 5156: The Windows Filtering Platform has permitted a connection.→Event ID 5157: The Windows Filtering Platform has blocked a connection.→Event ID 5158: The Windows Filtering Platform has permitted a bind to a local port.→Event ID 5159: The Windows Filtering Platform has blocked a bind to a local port.→Sysmon Event ID 3: Network connection

2 rules

Kusto Query Language

Google Threat Intelligence - Threat Hunting IP (source)

Potential beaconing activity (ASIM Network Session schema) (source)

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection