Event ID 5447 — A Windows Filtering Platform filter has been changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A Windows Filtering Platform filter has been changed.

Message

A Windows Filtering Platform filter has been changed.
	
Subject:
	Security ID: %2
	Account Name: %3

Process Information:
	Process ID: %1

Provider Information:
	ID: %4
	Name: %5

Change Information:
	Change Type: %6

Filter Information:
	ID: %7
	Name: %8
	Type: %9
	Run-Time ID: %10

Layer Information:
	ID: %11
	Name: %12
	Run-Time ID: %13

Callout Information:
	ID: %17
	Name: %18

Additional Information:
	Weight: %14	
	Conditions: %15
	Filter Action: %16

Fields

| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | [Process Information] Process ID |
| UserSid | SID | [Subject] Security ID |
| UserName | UnicodeString | [Subject] Account Name |
| ProviderKey | GUID | [Provider Information] ID |
| ProviderName | UnicodeString | [Provider Information] Name |
| ChangeType | UnicodeString | [Change Information] Change Type |
| FilterKey | GUID | [Filter Information] ID |
| FilterName | UnicodeString | [Filter Information] Name |
| FilterType | UnicodeString | [Filter Information] Type |
| FilterId | UInt64 | [Filter Information] Run-Time ID |
| LayerKey | GUID | [Layer Information] ID |
| LayerName | UnicodeString | [Layer Information] Name (known values below) |
| LayerId | UInt32 | [Layer Information] Run-Time ID |
| Weight | UInt64 | [Additional Information] Weight |
| Conditions | UnicodeString | [Additional Information] Conditions |
| Action | UnicodeString | [Additional Information] Filter Action |
| CalloutKey | GUID | [Callout Information] ID |
| CalloutName | UnicodeString | [Callout Information] Name |

Known values for LayerName:

| Value | Meaning |
|---|---|
| %%14596 | IP Packet |
| %%14597 | Transport |
| %%14598 | Forward |
| %%14599 | Stream |
| %%14600 | Datagram Data |
| %%14601 | ICMP Error |
| %%14602 | MAC 802.3 |
| %%14603 | MAC Native |
| %%14604 | vSwitch |
| %%14608 | Resource Assignment |
| %%14609 | Listen |
| %%14610 | Receive/Accept |
| %%14611 | Connect |
| %%14612 | Flow Established |
| %%14614 | Resource Release |
| %%14615 | Endpoint Closure |
| %%14616 | Connect Redirect |
| %%14617 | Bind Redirect |
| %%14624 | Stream Packet |
| %%14625 | Accept Redirect |
| %%14626 | Accept Redirect |
| %%14640 | ICMP Echo-Request |
| %%14641 | vSwitch Ingress |
| %%14642 | vSwitch Egress |
| %%14643 | Unknown |

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5447,
    "version": 0,
    "level": 0,
    "task": 13573,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T01:44:15.910142+00:00",
    "event_record_id": 289924,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 12032
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": 2896,
    "UserSid": "S-1-5-19",
    "UserName": "NT AUTHORITY\\LOCAL SERVICE",
    "ProviderKey": "DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62",
    "ProviderName": "Microsoft Corporation",
    "ChangeType": "%%16384",
    "FilterKey": "E170DBAA-294E-40F7-A2BE-E0DEE7DF9E43",
    "FilterName": "Microsoft Teams",
    "FilterType": "%%16388",
    "FilterId": 78819,
    "LayerKey": "A3B42C97-9F04-4672-B87E-CEE9C483257F",
    "LayerName": "ALE Receive/Accept v6 Layer",
    "LayerId": 46,
    "Weight": 10376504785133109248,
    "Conditions": "\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 34 00 5c 00  v.o.l.u.m.e.4.\\.\n    00000030  70 00 72 00 6f 00 67 00-72 00 61 00 6d 00 20 00  p.r.o.g.r.a.m. .\n    00000040  66 00 69 00 6c 00 65 00-73 00 5c 00 77 00 69 00  f.i.l.e.s.\\.w.i.\n    00000050  6e 00 64 00 6f 00 77 00-73 00 61 00 70 00 70 00  n.d.o.w.s.a.p.p.\n    00000060  73 00 5c 00 6d 00 69 00-63 00 72 00 6f 00 73 00  s.\\.m.i.c.r.o.s.\n    00000070  6f 00 66 00 74 00 74 00-65 00 61 00 6d 00 73 00  o.f.t.t.e.a.m.s.\n    00000080  5f 00 32 00 33 00 32 00-37 00 35 00 2e 00 37 00  _.2.3.2.7.5...7.\n    00000090  30 00 32 00 2e 00 32 00-34 00 32 00 31 00 2e 00  0.2...2.4.2.1...\n    000000a0  32 00 34 00 30 00 36 00-5f 00 78 00 36 00 34 00  2.4.0.6._.x.6.4.\n    000000b0  5f 00 5f 00 38 00 77 00-65 00 6b 00 79 00 62 00  _._.8.w.e.k.y.b.\n    000000c0  33 00 64 00 38 00 62 00-62 00 77 00 65 00 5c 00  3.d.8.b.b.w.e.\\.\n    000000d0  6d 00 73 00 74 00 65 00-61 00 6d 00 73 00 2e 00  m.s.t.e.a.m.s...\n    000000e0  65 00 78 00 65 00 00 00                          e.x.e...\n\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x11\n",
    "Action": "%%16390",
    "CalloutKey": "00000000-0000-0000-0000-000000000000",
    "CalloutName": "-"
  },
  "message": ""
}
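The Conditions field in the example above is a free-text blob in which binary condition values are rendered as a hex dump. The following Python parser is an added example (not part of this page or of Windows) that splits that exact field into its conditions, decodes the hex-dumped app ID as NUL-terminated UTF-16LE and converts 0x values to integers. The two condition GUIDs are the well-known FWPM_CONDITION_ALE_APP_ID and FWPM_CONDITION_IP_PROTOCOL from the WFP headers; 0x11 is IP protocol 17 (UDP).

```python
import re

# Conditions string from the page's example 5447 event (JSON escapes resolved).
CONDITIONS = (
    "\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n"
    "\tCondition value:\t\n"
    "    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \\.d.e.v.i.c.e.\\.\n"
    "    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.\n"
    "    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 34 00 5c 00  v.o.l.u.m.e.4.\\.\n"
    "    00000030  70 00 72 00 6f 00 67 00-72 00 61 00 6d 00 20 00  p.r.o.g.r.a.m. .\n"
    "    00000040  66 00 69 00 6c 00 65 00-73 00 5c 00 77 00 69 00  f.i.l.e.s.\\.w.i.\n"
    "    00000050  6e 00 64 00 6f 00 77 00-73 00 61 00 70 00 70 00  n.d.o.w.s.a.p.p.\n"
    "    00000060  73 00 5c 00 6d 00 69 00-63 00 72 00 6f 00 73 00  s.\\.m.i.c.r.o.s.\n"
    "    00000070  6f 00 66 00 74 00 74 00-65 00 61 00 6d 00 73 00  o.f.t.t.e.a.m.s.\n"
    "    00000080  5f 00 32 00 33 00 32 00-37 00 35 00 2e 00 37 00  _.2.3.2.7.5...7.\n"
    "    00000090  30 00 32 00 2e 00 32 00-34 00 32 00 31 00 2e 00  0.2...2.4.2.1...\n"
    "    000000a0  32 00 34 00 30 00 36 00-5f 00 78 00 36 00 34 00  2.4.0.6._.x.6.4.\n"
    "    000000b0  5f 00 5f 00 38 00 77 00-65 00 6b 00 79 00 62 00  _._.8.w.e.k.y.b.\n"
    "    000000c0  33 00 64 00 38 00 62 00-62 00 77 00 65 00 5c 00  3.d.8.b.b.w.e.\\.\n"
    "    000000d0  6d 00 73 00 74 00 65 00-61 00 6d 00 73 00 2e 00  m.s.t.e.a.m.s...\n"
    "    000000e0  65 00 78 00 65 00 00 00                          e.x.e...\n"
    "\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n"
    "\tCondition value:\t0x11\n"
)
# Well-known WFP condition GUIDs (FWPM_CONDITION_ALE_APP_ID, FWPM_CONDITION_IP_PROTOCOL).
KNOWN_CONDITIONS = {
    "d78e1e87-8644-4ea5-9437-d809ecefc971": "ALE_APP_ID",
    "3971ef2b-623e-4f9a-8cb1-6e79b806b9a7": "IP_PROTOCOL",
}
HEADER = re.compile(r"Condition ID:\t\{([0-9a-fA-F-]+)\}\n\tMatch value:\t([^\n]*)\n\tCondition value:\t([^\n]*)")
HEX_LINE = re.compile(r"^ +[0-9a-f]{8} +((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})", re.M)

def parse_conditions(text):
    """One dict per condition; hex dumps decode as NUL-terminated UTF-16LE, 0x values as int."""
    result = []
    for block in text.split("\n\n\n"):  # conditions are separated by two blank lines
        head = HEADER.search(block)
        if not head:
            continue
        guid, match, value = head.group(1).lower(), head.group(2), head.group(3)
        dump = HEX_LINE.findall(block)  # only present for binary (byte-blob) condition values
        if dump:
            value = bytes.fromhex(re.sub(r"[ -]", "", "".join(dump))).decode("utf-16-le").rstrip("\x00")
        elif value.startswith("0x"):
            value = int(value, 16)
        result.append({"condition": KNOWN_CONDITIONS.get(guid, guid), "match": match, "value": value})
    return result
```

Decoded this way, the example filter matches only the msteams.exe app ID on UDP (protocol 17), which is the kind of normalized tuple a detection rule can compare against an allow-list instead of the raw hex dump.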

Detection Patterns

References