From c68106b37ce73468593f2ed7d73e363262cb592d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 26 Aug 2019 17:22:11 +0500 Subject: [PATCH 01/12] Update event-5155.md --- .../threat-protection/auditing/event-5155.md | 128 ++++++++++++++---- 1 file changed, 105 insertions(+), 23 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index 934f310147..de9e17504d 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -24,35 +24,47 @@ By default Windows firewall won't prevent a port from being listened by an appli You can add your own filters using the WFP APIs to block listen to reproduce this event: . -There is no event example in this document. - ***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) -***Event Schema:*** +***Event Description:*** -*The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.* +This event generates every time [Windows Filtering Platform](https://docs.microsoft.com/windows/win32/fwp/windows-filtering-platform-start-page) blocks an application or service from listening on a port for incoming connections. -*Application Information:* +
-> *Process ID:%1* -> -> *Application Name:%2* +***Event XML:*** +``` + + + + 5155 + 0 + 0 + 12810 + 0 + 0x8010000000000000 + + 42196 + + + Security + NATHAN-AGENT2 + + + + 2628 + \device\harddiskvolume2\users\test\desktop\netcat\nc.exe + 0.0.0.0 + 5555 + 6 + 84576 + %%14609 + 40 + + -*Network Information:* - -> *Source Address:%3* -> -> *Source Port:%4* -> -> *Protocol:%5* - -*Filter Information:* - -> *Filter Run-Time ID:%6* -> -> *Layer Name:%7* -> -> *Layer Run-Time ID:%8* +``` ***Required Server Roles:*** None. 
@@ -60,6 +72,76 @@ There is no event example in this document. ***Event Versions:*** 0. +***Field Descriptions:*** + +**Application Information**: + +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): + + Task manager illustration + + If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. + + You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + + + +- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. + + Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**: + +DiskPart illustration + +**Network Information:** + +- **Source Address** \[Type = UnicodeString\]**:** the local IP address of the computer running the application. + + - IPv4 Address + + - IPv6 Address + + - :: - all IP addresses in IPv6 format + + - 0.0.0.0 - all IP addresses in IPv4 format + + - 127.0.0.1 , ::1 - localhost + +- **Source Port** \[Type = UnicodeString\]**:** the port number used by the application. + +- **Protocol** \[Type = UInt32\]: the protocol number being used. 
+ +| Service | Protocol Number | +|----------------------------------------------------|-----------------| +| Internet Control Message Protocol (ICMP) | 1 | +| Transmission Control Protocol (TCP) | 6 | +| User Datagram Protocol (UDP) | 17 | +| General Routing Encapsulation (PPTP data over GRE) | 47 | +| Authentication Header (AH) IPSec | 51 | +| Encapsulation Security Payload (ESP) IPSec | 50 | +| Exterior Gateway Protocol (EGP) | 8 | +| Gateway-Gateway Protocol (GGP) | 3 | +| Host Monitoring Protocol (HMP) | 20 | +| Internet Group Management Protocol (IGMP) | 88 | +| MIT Remote Virtual Disk (RVD) | 66 | +| OSPF Open Shortest Path First | 89 | +| PARC Universal Packet Protocol (PUP) | 12 | +| Reliable Datagram Protocol (RDP) | 27 | +| Reservation Protocol (RSVP) QoS | 46 | + +**Filter Information:** + +- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field. + + To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example: + + Filters.xml file illustration + +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. + +- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. 
You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: + +Wfpstate xml illustration + ## Security Monitoring Recommendations - If you use Windows Filtering Platform APIs to block application or services from listening on a port, then you can use this event for troubleshooting and monitoring. From a302fc19fe303d453f321bd9858819cfdd66f9f3 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:30:27 +0500 Subject: [PATCH 02/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index de9e17504d..ac2e1deec7 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -28,7 +28,7 @@ You can add your own filters using the WFP APIs to block listen to reproduce thi ***Event Description:*** -This event generates every time [Windows Filtering Platform](https://docs.microsoft.com/windows/win32/fwp/windows-filtering-platform-start-page) blocks an application or service from listening on a port for incoming connections. +This event generates every time the [Windows Filtering Platform](https://docs.microsoft.com/windows/win32/fwp/windows-filtering-platform-start-page) blocks an application or service from listening on a port for incoming connections.
From 536bdb57c57dcc8e454b42f496c74e4387750f6a Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:30:39 +0500 Subject: [PATCH 03/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index ac2e1deec7..d64947b8c8 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -86,7 +86,7 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi -- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. +- **Application Name** \[Type = UnicodeString\]**:** Full path and the name of the executable for the process. Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**: From aa4ff89329b7010aab8557ad071155f3fcb8e7b9 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:31:05 +0500 Subject: [PATCH 04/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index d64947b8c8..a0f9323cf9 100644 --- a/windows/security/threat-protection/auditing/event-5155.md 
+++ b/windows/security/threat-protection/auditing/event-5155.md @@ -76,7 +76,7 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi **Application Information**: -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): +- **Process ID** \[Type = Pointer\]: Hexadecimal Process ID (PID) of the process which was permitted to bind to the local port. The PID is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): Task manager illustration From 3b6c2fabda532b60a1b9519a366d3369a86c97ba Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:31:33 +0500 Subject: [PATCH 05/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index a0f9323cf9..f1ecd05750 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md 
@@ -88,7 +88,7 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi - **Application Name** \[Type = UnicodeString\]**:** Full path and the name of the executable for the process. - Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**: + Logical disk is displayed in the format \\device\\harddiskvolume\#. You can get all local volume numbers by using the **diskpart** utility. The command to get volume numbers using diskpart is “**list volume**”: DiskPart illustration From 6a8d130e7781a84046863291ce121f3177cab356 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:31:40 +0500 Subject: [PATCH 06/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index f1ecd05750..edfe11c014 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -94,7 +94,7 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi **Network Information:** -- **Source Address** \[Type = UnicodeString\]**:** the local IP address of the computer running the application. +- **Source Address** \[Type = UnicodeString\]**:** The local IP address of the computer running the application. - IPv4 Address From 4718bfeb5ab6d0d849007cd3062ac5273876cb73 Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:31:47 +0500 Subject: [PATCH 07/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index edfe11c014..2556cef8e3 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -106,7 +106,7 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi - 127.0.0.1 , ::1 - localhost -- **Source Port** \[Type = UnicodeString\]**:** the port number used by the application. +- **Source Port** \[Type = UnicodeString\]**:** The port number used by the application. - **Protocol** \[Type = UInt32\]: the protocol number being used. From 5fe14b637bd3330cd06a96798b824549f55e3965 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:31:58 +0500 Subject: [PATCH 08/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index 2556cef8e3..b0cf801a8d 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md 
@@ -132,7 +132,7 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi - **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field. - To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example: + To find a specific Windows Filtering Platform filter by ID, you need to execute the following command: **netsh wfp show filters**. As a result of this command, a **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**), for example: Filters.xml file illustration From 2ec695456a70137f45002de4b39ee7362fa9807e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:32:09 +0500 Subject: [PATCH 09/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index b0cf801a8d..5555db94bd 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md 
@@ -138,7 +138,7 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi - **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. -- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: +- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example: Wfpstate xml illustration From 05e46457a066ebbbe61c7cd807fa191bc40825e2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:32:19 +0500 Subject: [PATCH 10/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index 5555db94bd..210c9bf842 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md 
@@ -130,7 +130,7 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi **Filter Information:** -- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field. +- **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you will get a 0 value in this field. To find a specific Windows Filtering Platform filter by ID, you need to execute the following command: **netsh wfp show filters**. As a result of this command, a **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**), for example: From 107f34dc380cde2f449a67e2bea9ad56acc64861 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:32:42 +0500 Subject: [PATCH 11/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index 210c9bf842..4b62fee658 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -33,7 +33,7 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi
***Event XML:*** -``` +```xml From 27117649bb918b4995980a0398723907ae9702a9 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 28 Aug 2019 15:32:56 +0500 Subject: [PATCH 12/12] Update windows/security/threat-protection/auditing/event-5155.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-5155.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index 4b62fee658..9964b6f390 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -63,7 +63,6 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi 40 - ``` ***Required Server Roles:*** None.
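Review bot: in PATCH 01/12, hunk @@ -24,35 +24,47 @@, the sample Event XML shows `2628` for ProcessID with no 0x prefix, which reads as a decimal value, while the Process ID field description added in the next hunk of the same patch calls the field hexadecimal (\[Type = Pointer\]) and tells the reader to convert it to decimal before comparing with Task Manager; either the sample should show the value in the form the description claims or the description should say the value is decimal, so the two agree. The opening ``` fence of the sample also carries no language tag; ```xml would give it syntax highlighting like the other code samples in this doc set.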
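Review bot: in PATCH 01/12, hunk @@ -60,6 +72,76 @@, the protocol table gives Internet Group Management Protocol (IGMP) the number 88; IANA assigns IGMP protocol number 2, and 88 is EIGRP, so the row should read `| Internet Group Management Protocol (IGMP) | 2 |` (or be relabelled EIGRP if 88 was the intended entry). In the same table, the GRE row should say "Generic Routing Encapsulation", not "General Routing Encapsulation". The rest of the numbers (ICMP 1, TCP 6, UDP 17, GRE 47, AH 51, ESP 50, OSPF 89, RSVP 46) match the IANA registry.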
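Review bot: in PATCH 04/12, hunk @@ -76,7 +76,7 @@, the rewritten Process ID bullet still says the process "was permitted to bind to the local port", which contradicts the Event Description added in PATCH 01/12 (the event fires when the Windows Filtering Platform blocks an application from listening). Suggest "Hexadecimal Process ID (PID) of the process which was blocked from binding to the local port." so the field description matches the event's meaning rather than the wording of the permit-event page it appears to be copied from.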
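Review bot: in PATCH 07/12, hunk @@ -106,7 +106,7 @@, the Source Port bullet is capitalized to "The port number used by the application." but the Protocol bullet immediately below it, visible as an unchanged context line, still reads "the protocol number being used."; capitalize it as well ("The protocol number being used.") so the Network Information bullets are consistent with the other field descriptions capitalized in this series.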
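Review bot: in PATCH 09/12, hunk @@ -138,7 +138,7 @@, the Layer Run-Time ID bullet still reads "As result of this command, a **wfpstate.xml** file will be generated."; it is missing the article. Use "As a result of this command, a **wfpstate.xml** file will be generated." to match the parallel sentence in the Filter Run-Time ID bullet ("As a result of this command, a **filters.xml** file will be generated.").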
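Review bot: in PATCH 10/12, hunk @@ -130,7 +130,7 @@, the rewritten sentence "Windows firewall won't prevent a port from binding to an application" has the relationship reversed; it is the application that binds to the port, so "By default, Windows firewall won't prevent an application from binding to a port" is the reading the rest of the page uses. The following clause, "if this application doesn't match any filters, you will get a 0 value in this field", also does not fit this event: per the Event Description in PATCH 01/12 the event is only generated when a filter blocks the listen, and the sample shows a non-zero FilterRTID (84576), so either drop the 0-value sentence or state explicitly that a filter ID is always expected here.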