5154 The Windows Filtering Platform permitted an application to listen on a port
Written when the Windows Filtering Platform (WFP) permits an application/service to listen on a port for incoming connections. It captures which program opened which port.
Overview
The subcategory is Audit Filtering Platform Connection. It is generated when WFP permits an application or service to listen on a port for inbound connections. It is the “permit” counterpart to the block 5031.
How it is triggered
- When a program opens an inbound port and begins listening, and that is permitted.
Security review points
- You can learn which program began listening on which port. If an unfamiliar program, or a process that should not normally listen, opens a port, suspect installation of a backdoor/listener.
- Note permitted listening by programs in temp folders or non-standard paths. Correlate with process creation 4688 to trace the program’s profile. Together with blocked listening 5031, understand the listen posture.
Notes for log review
- It occurs daily with legitimate server apps and services. Baseline the programs and ports of permitted listening and narrow to unknown/suspicious listeners.
- Confirm listening on high ports, or listening by unfamiliar executables, at high priority.
Key fields
| Field | Meaning |
|---|---|
Application | The program permitted to listen |
Source Port / Protocol | The opened port |