5156 The Windows Filtering Platform has permitted a connection
Written when the Windows Filtering Platform (WFP) permits a network connection. It captures every permitted connection and is useful for detecting outbound C2 communication and other suspicious traffic.
Overview
The subcategory is Audit Filtering Platform Connection. The event is generated each time WFP permits a connection (outbound or inbound). It includes the source and destination IP addresses and ports and the process involved. It is the "permit" counterpart of 5157, which records connections WFP blocked.
How it is triggered
- When an app connects outbound, or accepts an inbound connection, and WFP permits it.
- Because every successful connection produces one, the event appears in extreme volume.
Security review points
- Detecting outbound C2 communication: the event tells you which process connected to which destination IP and port. Look for outbound connections by unfamiliar processes, connections on non-standard ports, and connections to known malicious IPs/domains.
- Track patterns such as LOLBins (powershell, rundll32, etc.) connecting outbound, or executables in temp folders communicating, by correlating with process creation event 4688.
Notes for log review
- Volume is enormous because every permitted connection appears. Collecting it always-on at full volume is impractical; instead aggregate by process, destination, and port, or restrict collection to outbound connections from specific processes (PowerShell, etc.).
- Combine with EDR and proxy logs to evaluate destinations (threat-intelligence matching).
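The following script is an added example written for this page (it is not from the original text or from Microsoft) that carries out both the review points above and the aggregation suggested in the notes: it parses 5156 records in the XML shape that Get-WinEvent's ToXml() produces, collapses outbound connections into (process, destination, port) counts, flags LOLBins, temp-folder executables and non-standard ports, and correlates each flagged connection with its 4688 process-creation record by process ID. The sample records are constructed, and the LOLBin list, the common-port allow-list and the temp-folder pattern are assumptions to tune for your environment.

```python
"""Triage Windows event 5156 (WFP permitted connection) records.

Assumptions (not from the page): the LOLBin list, the COMMON_PORTS allow-list
and the temp-folder pattern are choices made for this example, and the sample
records below are constructed, not real telemetry."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OUTBOUND = "%%14593"  # raw 5156/5157 Direction value for Outbound (%%14592 = Inbound)
LOLBINS = {"powershell.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe",
           "certutil.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe"}
COMMON_PORTS = {80, 443, 53}          # assumption: replace with your baseline
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def make_xml(event_id, **data):
    """Build a constructed record in the shape Get-WinEvent's ToXml() returns."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{body}</EventData></Event>")


def parse_event(xml_text):
    """Return {'id': int, 'data': {Name: value}} for one event's XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": event_id, "data": data}


def to_int(s):
    """5156 carries a decimal PID, 4688 a hex one (0x...); accept both."""
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def outbound_connections(events):
    """Yield (pid, application path, destination, port) for outbound 5156 records."""
    for ev in events:
        d = ev["data"]
        if ev["id"] == 5156 and d.get("Direction") == OUTBOUND:
            yield to_int(d["ProcessID"]), d["Application"], d["DestAddress"], int(d["DestPort"])


def aggregate(events):
    """Collapse the flood into (process, destination, port) counts so rare pairs stand out."""
    return Counter((basename(app), dest, port)
                   for _pid, app, dest, port in outbound_connections(events))


def process_index(events):
    """Map NewProcessId -> 4688 record data for correlation with 5156."""
    return {to_int(ev["data"]["NewProcessId"]): ev["data"]
            for ev in events if ev["id"] == 4688}


def flag_suspicious(events):
    """Apply the review points: LOLBin, temp-folder executable, non-standard port."""
    procs = process_index(events)
    findings = []
    for pid, app, dest, port in outbound_connections(events):
        reasons = []
        if basename(app) in LOLBINS:
            reasons.append("lolbin")
        if TEMP_DIR.search(app):
            reasons.append("temp path")
        if port not in COMMON_PORTS:
            reasons.append(f"non-standard port {port}")
        if reasons:
            creation = procs.get(pid, {})          # may be missing if 4688 is not collected
            findings.append({"pid": pid, "app": basename(app), "dest": dest, "port": port,
                             "reasons": reasons, "command_line": creation.get("CommandLine")})
    return findings


# Constructed sample records (not real telemetry): two svchost connections to an
# internal host on 443, a PowerShell connection on 8443, an executable run from a
# temp folder connecting on 4444, one inbound record, and the matching 4688 events.
SVCHOST = r"\device\harddiskvolume2\windows\system32\svchost.exe"
SAMPLE_EVENTS = [parse_event(x) for x in [
    make_xml(5156, ProcessID="1200", Application=SVCHOST, Direction=OUTBOUND,
             SourceAddress="10.0.0.23", SourcePort="49700", DestAddress="10.0.0.5", DestPort="443"),
    make_xml(5156, ProcessID="1200", Application=SVCHOST, Direction=OUTBOUND,
             SourceAddress="10.0.0.23", SourcePort="49701", DestAddress="10.0.0.5", DestPort="443"),
    make_xml(5156, ProcessID="4812", Direction=OUTBOUND,
             Application=r"\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe",
             SourceAddress="10.0.0.23", SourcePort="49702", DestAddress="203.0.113.7", DestPort="8443"),
    make_xml(5156, ProcessID="5520", Direction=OUTBOUND,
             Application=r"\device\harddiskvolume2\users\alice\appdata\local\temp\update.exe",
             SourceAddress="10.0.0.23", SourcePort="49703", DestAddress="198.51.100.9", DestPort="4444"),
    make_xml(5156, ProcessID="4", Application="System", Direction="%%14592",
             SourceAddress="10.0.0.7", SourcePort="51000", DestAddress="10.0.0.23", DestPort="445"),
    make_xml(4688, NewProcessId="0x12cc",
             NewProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             CommandLine="powershell.exe -w hidden -enc [base64 omitted]"),
    make_xml(4688, NewProcessId="0x1590",
             NewProcessName=r"C:\Users\alice\AppData\Local\Temp\update.exe",
             CommandLine=r"C:\Users\alice\AppData\Local\Temp\update.exe"),
]]

if __name__ == "__main__":
    for (app, dest, port), n in aggregate(SAMPLE_EVENTS).most_common():
        print(f"{n:4d}  {app} -> {dest}:{port}")
    for f in flag_suspicious(SAMPLE_EVENTS):
        print(f"[!] pid={f['pid']} {f['app']} -> {f['dest']}:{f['port']} "
              f"({', '.join(f['reasons'])}) cmd={f['command_line']}")
```

On real data, feed the script the XML of each record from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156,4688}` and keep the aggregated counts rather than the raw events; the two svchost records collapse to one line while the PowerShell and temp-folder connections surface with their 4688 command lines attached.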
Key fields
| Field | Meaning |
|---|---|
| Application | The process that made or accepted the connection |
| Source/Destination Address / Port | The source and destination IP addresses and ports |
| Direction | Outbound or inbound |
Glossary
- C2 (Command and Control) — communication for remotely operating a compromised machine from outside. It often disguises itself as normal ports/services to evade detection.