Process Creation

Process Creation Monitoring and Analysis: A Key Pillar of Windows Security

Process creation events play a crucial role in detecting malicious activities within a Windows environment. This guide explores their significance, configuration, and practical analysis to enhance your forensic and threat-hunting capabilities.


Key Concepts of Process Creation Events

When process creation auditing is enabled, Windows records Event ID 4688 for every process started on the system. This event gives defenders visibility into potentially malicious behavior.

Why It’s Important

  • Command Line Parameters: Offer detailed context, showing the intent behind each process.

  • Visibility: Critical for identifying unusual or unauthorized activities.


Enabling Process Creation Audit Logs

Step 1: Enable Process Creation Auditing

  1. Open Group Policy Editor:

    • Search for Edit Group Policy in the Windows search bar.

  2. Navigate to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit Process Creation.

  3. Set Audit Process Creation to Success.

Step 2: Enable Command Line Logging

  1. In Group Policy Editor, go to: Computer Configuration > Administrative Templates > System > Audit Process Creation.

  2. Enable Include Command Line in Process Creation Events.


Event Fields Breakdown

Once enabled, Event ID 4688 provides several key fields:

  • Account Name: User account responsible for executing the process.

  • New Process Name: Name of the newly created process.

  • Creator Process Name: Parent process initiating the new process.

  • Process Command Line: Full command line with arguments; this field is only populated when command line logging is enabled (see Step 2 above).
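As an added example (not part of the original guide), the following Python parses one Event ID 4688 record in the XML form exported by Windows (for instance via wevtutil or Get-WinEvent) and maps the raw EventData names to the friendly field names listed above. The sample XML is constructed to mirror the net.exe example on this page; the account, computer name, SIDs and timestamps in it are placeholders.

```python
import ntpath
import xml.etree.ElementTree as ET

# Namespace used by the Windows event XML rendering.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventData names in the XML -> field names shown in the Event Viewer pane.
FIELD_MAP = {
    "SubjectUserName": "Account Name",
    "NewProcessName": "New Process Name",
    "ParentProcessName": "Creator Process Name",
    "CommandLine": "Process Command Line",
}

# Constructed sample 4688 record (placeholder values, not real telemetry).
SAMPLE_4688_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4688</EventID>
    <TimeCreated SystemTime="2024-01-01T10:15:30.000000000Z"/>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="NewProcessId">0x1a2c</Data>
    <Data Name="NewProcessName">C:\Windows\System32\net.exe</Data>
    <Data Name="TokenElevationType">%%1938</Data>
    <Data Name="ProcessId">0x0f90</Data>
    <Data Name="CommandLine">net user Supp0rt LetsDefendEventLogs /add</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
"""


def parse_4688(xml_text: str) -> dict:
    """Parse one Event ID 4688 XML record into a flat dict.

    The result carries both the raw EventData names and the friendly names
    from the Event Viewer (Account Name, New Process Name, ...).
    """
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=EVT_NS)
    if event_id != "4688":
        raise ValueError(f"not a process creation event: EventID={event_id}")

    record = {
        "EventID": 4688,
        "TimeCreated": root.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime"),
        "Computer": root.findtext("e:System/e:Computer", namespaces=EVT_NS),
    }
    for data in root.findall("e:EventData/e:Data", EVT_NS):
        record[data.get("Name")] = data.text or ""

    # Missing fields become "" rather than raising: CommandLine is absent
    # whenever "Include command line in process creation events" is off.
    for raw, friendly in FIELD_MAP.items():
        record[friendly] = record.get(raw, "")
    return record


def command_line_logged(record: dict) -> bool:
    """True if the record carries a command line, i.e. Step 2 was applied."""
    return bool(record.get("Process Command Line"))


def parent_child(record: dict) -> tuple:
    """Return (creator, new) executable basenames, lower-cased, for quick review."""
    return (
        ntpath.basename(record["Creator Process Name"]).lower(),
        ntpath.basename(record["New Process Name"]).lower(),
    )


if __name__ == "__main__":
    rec = parse_4688(SAMPLE_4688_XML)
    for friendly in FIELD_MAP.values():
        print(f"{friendly}: {rec[friendly]}")
    print("parent -> child:", " -> ".join(parent_child(rec)))
```

ntpath is used for the basenames so the parser behaves the same on a Linux SIEM host as on Windows.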


Example Analysis

Consider the following example:

  • New Process Name: net.exe

  • Creator Process Name: cmd.exe

  • Process Command Line:

    net user Supp0rt LetsDefendEventLogs /add

This event reveals an attacker using net.exe to create a backdoor user account, Supp0rt, with the password LetsDefendEventLogs.


MITRE ATT&CK Context

The parent-child relationship between cmd.exe and net.exe, combined with the command line arguments, highlights an unauthorized account creation attempt.


Using Process Creation Logs for Threat Hunting

Indicators of Malicious Activity

  1. Unexpected Parent-Child Process Relationships:

    • Examples:

      • word.exe spawning powershell.exe

      • explorer.exe spawning cmd.exe

  2. Suspicious Command Line Arguments:

    • PowerShell Encoded Commands:

      powershell.exe -EncodedCommand ...

    • Net User Commands:

      net user ... /add

  3. Uncommon Process Names or Locations:

    • Processes running from non-standard directories like %TEMP% or %APPDATA%.


Centralized Logging with SIEM

  1. Centralize Logs: Collect Event ID 4688 in a SIEM platform to streamline correlation and analysis.

  2. Automate Alerts: Set up SIEM rules to flag suspicious processes and command line patterns.
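The following Python is an added example (not code from the original guide) that turns the three indicator categories above into alert logic of the kind Step 2 of the SIEM section describes. It runs over a constructed batch of 4688-style records (dicts keyed by the raw EventData names: NewProcessName, ParentProcessName, CommandLine, SubjectUserName) and returns findings per record. The parent-child pairs come from the page's list; the directory markers for %TEMP% and %APPDATA% are their expanded on-disk forms, and the two extra writable locations, the record IDs and the encoded payload are assumptions made for the example.

```python
import base64
import ntpath
import re

# Unexpected parent -> child pairs from the page's list. The page writes
# "word.exe"; the Word binary on disk is winword.exe, so both are matched.
# Tune per environment: explorer.exe -> cmd.exe is also how users open a console.
SUSPICIOUS_PARENT_CHILD = {
    ("word.exe", "powershell.exe"),
    ("winword.exe", "powershell.exe"),
    ("explorer.exe", "cmd.exe"),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
# The argument is Base64 of a UTF-16LE string.
ENCODED_CMD_RE = re.compile(
    r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I
)

# net / net1 user <name> [<password>] /add
NET_USER_ADD_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(?P<user>\S+)(?:\s+\S+)?\s+/add\b", re.I
)

# Expanded %TEMP% and %APPDATA% paths plus two assumed extra writable locations.
NON_STANDARD_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)


def decode_encoded_command(blob: str) -> str:
    """Decode the Base64 UTF-16LE payload of a PowerShell -EncodedCommand argument."""
    return base64.b64decode(blob).decode("utf-16le")


def evaluate(record: dict) -> list:
    """Return human-readable findings for one 4688 record (empty list = benign)."""
    findings = []
    new_path = record.get("NewProcessName", "")
    child = ntpath.basename(new_path).lower()
    parent = ntpath.basename(record.get("ParentProcessName", "")).lower()
    cmdline = record.get("CommandLine", "")

    # 1. Unexpected parent-child relationship
    if (parent, child) in SUSPICIOUS_PARENT_CHILD:
        findings.append(f"unexpected parent-child: {parent} -> {child}")

    # 2. Suspicious command line arguments
    m = ENCODED_CMD_RE.search(cmdline)
    if m:
        try:
            decoded = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError) as exc:
            decoded = f"<undecodable: {exc}>"
        findings.append(f"encoded PowerShell command: {decoded!r}")
    m = NET_USER_ADD_RE.search(cmdline)
    if m:
        findings.append(f"local account creation via net.exe: user={m.group('user')}")

    # 3. Uncommon process location
    lowered = new_path.lower()
    if any(marker in lowered for marker in NON_STANDARD_DIRS):
        findings.append(f"process executed from non-standard directory: {lowered}")
    return findings


def hunt(records: list) -> list:
    """Evaluate a batch and keep only (RecordId, findings) for records that alerted."""
    alerts = []
    for record in records:
        findings = evaluate(record)
        if findings:
            alerts.append((record.get("RecordId"), findings))
    return alerts


# Constructed sample batch modelled on the page's examples (not real telemetry).
_ENCODED = base64.b64encode("Write-Host 'demo payload'".encode("utf-16le")).decode("ascii")
SAMPLE_RECORDS = [
    {"RecordId": 1, "SubjectUserName": "jdoe",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user Supp0rt LetsDefendEventLogs /add"},
    {"RecordId": 2, "SubjectUserName": "jdoe",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -EncodedCommand {_ENCODED}"},
    {"RecordId": 3, "SubjectUserName": "jdoe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "CommandLine": "update.exe /silent"},
    {"RecordId": 4, "SubjectUserName": "SYSTEM",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for record_id, findings in hunt(SAMPLE_RECORDS):
        for finding in findings:
            print(f"record {record_id}: {finding}")
```

Decoding the -EncodedCommand payload at detection time is what makes the alert actionable: the analyst sees the actual script rather than a Base64 blob, and the same decoder can be reused for records pulled from the SIEM.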


Key Points

Process creation events, especially when enriched with command line arguments, are invaluable in detecting and responding to malicious activities. By enabling these logs and leveraging them for analysis, security analysts can:

  • Monitor suspicious activity

  • Identify potential threats

  • Strengthen enterprise security
