Event ID 4688 — A new process has been created.
Description
A new process has been created.
Fields
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Creator Subject] Security ID. |
| SubjectUserName | UnicodeString | [Creator Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Creator Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Creator Subject] Logon ID. |
| NewProcessId | Pointer | [Process Information] New Process ID. |
| NewProcessName | UnicodeString | [Process Information] New Process Name. |
| TokenElevationType | UnicodeString | [Process Information] Token Elevation Type. Known values |
| ProcessId | Pointer | [Process Information] Creator Process ID. |
| CommandLine | UnicodeString | [Process Information] Process Command Line. |
| TargetUserSid | SID | [Target Subject] Security ID. |
| TargetUserName | UnicodeString | [Target Subject] Account Name. |
| TargetDomainName | UnicodeString | [Target Subject] Account Domain. |
| TargetLogonId | HexInt64 | [Target Subject] Logon ID. |
| ParentProcessName | UnicodeString | [Process Information] Creator Process Name. |
| MandatoryLabel | SID | [Process Information] Mandatory Label. |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4688,
    "version": 2,
    "level": 0,
    "task": 13312,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:27.153945+00:00",
    "event_record_id": 2753,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 336
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "-",
    "SubjectDomainName": "-",
    "SubjectLogonId": "0x3e7",
    "NewProcessId": "0x328",
    "NewProcessName": "C:\\Windows\\System32\\lsass.exe",
    "TokenElevationType": "%%1936",
    "ProcessId": "0x27c",
    "CommandLine": "",
    "TargetUserSid": "S-1-0-0",
    "TargetUserName": "-",
    "TargetDomainName": "-",
    "TargetLogonId": "0x0",
    "ParentProcessName": "C:\\Windows\\System32\\wininit.exe",
    "MandatoryLabel": "S-1-16-16384"
  },
  "message": ""
}
```
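To make the hex-encoded IDs, the %%-prefixed elevation string and the mandatory-label SID usable in a detection pipeline, here is an added Python example (not from this page or any of the referenced projects) that normalises the example event above and applies two defender-side checks. The %%1936 to %%1938 names and the S-1-16 integrity levels are the values Microsoft documents for this event; the expected-parent table and the empty-command-line hint are assumptions made for the illustration.

```python
"""Normalise a Security 4688 record and apply two defender-side checks (added example)."""
# Elevation-type strings as Microsoft documents them for 4688 (the table above omits them).
TOKEN_ELEVATION = {
    "%%1936": "TokenElevationTypeDefault",  # Type 1: no split token (SYSTEM, built-in Administrator)
    "%%1937": "TokenElevationTypeFull",     # Type 2: elevated token (UAC consent / run as administrator)
    "%%1938": "TokenElevationTypeLimited",  # Type 3: filtered admin token or a standard user
}
# Mandatory label SIDs are S-1-16-<level>; the final RID is the integrity level.
INTEGRITY = {0: "Untrusted", 4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}
# Expected parents for two core system processes (an assumption for this illustration).
EXPECTED_PARENT = {"lsass.exe": "wininit.exe", "services.exe": "wininit.exe"}
# Constructed from the example event on this page (event_data only).
SAMPLE = {"event_data": {
    "SubjectUserSid": "S-1-5-18", "SubjectLogonId": "0x3e7",
    "NewProcessId": "0x328", "NewProcessName": "C:\\Windows\\System32\\lsass.exe",
    "TokenElevationType": "%%1936", "ProcessId": "0x27c", "CommandLine": "",
    "ParentProcessName": "C:\\Windows\\System32\\wininit.exe",
    "MandatoryLabel": "S-1-16-16384"}}

def _image(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_4688(event):
    """Turn the hex- and SID-encoded fields into usable values."""
    d = event["event_data"]
    level = int(d["MandatoryLabel"].rsplit("-", 1)[1])
    return {
        "logon_id": int(d["SubjectLogonId"], 16),  # 0x3e7 == 999: the SYSTEM logon session
        "pid": int(d["NewProcessId"], 16),
        "ppid": int(d["ProcessId"], 16),           # ProcessId in 4688 is the creator's PID
        "image": _image(d["NewProcessName"]),
        "parent_image": _image(d["ParentProcessName"]),
        "elevation": TOKEN_ELEVATION.get(d["TokenElevationType"], d["TokenElevationType"]),
        "integrity": INTEGRITY.get(level, f"level {level}"),
        "command_line": d["CommandLine"],
    }

def check(parsed):
    """Flag an unexpected parent for a core process and missing command-line auditing."""
    findings = []
    expected = EXPECTED_PARENT.get(parsed["image"])
    if expected and parsed["parent_image"] != expected:
        findings.append(f"{parsed['image']} started by {parsed['parent_image']}, expected {expected}")
    if parsed["command_line"] == "":
        findings.append("CommandLine empty: command-line auditing is probably not enabled")
    return findings
```

On the page's example event the parent check passes (lsass.exe under wininit.exe) but the empty CommandLine is reported, which is the usual sign that the audit-process-creation policy linked under References has not been enabled.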
Detection Patterns

- Security-Auditing Event ID 4688 (A new process has been created) OR Sysmon Event ID 1 (Process creation): 429 rules (Sigma 414, Splunk 14, Kusto Query Language)
- Defender-DeviceProcessEvents Event ID 9001000 (Process activity) OR Security-Auditing Event ID 4688 (A new process has been created) OR Sysmon Event ID 1 (Process creation): 26 rules (Kusto Query Language)
- Defender-DeviceProcessEvents Event ID 9001000 (Process activity) AND Security-Auditing Event ID 4688 (A new process has been created) AND Sysmon Event ID 1 (Process creation): 14 rules (Kusto Query Language)
- [Normalized Process Events] Security-Auditing Event ID 4688 (A new process has been created) OR Event ID 4689 (A process has exited) OR Sysmon Event ID 1 (Process creation) OR Event ID 5 (Process terminated): 7 rules (Kusto Query Language)
- Defender-DeviceProcessEvents Event ID 9001000 (Process activity) → Security-Auditing Event ID 4688 (A new process has been created) → Sysmon Event ID 1 (Process creation): 7 rules (Kusto Query Language)
- (Security-Auditing Event ID 4688 (A new process has been created) AND Sysmon Event ID 11 (FileCreate)) OR (Event ID 1 (Process creation) AND Event ID 11 (FileCreate)): 7 rules (Splunk)
- [Normalized Process Events, Asim Version] Security-Auditing Event ID 4663 (An attempt was made to access an object) OR Event ID 4688 (A new process has been created): 2 rules
- [Privilege Escalation: Bypass User Account Control] Security-Auditing Event ID 4657 (A registry value was modified) → Event ID 4688 (A new process has been created): 1 rule (Kusto Query Language)
- [Defense Evasion: Impair Defenses] Security-Auditing Event ID 4670 (Permissions on an object were changed) OR Event ID 4688 (A new process has been created): 1 rule (Kusto Query Language)
- [Lateral Movement: Exploitation of Remote Services] Security-Auditing Event ID 4624 (An account was successfully logged on) OR Event ID 4688 (A new process has been created) OR Sysmon Event ID 1 (Process creation) OR Event ID 19 (WmiEvent) OR Event ID 20 (WmiEvent) OR Event ID 21 (WmiEvent): 1 rule (Kusto Query Language)
- [Lateral Movement: Exploitation of Remote Services] Security-Auditing Event ID 4624 (An account was successfully logged on) → Event ID 4688 (A new process has been created) → Event ID 4697 (A service was installed in the system) → Event ID 4698 (A scheduled task was created) → Event ID 4699 (A scheduled task was deleted) → Event ID 4700 (A scheduled task was enabled) → Event ID 4701 (A scheduled task was disabled) → Event ID 4702 (A scheduled task was updated) → Event ID 5145 (A network share object was checked to see whether client can be granted desired access): 1 rule
Detection Rules

Sigma

- Chromium Browser Headless Execution To Mockbin Like Site (high): Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
- NtdllPipe Like Activity Execution (high): Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection, as seen being used in the NtdllPipe POC.
- Potentially Suspicious Child Process Of ClickOnce Application (medium): Detects potentially suspicious child processes of a ClickOnce deployment application.
- Potential Discovery Activity Via Dnscmd.EXE (medium): Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
- Uncommon FileSystem Load Attempt By Format.com (high): Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
- Potentially Suspicious GoogleUpdate Child Process (high): Detects potentially suspicious child processes of "GoogleUpdate.exe".
- Arbitrary Binary Execution Using GUP Utility (medium): Detects execution of the Notepad++ updater (gup) to launch other commands or executables.
- HackTool - LaZagne Execution (medium): Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
- HackTool - Wmiexec Default Powershell Command (high): Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script.
- ImagingDevices Unusual Parent/Child Processes (high): Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity.
- Suspicious Execution of InstallUtil Without Log (medium): Uses the .NET InstallUtil.exe application in order to execute an image without a log.
- Suspicious Shells Spawn by Java Utility Keytool (high): Detects suspicious shell spawn from the Java utility keytool process (e.g. ADSelfService Plus exploitation).
- Suspicious Processes Spawned by Java.EXE (high): Detects suspicious processes spawned from a Java host process, which could indicate a sign of exploitation (e.g. log4j).
- Shell Process Spawned by Java.EXE (medium): Detects a shell spawned from a Java host process, which could be a sign of exploitation (e.g. log4j exploitation).
- Potentially Suspicious Execution Of PDQDeployRunner (medium): Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines.
- Suspicious Obfuscated PowerShell Code (high): Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines.
- Email Exifiltration Via Powershell (high): Detects email exfiltration via PowerShell cmdlets.
- Potential Suspicious Windows Feature Enabled - ProcCreation (medium): Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
- Suspicious PowerShell Invocations - Specific - ProcessCreation (medium): Detects suspicious PowerShell invocation command parameters.
- Suspicious PowerShell Mailbox Export to Share (critical): Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations.
Elastic

- Potential LSASS Clone Creation via PssCaptureSnapShot (high): Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Kusto Query Language

- SUNBURST suspicious SolarWinds child processes (medium): Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. References: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
- Unusual identity creation using exchange powershell (high): The query identifies creation of an unusual identity by the Europium actor to mimic the Microsoft Exchange Health Manager Service account using Exchange PowerShell commands. Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
- Identify Mango Sandstorm powershell commands (high): The query identifies PowerShell commands used by the threat actor Mango Sandstorm. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (medium): This query identifies when rundll32.exe executes a specific set of inline VBScript commands. Reference: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- Midnight Blizzard - Script payload stored in Registry (medium): This query identifies when a process execution command line indicates that a registry value is written to allow for later execution of a malicious script. Reference: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- Silk Typhoon New UM Service Child Process (medium): This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- Powershell Empire Cmdlets Executed in Command Line (medium): This query identifies use of PowerShell Empire's cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.
- DEV-0270 New User Creation (high): The query tries to detect creation of a new user using a known DEV-0270 username/password schema.
- Dev-0270 Malicious Powershell usage (high): DEV-0270 heavily uses PowerShell to achieve their objective at various stages of their attack. To locate PowerShell related activity tied to the actor, Microsoft Sentinel customers can run this query.
- Dev-0270 Registry IOC - September 2022 (high): The query identifies modification of the registry by the Dev-0270 actor to disable a security feature as well as to add ransom notes.
- Dev-0270 WMIC Discovery (high): The query identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.
- Windows Binaries Executed from Non-Default Directory (medium): The query detects Windows binaries that can be executed from a non-default directory (e.g. C:\Windows\, C:\Windows\System32 etc.). Ref: https://lolbas-project.github.io/
- Caramel Tsunami Actor IOC - July 2021 (high): Identifies a match across IOCs related to an actor tracked by Microsoft as Caramel Tsunami.
- Chia_Crypto_Mining IOC - June 2021 (low): Identifies a match across IOCs related to Chia cryptocurrency farming/plotting activity.
- NRT Base64 Encoded Windows Process Command-lines (medium): This detection identifies instances of a base64 encoded PE file header seen in the process command line parameter.
- NRT Process executed from binary hidden in Base64 encoded file (medium): Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. The third one is looking for Ruby decoding base64.
- New EXE deployed via Default Domain or Default Domain Controller Policies (high): This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers, and best practice is that they should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain.
- Potential re-named sdelete usage (low): This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive. A threat actor may rename the tool to avoid detection and then use it for destructive attacks on a host.
- Sdelete deployed via GPO and run recursively (medium): This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them.
References

- Microsoft Learn: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
- Microsoft Learn, Audit Policy: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation
- Ultimate Windows Security: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts: https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-4688-process-created.md