Audit Process Creation And Command Line

If you use process creation events from the Windows Security log for detections, you must enable command line auditing for Windows Event ID 4688 (Process Creation). When enabled, Windows records the full command line of each newly created process in the Security event log.

To record the command line in process creation events across a group of servers using Active Directory Group Policy, enable the Include command line in process creation events policy at the following Group Policy path:

Computer Configuration >
Administrative Templates >
System >
Audit Process Creation >
Include command line in process creation events (Enable)

Additionally, confirm that the Audit Process Creation policy is enabled:

Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Configuration >
Detailed Tracking >
Audit Process Creation (Success)

To enable process creation and command line auditing on non-domain-joined servers, run the following commands from an elevated (Administrator) prompt:

  1. Enable Process Creation Audit

Run the following command to enable auditing for process creation:

auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable
  2. Enable Command Line Logging

Modify the registry to include command-line details in process creation logs:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

When this audit policy is enabled, the following event IDs may be generated:

  • 4688: A new process has been created.
  • 4696: A primary token was assigned to a process.
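The two-step stand-alone configuration above and the 4688 event it produces can be applied and verified in one script. The following is an added example, not code from the original page or from Elastic: it runs the same auditpol and registry changes, reads back the effective policy, launches a harmless process with a constructed marker argument, and then confirms that the newest 4688 events carry a populated CommandLine field. The marker value and the 50-event lookback window are assumptions chosen for the check.

```powershell
# Added example (not from the original page): enable process creation auditing
# with command-line capture on a non-domain-joined server and verify the result.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# 1. Enable the "Process Creation" audit subcategory (same as the page's auditpol step).
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Include the command line in 4688 events (same registry value as the page's reg add step).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Type DWord -Value 1

# 3. Read back the effective policy and registry value so the change is visible.
auditpol.exe /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' |
    Select-Object ProcessCreationIncludeCmdLine_Enabled

# 4. Start a harmless process with a constructed, distinctive argument so there is
#    a fresh 4688 event to inspect (assumption: cmd.exe is available at its default path).
$marker = "cmdline-audit-check-$(Get-Random)"
Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
    -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait

# 5. Look through the newest 4688 events for one whose CommandLine data element
#    contains the marker. If command-line auditing is off, the element is empty
#    and the marker is never found.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue
$hit = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
    if ($cmd -like "*$marker*") {
        [pscustomobject]@{ TimeCreated = $e.TimeCreated; CommandLine = $cmd }
        break
    }
}

if ($hit) {
    "OK: 4688 at $($hit.TimeCreated) includes the command line: $($hit.CommandLine)"
} else {
    "WARNING: no 4688 with a populated CommandLine found; confirm the audit policy " +
    "and registry value applied and that the Security log is not being overwritten."
}
```

On a domain member the local auditpol setting is overridden by whatever the applied Group Policy specifies, so on those hosts use the Group Policy paths above and run gpupdate before repeating the verification part of the script.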

Use the following GitHub search to identify rules that use the events listed:

Elastic Detection Rules GitHub Repo Search