Event 4688: A new process has been created.
Quick Answer
Event 4688 logs every new process created on a Windows system, including the process name, command line arguments, parent process, and user account. This event is essential for detecting malware execution, living-off-the-land binary abuse, and suspicious command-line activity.
Technical Details
Event ID: 4688
Windows Security- Process Execution
Event Description
A new process has been created.
Analyst Notes & Scenarios
- Key Fields: NewProcessName/Image, CommandLine, ParentProcessName.
- Look for suspicious parent-child relationships (e.g., Office apps spawning cmd.exe/powershell.exe, services spawning unexpected processes like whoami.exe).
- Analyze CommandLine for obfuscated/encoded scripts, suspicious flags, network destinations, or sensitive file paths.
- Enable 'Include command line in process creation events' group policy.
- Can be noisy; requires baseline understanding and potentially filtering.
Key Log Fields
SubjectUserName- Account that created the processSubjectDomainName- Domain of the accountSubjectLogonId- Logon ID for correlationNewProcessName- Full path of the new process executableNewProcessId- Process ID (PID) of the new processTokenElevationType- Token elevation type (%%1936=Type 1/Default, %%1937=Type 2/Full, %%1938=Type 3/Limited)CreatorProcessId- PID of the parent processCreatorProcessName- Full path of the parent processCommandLine- Full command line with arguments (requires audit policy configuration)MandatoryLabel- Integrity level (e.g., High, Medium, Low, System)
MITRE ATT&CK® Mapping (20)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain. Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)
Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason) On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the <code>at.allow</code> file. If the <code>at.allow</code> file does not exist, the <code>at.deny</code> file is checked. Every username not listed in <code>at.deny</code> is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the <code>at.deny</code> exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at) Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM). In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team) An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent) Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
Event Comparison
Event 4688 is similar to Sysmon Event 1 but with less detail. Sysmon provides file hashes, signature status, and parent command lines that 4688 lacks.
What This Event Means
Event 4688 provides comprehensive visibility into process execution activity on Windows systems, making it invaluable for threat detection and incident response. This event captures the executable filename, full command line with all parameters, the parent process that spawned it, the user account context, process ID, and token elevation information. The command line logging capability must be explicitly enabled through Group Policy, but once activated it reveals exactly how attackers are executing their tools and living-off-the-land binaries. Security analysts use 4688 to detect malicious PowerShell execution, suspicious wscript or cscript usage, unusual parent-child process relationships, and command obfuscation techniques. For example, legitimate Microsoft Office applications should not spawn PowerShell or cmd.exe processes, making such combinations immediate red flags. The event also captures process integrity levels and privilege escalation attempts through token elevation information, helping identify attempts to bypass User Account Control or gain SYSTEM-level access.
Security Implications
- PowerShell with encoded commands (-EncodedCommand) often indicates malware or attack frameworks like Cobalt Strike
- Office applications spawning scripting engines (powershell.exe, wscript.exe) suggest macro-based malware
- Unusual parent-child relationships like explorer.exe spawning cmd.exe from suspicious directories indicate process injection
- Remote execution tools (psexec.exe, winrm.exe) appearing outside maintenance windows may signal lateral movement
- LOLBins (Living Off the Land Binaries) like certutil.exe, bitsadmin.exe used for file downloads are attack indicators
Detection Strategies
Build a baseline of normal process execution patterns in your environment, focusing on parent-child relationships and typical command-line parameters. Alert on any process spawned from Office applications, especially scripting engines or network utilities. Monitor for PowerShell execution with suspicious parameters like -EncodedCommand, -WindowStyle Hidden, or IEX (Invoke-Expression). Track usage of LOLBins in unusual contexts, such as certutil.exe downloading files or regsvr32.exe executing remote scripts. Detect obfuscation techniques like excessive special characters, base64 encoding, or command concatenation. Correlate process creation with network connections (Sysmon Event 3) to identify command-and-control beaconing. Note: Pre-built detection signatures for major SIEM platforms will be added in upcoming releases.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
Emotet malware creates process chains: Word.exe → PowerShell.exe → cmd.exe → malicious payload, all visible in 4688 events
APT32 (OceanLotus) used certutil.exe to download second-stage payloads, captured in 4688 command line arguments
Lazarus Group executed encoded PowerShell commands through WMI, leaving distinctive 4688 event signatures