Why/How to Threat Hunt With Windows Process Creation/Termination (Event ID 4688/4689) Logs

Unmasking Threats: A Guide to Threat Hunting with Windows Process Creation (4688) & Termination (4689) Logs

Ever wondered what’s really happening under the hood of your Windows systems? Every click, every script, every application launch sparks a new process. And just as quickly, these processes end. For cybersecurity pros, the birth and death of these processes – tracked by Windows Event IDs 4688 (Process Creation) and 4689 (Process Termination) – are golden nuggets of information, essential for threat hunting, incident response, and beefing up your overall security posture.

Many security teams are surprised to learn that this critical logging isn’t switched on by default in Windows. So, if you’re diving into a threat hunt expecting to find a trail of 4688s and 4689s, you might come up empty-handed unless someone has proactively enabled them.

Let’s explore why these events are so crucial and how you can start leveraging them.

Why Process Creation & Termination Logs Are a Game-Changer

Think about it: every piece of software, good or bad, starts as a process. Malware, ransomware, and attacker tools all need to execute. By monitoring process creation (Event ID 4688), you gain visibility into:

  • What applications are running: Including potentially unauthorized or malicious tools.
  • Who or what initiated the process: Was it a user, a scheduled task, or another process?
  • The command line arguments used: This can reveal the specific actions a process was instructed to perform, often exposing malicious intent (e.g., powershell.exe -enc <base64_encoded_payload>).

Similarly, process termination (Event ID 4689) tells you when these activities stop. This might seem less exciting, but it can be vital for understanding the lifecycle of an attack or identifying unexpected crashes of critical security tools.

These logs are invaluable for:

  • Threat Hunting: Proactively searching for signs of compromise, like a process named mimikatz.exe appearing or powershell.exe running suspicious scripts.
  • Incident Response: Retracing an attacker’s steps by seeing exactly what commands they executed.
  • Expanding Security Visibility: Understanding normal process behavior to better spot anomalies.

The Catch: These Logs Aren’t On by Default!

This is the most important takeaway: Windows Process Creation (4688) and Process Termination (4689) events are part of the “Detailed Tracking” category within the Advanced Audit Policy Configuration, and they are NOT enabled by default.

If you want to use these powerful events, you need to turn them on. Don’t assume they’re being collected!

How to Enable Process Creation & Termination Auditing

You have two main ways to enable these audit settings:

  1. Local Security Policy (for a single machine or non-domain joined machines):

    • Open the Start Menu and search for “Local Security Policy.”
    • Navigate to: Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies - Local Group Policy Object -> Detailed Tracking.
    • In the right-hand pane, find “Audit Process Creation” and “Audit Process Termination.”
    • Open each one, and check the boxes for both “Success” and “Failure” events. Click “Apply” and “OK.”
  2. Group Policy (GPO) (Preferred for domain environments):

    • Using the Group Policy Management Console (GPMC), you can create or edit a GPO that applies to the desired Organizational Units (OUs) or the entire domain.
    • Navigate within the GPO editor to: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Detailed Tracking.
    • Configure “Audit Process Creation” and “Audit Process Termination” to log “Success” and “Failure” events.
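The same configuration applied from the command line, as an added example that is not part of the original post. It assumes an elevated PowerShell prompt on Windows 10 / Server 2016 or later and uses the built-in auditpol tool plus the documented registry value that turns on command-line logging for 4688.

```powershell
# Added example, not part of the original post: the same two Detailed Tracking
# settings as the GUI steps above, applied from an elevated PowerShell prompt.
# On domain-joined hosts a GPO that configures these subcategories will overwrite
# the local values at the next policy refresh, so prefer the GPO route there.
auditpol /set /subcategory:"Process Creation"    /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable

# 4688 records an empty "Process Command Line" unless this separate policy is on
# (GPO path: Computer Configuration > Administrative Templates > System >
#  Audit Process Creation > "Include command line in process creation events").
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Verify the effective policy: both lines should read "Success and Failure".
auditpol /get /category:"Detailed Tracking" | Select-String 'Process Creation|Process Termination'

# Smoke test: launch a marker process and confirm a 4688 carrying its command line landed.
Start-Process -FilePath cmd.exe -ArgumentList '/c echo audit-marker-4688' -WindowStyle Hidden -Wait
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'audit-marker-4688' } |
    Format-List TimeCreated, Message
```

If the smoke test returns an event whose "Process Command Line" is blank, the audit subcategory is on but the command-line policy has not taken effect yet.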

A Word on “Noise” and Tuning: Enabling these logs, especially 4688, can generate a significant volume of events, particularly on busy servers or workstations. This is often referred to as being “loud.” While the data is invaluable, be prepared to filter and tune your collection, especially if you’re sending these logs to a SIEM (Security Information and Event Management) system. You’ll want to focus on what’s relevant and avoid overwhelming your storage or analysis tools.

Deep Dive: Event ID 4688 (Process Creation) – What to Look For

When a process is created, Event ID 4688 logs a wealth of information, including:

  • Subject Account Name/ID: The user or system account that initiated the new process.
  • New Process Name: The full path to the executable.
  • Creator Process Name/ID: The process that actually spawned this new process.
  • Command Line: This is often the most revealing field, showing the exact command and arguments used.

Threat Hunting Ideas with 4688:

  • Suspicious Parent-Child Relationships: Word spawning PowerShell, or Outlook creating cmd.exe.
  • Execution from Odd Locations: Binaries running from C:\Windows\Temp\, C:\Users\<username>\AppData\Local\Temp\, or network shares.
  • Known Malicious Tool Names: Look for processes like mimikatz.exe, procdump.exe (used legitimately but also by attackers), psexec.exe (if not typically used in your environment or by specific users).
  • Living-Off-the-Land Binaries (LoLBins): Attackers love using legitimate Windows tools for malicious purposes. Monitor command lines for:
    • powershell.exe with encoded commands, download cradles, or execution policy bypasses.
    • mshta.exe executing remote HTA files.
    • certutil.exe to download files.
    • wmic.exe for process execution or reconnaissance.
  • High-Value or Disabled Accounts: Processes initiated by highly privileged accounts outside of normal administrative tasks, or any activity from disabled accounts.
  • Unusual Account Behavior: Accounts running processes they typically don’t, or activity outside of standard working hours.

Deep Dive: Event ID 4689 (Process Termination) – Completing the Picture

Event ID 4689 marks the end of a process. It contains less detail than 4688 but is still useful:

  • Process Name & ID: Identifies the process that terminated.
  • Account Information: The context under which the process was running.
  • Exit Status: Can sometimes indicate if a process crashed or exited unexpectedly.

Threat Hunting Ideas with 4689 (often in conjunction with 4688):

  • Tampering with Processes: If you correlate a 4688 (creation) with its corresponding 4689 (termination) using the Process ID, you might notice discrepancies if an attacker tried to modify or hijack a legitimate process mid-flight (though this is advanced).
  • Critical Process Exits: If essential security tools (e.g., EDR agent, antivirus) or system processes terminate unexpectedly, it could be a sign of tampering or instability caused by malware.
  • Short-Lived Processes: Some malicious scripts or commands execute very quickly. Correlating creation and rapid termination might highlight hit-and-run tactics.
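A first-pass hunt that applies the 4688 ideas above and the 4688/4689 correlation from this section, added here as an example and not code from the original post. It assumes an elevated prompt on a host where the audit settings are already enabled; the watchlists, the critical-tool names and the 5-second "short-lived" threshold are constructed placeholders to tune for your environment, and the ParentProcessName field only exists on Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the original post): hunt over the last 24 hours of the
# local Security log. Watchlists below are assumptions to tune per environment.
$officeParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$shells        = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'
$oddPathRx     = '\\Windows\\Temp\\|\\AppData\\Local\\Temp\\|^\\\\'   # temp dirs or a UNC path
$lolbinRx      = ' -e(nc|ncodedcommand)? |-ep bypass|DownloadString|certutil.*urlcache|mshta.*http|wmic.*process call create'
$criticalTools = 'MsMpEng.exe', 'SenseIR.exe'       # placeholder names; list your EDR/AV binaries
$shortLived    = [timespan]::FromSeconds(5)

function Get-EventData($Event) {                    # flatten <EventData> into Name -> value
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Rule, $Event, $Detail) {
    $findings.Add([pscustomobject]@{ Time = $Event.TimeCreated; Rule = $Rule; Detail = $Detail })
}

# PID -> its 4688. Processing in time order matches a 4689 only to the creation
# that preceded it, which matters because Windows reuses process IDs.
$open   = @{}
$filter = @{ LogName = 'Security'; Id = 4688, 4689; StartTime = (Get-Date).AddHours(-24) }
foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object TimeCreated)) {
    $d = Get-EventData $e
    if ($e.Id -eq 4688) {
        $name   = Split-Path $d.NewProcessName -Leaf
        $parent = if ($d.ParentProcessName) { Split-Path $d.ParentProcessName -Leaf } else { '?' }
        $cmd    = [string]$d.CommandLine            # empty unless command-line logging is enabled
        if ($officeParents -contains $parent -and $shells -contains $name) { Add-Finding 'office-spawns-shell' $e "$parent -> $name $cmd" }
        if ($d.NewProcessName -match $oddPathRx)                            { Add-Finding 'odd-location' $e $d.NewProcessName }
        if ($cmd -match $lolbinRx)                                           { Add-Finding 'lolbin-cmdline' $e $cmd }
        $open[$d.NewProcessId] = @{ Event = $e; Name = $name; User = $d.SubjectUserName }
    } else {
        if ($criticalTools -contains (Split-Path $d.ProcessName -Leaf)) { Add-Finding 'critical-tool-exit' $e "$($d.ProcessName) status=$($d.Status)" }
        $c = $open[$d.ProcessId]                    # 4689 ProcessId is the same hex string as 4688 NewProcessId
        if ($c) {
            $life = $e.TimeCreated - $c.Event.TimeCreated
            if ($life -lt $shortLived -and $shells -contains $c.Name) { Add-Finding 'short-lived-shell' $e "$($c.Name) by $($c.User) lived $([int]$life.TotalMilliseconds) ms" }
            $open.Remove($d.ProcessId)
        }
    }
}
$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Each rule is a starting point for baselining rather than a verdict: run it first on a known-good host, then tune the watchlists until the output is short enough to review by hand.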

Start Hunting!

Process creation and termination logs offer an unparalleled view into endpoint activity. While they require a deliberate effort to enable and manage, the insights they provide for threat hunting and incident response are indispensable.

Take the time to enable these logs in your environment, even if it’s just on a subset of critical systems to start. Familiarize yourself with normal process behavior, and then start looking for the outliers. You might be surprised what you find lurking!
