Ever wondered what’s really happening under the hood of your Windows systems? Every click, every script, every application launch sparks a new process. And just as quickly, these processes end. For cybersecurity pros, the birth and death of these processes – tracked by Windows Event IDs 4688 (Process Creation) and 4689 (Process Termination) – are golden nuggets of information, essential for threat hunting, incident response, and beefing up your overall security posture.
Many security teams are surprised to learn that this critical logging isn’t switched on by default in Windows. So, if you’re diving into a threat hunt expecting to find a trail of 4688s and 4689s, you might come up empty-handed unless someone has proactively enabled them.
Let’s explore why these events are so crucial and how you can start leveraging them.
Think about it: every piece of software, good or bad, starts as a process. Malware, ransomware, and attacker tools all need to execute. By monitoring process creation (Event ID 4688), you gain visibility into:

(for example, `powershell.exe -enc <base64_encoded_payload>`).

Similarly, process termination (Event ID 4689) tells you when these activities stop. This might seem less exciting, but it can be vital for understanding the lifecycle of an attack or identifying unexpected crashes of critical security tools.
These logs are invaluable for:

- `mimikatz.exe` appearing or `powershell.exe` running suspicious scripts.

This is the most important takeaway: Windows Process Creation (4688) and Process Termination (4689) events are part of the “Detailed Tracking” category within the Advanced Audit Policy Configuration, and they are NOT enabled by default.
If you want to use these powerful events, you need to turn them on. Don’t assume they’re being collected!
You have two main ways to enable these audit settings:

1. Local Security Policy (for a single machine or non-domain joined machines): Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies - Local Group Policy Object -> Detailed Tracking.

2. Group Policy (GPO) (preferred for domain environments): Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Detailed Tracking.
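The same change made from the command line, as an added example that is not part of the original post: it enables the two Detailed Tracking subcategories with `auditpol`, reads the effective setting back, and turns on command-line capture for 4688 so that the `powershell.exe -enc` case above is actually visible in the event. The `auditpol` syntax, the GPO path in the comments and the `ProcessCreationIncludeCmdLine_Enabled` registry value are standard Windows settings; nothing else on this page is assumed.

```powershell
# Added example (not from the original post): enable the two Detailed Tracking subcategories
# on the local machine from an elevated PowerShell prompt and read the result back.
# In a domain, put the same settings in a GPO under the path above instead; a GPO that
# configures Advanced Audit Policy overrides local auditpol changes at the next policy refresh.
#Requires -RunAsAdministrator

function Get-AuditSetting {
    # Returns auditpol's "Inclusion Setting" for one subcategory: "No Auditing", "Success",
    # "Failure" or "Success and Failure". The /r switch makes auditpol emit CSV.
    param([Parameter(Mandatory)][string] $Subcategory)
    $rows = auditpol.exe /get /subcategory:"$Subcategory" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    return @($rows)[0].'Inclusion Setting'
}

# 4688 and 4689 are both Success audits, so /success:enable is the setting that matters.
foreach ($sub in 'Process Creation', 'Process Termination') {
    $before = Get-AuditSetting -Subcategory $sub
    auditpol.exe /set /subcategory:"$sub" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$sub' (exit code $LASTEXITCODE)" }
    '{0,-20} {1} -> {2}' -f $sub, $before, (Get-AuditSetting -Subcategory $sub)
}

# 4688 carries the full command line only when the policy "Include command line in process
# creation events" is on (Computer Configuration -> Administrative Templates -> System ->
# Audit Process Creation). This writes the registry value behind that policy.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -PropertyType DWord -Force | Out-Null

# Confirm events are being written: show the newest 4688 records and their image paths.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'NewProcess'; e = {
        ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'NewProcessName' | Select-Object -ExpandProperty '#text' } }
```

Two things to check before rolling this out widely: command-line capture puts whatever users type into the Security log, including any passwords passed as arguments, so the log and its forwarding path need to be treated as sensitive; and the Security log's maximum size should be raised at the same time, because 4688 volume on a busy host will otherwise wrap older events quickly.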
.A Word on “Noise” and Tuning: Enabling these logs, especially 4688, can generate a significant volume of events, particularly on busy servers or workstations. This is often referred to as being “loud.” While the data is invaluable, be prepared to filter and tune your collection, especially if you’re sending these logs to a SIEM (Security Information and Event Management) system. You’ll want to focus on what’s relevant and avoid overwhelming your storage or analysis tools.
When a process is created, Event ID 4688 logs a wealth of information, including:
Threat Hunting Ideas with 4688:

- `cmd.exe`.
- `C:\Windows\Temp\`, `C:\Users\<username>\AppData\Local\Temp\`, or network shares.
- `mimikatz.exe`, `procdump.exe` (used legitimately but also by attackers), `psexec.exe` (if not typically used in your environment or by specific users).
- `powershell.exe` with encoded commands, download cradles, or execution policy bypasses.
- `mshta.exe` executing remote HTA files.
- `certutil.exe` to download files.
- `wmic.exe` for process execution or reconnaissance.

Event ID 4689 marks the end of a process. It contains less detail than 4688 but is still useful:

Threat Hunting Ideas with 4689 (often in conjunction with 4688):
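The 4688 hunting ideas above, and the 4688/4689 pairing this heading refers to, worked through as an added example (not code from the original post). The EventData field names (`NewProcessName`, `CommandLine`, `ParentProcessName`, `NewProcessId`, `ProcessId`, `ProcessName`, `SubjectUserName`) are the ones Windows writes into these events; the rule list, the watched-tool names and the sample events are constructed for the example and are assumptions to replace with your own baseline.

```powershell
# Added example (not from the original post). Applies the 4688 hunting ideas above as rules, then
# pairs 4688 with 4689 by process ID so you can see lifetimes and spot a watched security tool
# stopping. The EventData field names are the ones Windows writes; the rules, the watched-tool
# list and the sample events are constructed for this example.

# Security tools whose termination (4689) you want to notice. Assumed names: replace with your own.
$WatchedTools = @('MsMpEng.exe', 'your-edr-agent.exe')

function ConvertFrom-ProcessEvent {
    # Flatten a 4688 or 4689 EventRecord from Get-WinEvent into a plain object.
    param([Parameter(Mandatory)] $Record)
    $xml = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $is4688 = ($Record.Id -eq 4688)
    [pscustomobject]@{
        Id        = [int]$Record.Id
        Time      = $Record.TimeCreated
        User      = $d['SubjectUserName']
        ProcessId = [int]$(if ($is4688) { $d['NewProcessId'] } else { $d['ProcessId'] })  # logged as hex, e.g. 0x1a2c
        Process   = $(if ($is4688) { $d['NewProcessName'] } else { $d['ProcessName'] })
        Parent    = $d['ParentProcessName']
        CmdLine   = $d['CommandLine']  # empty unless command-line logging is enabled
    }
}

# One rule per 4688 hunting idea. The tool-name rule in particular needs a baseline of what is normal for you.
$Rules = @(
    @{ Name = 'Image in a temp directory or on a network share'
       Test = { param($e) $e.Process -match '\\Windows\\Temp\\|\\AppData\\Local\\Temp\\|^\\\\' } }
    @{ Name = 'Credential-dumping or remote-admin tool by file name'
       Test = { param($e) (Split-Path -Leaf $e.Process) -in 'mimikatz.exe', 'procdump.exe', 'psexec.exe' } }
    @{ Name = 'PowerShell with encoded command, download cradle or policy bypass'
       Test = { param($e) ($e.Process -match 'powershell\.exe$') -and
                ($e.CmdLine -match '-e(c|nc|ncodedcommand)?\s|executionpolicy\s+bypass|-ep\s+bypass|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b') } }
    @{ Name = 'mshta executing a remote HTA'
       Test = { param($e) ($e.Process -match 'mshta\.exe$') -and ($e.CmdLine -match 'https?://') } }
    @{ Name = 'certutil used to download a file'
       Test = { param($e) ($e.Process -match 'certutil\.exe$') -and ($e.CmdLine -match '-urlcache|https?://') } }
    @{ Name = 'wmic process execution or remote reconnaissance'
       Test = { param($e) ($e.Process -match 'wmic\.exe$') -and ($e.CmdLine -match 'process\s+call\s+create|/node:') } }
)

function Find-Suspicious4688 {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        if ($Event.Id -ne 4688) { return }
        foreach ($r in $Rules) {
            if (& $r.Test $Event) {
                [pscustomobject]@{ Rule = $r.Name; User = $Event.User; Process = $Event.Process; Parent = $Event.Parent; CmdLine = $Event.CmdLine }
            }
        }
    }
}

function Get-ProcessLifetime {
    # Pair each 4688 with the later 4689 that carries the same PID and image path.
    param([object[]] $Events)
    $open = @{}
    foreach ($e in ($Events | Sort-Object Time)) {
        $key = "$($e.ProcessId)|$($e.Process)"
        if ($e.Id -eq 4688) { $open[$key] = $e; continue }
        if ($e.Id -eq 4689 -and $open.ContainsKey($key)) {
            $start = $open[$key]; $open.Remove($key)
            [pscustomobject]@{
                User = $e.User; Process = $e.Process; ProcessId = $e.ProcessId
                Seconds = [int](($e.Time - $start.Time).TotalSeconds)
                WatchedToolStopped = ((Split-Path -Leaf $e.Process) -in $WatchedTools)
            }
        }
    }
}

# Constructed sample events (not real log data) so the script runs without a Security log.
$t0 = [datetime]'2025-06-01T09:00:00'
$Sample = @(
    [pscustomobject]@{ Id = 4688; Time = $t0.AddMinutes(-10); User = 'SYSTEM'; ProcessId = 1234; Process = 'C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe'; Parent = 'C:\Windows\System32\services.exe'; CmdLine = '' }
    [pscustomobject]@{ Id = 4688; Time = $t0; User = 'jdoe'; ProcessId = 4212; Process = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Parent = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CmdLine = 'powershell.exe -nop -w hidden -enc <base64_placeholder>' }
    [pscustomobject]@{ Id = 4688; Time = $t0.AddSeconds(5); User = 'jdoe'; ProcessId = 4400; Process = 'C:\Users\jdoe\AppData\Local\Temp\update.exe'; Parent = 'C:\Windows\explorer.exe'; CmdLine = 'update.exe' }
    [pscustomobject]@{ Id = 4688; Time = $t0.AddSeconds(9); User = 'jdoe'; ProcessId = 4500; Process = 'C:\Windows\System32\certutil.exe'; Parent = 'C:\Windows\System32\cmd.exe'; CmdLine = 'certutil -urlcache -split -f http://example.invalid/a.txt a.txt' }
    [pscustomobject]@{ Id = 4689; Time = $t0.AddSeconds(11); User = 'jdoe'; ProcessId = 4500; Process = 'C:\Windows\System32\certutil.exe'; Parent = $null; CmdLine = $null }
    [pscustomobject]@{ Id = 4688; Time = $t0.AddSeconds(12); User = 'jdoe'; ProcessId = 4600; Process = 'C:\Windows\System32\notepad.exe'; Parent = 'C:\Windows\explorer.exe'; CmdLine = '"C:\Windows\System32\notepad.exe" notes.txt' }
    [pscustomobject]@{ Id = 4689; Time = $t0.AddSeconds(40); User = 'SYSTEM'; ProcessId = 1234; Process = 'C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe'; Parent = $null; CmdLine = $null }
)

'== 4688 rule hits =='
$Sample | Find-Suspicious4688 | Format-Table Rule, User, Process -AutoSize
'== Lifetimes from 4688/4689 pairs =='
Get-ProcessLifetime -Events $Sample | Format-Table -AutoSize

# Against the live Security log (audit policy enabled, elevated prompt):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4689 } -MaxEvents 10000 |
#         ForEach-Object { ConvertFrom-ProcessEvent $_ }
# $live | Find-Suspicious4688; Get-ProcessLifetime -Events $live
```

On the sample data the rules flag the Word-spawned encoded PowerShell, the executable running from a user's Temp directory and the certutil download, while notepad passes; the lifetime pairing reports certutil living two seconds and the Defender engine stopping after ten minutes with `WatchedToolStopped` set. Pairing on PID plus image path rather than PID alone matters because Windows reuses process IDs, so a 4689 with a matching PID but a different image belongs to a different process.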
Process creation and termination logs offer an unparalleled view into endpoint activity. While they require a deliberate effort to enable and manage, the insights they provide for threat hunting and incident response are indispensable.
Take the time to enable these logs in your environment, even if it’s just on a subset of critical systems to start. Familiarize yourself with normal process behavior, and then start looking for the outliers. You might be surprised what you find lurking!
Insane Cyber © All Rights Reserved 2025