Channel: Security.
Events: 4688, 4689.

Overview

| Channel | Conditions | Events |
| --- | --- | --- |
| Security | Requires Audit Process Creation (Advanced Audit Policy Configuration > Detailed Tracking) to be enabled. Additionally requires ProcessCreationIncludeCmdLine_Enabled to be enabled for the command line to be logged. | Event 4688: A new process has been created. Logged upon the creation of every new process on the system. |
| Security | Requires Audit Process Termination (Advanced Audit Policy Configuration > Detailed Tracking) to be enabled. | Event 4689: A process has exited. Logged upon the termination of a process. |

Fields of interest

Process and parent process names

The NewProcessName field stores the full path of the created process's executable and the NewProcessId field its Process ID (PID), logged as a hexadecimal string (for example 0x1a2c). The ProcessId field of the Creator Process section is the PID of the parent (creator) process, and the ParentProcessName field (only present on Windows 10 / Windows Server 2016 and later) its executable full path. Parent/child pairs can be used to identify suspicious process activity, such as outlook.exe, winword.exe or iexplore.exe starting cmd.exe or powershell.exe processes. Since ProcessId is the parent PID and NewProcessId the child PID, a process tree can be rebuilt by chaining 4688 events, keeping in mind that PIDs are reused after the parent exits (event 4689).

Associated user and logon session

This event includes the SID (SubjectUserSid), account name (SubjectUserName) and domain (SubjectDomainName) of the account creating the process. The SubjectLogonId field (hexadecimal) can be used to correlate the process creation with the logon session: it matches the TargetLogonId of the 4624 event that opened the session, which in turn gives the logon type (for example 10 for RDP, 3 for network) and the source address. When the process is created under credentials other than the creator's (runas, CreateProcessWithLogonW), the Target Subject fields (TargetUserSid, TargetUserName, TargetDomainName, TargetLogonId) hold the account the new process runs as; otherwise they are NULL SID / "-".

TokenElevationType

The TokenElevationType field represents the type of token assigned to the process, i.e. whether it runs elevated with regard to User Account Control (UAC). It is logged as a %%NNNN placeholder and can take the following values:

| Flag | Correspondence | Description |
| --- | --- | --- |
| %%1936 | TokenElevationTypeDefault | The process is started with a full token with no privileges removed or groups disabled. A full token is only used if User Account Control (UAC) is disabled, or if the user starting the process is the built-in Administrator (RID 500), NT AUTHORITY\SYSTEM or a service account. |
| %%1937 | TokenElevationTypeFull | The process is started with an elevated token with no privileges removed or groups disabled. An elevated token is used when UAC is enabled and a member of the Administrators group starts the program in an elevated security context (Run as administrator, or an application manifest requiring administrator privileges). |
| %%1938 | TokenElevationTypeLimited | The process is started with a limited (filtered) token: administrative privileges such as SeDebugPrivilege or SeImpersonatePrivilege are removed from the process security context and administrative groups (Administrators, etc.) are marked deny-only. This is the token used when UAC is enabled and the program is not started elevated. |

A limited-token process (%%1938) spawning a full-token child (%%1937) means an elevation took place; when no UAC prompt is expected at that point (no user interaction, unusual parent such as a scripting host), the chain is a candidate UAC bypass and worth investigating.

ProcessCommandLine

If the ProcessCreationIncludeCmdLine_Enabled setting is enabled (Group Policy: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events, i.e. the REG_DWORD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled set to 1), the command line specified at process creation is logged in the Process Command Line field (CommandLine in the EventData XML); otherwise the field is empty. The value is the command line as passed at creation time, so it is not affected by a process later rewriting its own command line in memory. Note that command lines can contain credentials (runas, net use, psexec), so enabling this setting makes the Security log more sensitive and its read access should be restricted accordingly.
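The checks described above (parent/child pairs, PID decoding, SubjectLogonId correlation with 4624, TokenElevationType decoding and command line inspection) combined into one triage routine over exported event XML, as an added example that is not part of the original page. The event records, SIDs, PIDs, paths and IP address are constructed sample data; the list of suspicious parents and the encoded-PowerShell pattern are assumptions to tune per environment, not values from the page.

```python
"""Triage Security 4688 records against 4624 logon sessions (added example).
Field names follow the real 4688/4624 EventData schema; every value in the
sample records (SIDs, PIDs, paths, LogonIds, IP) is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# %%NNNN placeholders exactly as they appear in the raw EventData.
TOKEN_ELEVATION = {
    "%%1936": "TokenElevationTypeDefault",
    "%%1937": "TokenElevationTypeFull",
    "%%1938": "TokenElevationTypeLimited",
}
# Parents that rarely have a legitimate reason to spawn a shell (assumed list, tune per environment).
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -e / -enc / -encodedcommand followed by base64: classic evasion indicator in the command line.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{8,}")


def parse_event(xml_text):
    """Return (EventID, {DataName: value}) for one Security event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return event_id, data


def image_name(path):
    """'C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe', case-folded for comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def index_logons(events):
    """Map the TargetLogonId of every 4624 to the session details needed for correlation."""
    sessions = {}
    for event_id, data in events:
        if event_id == 4624:
            sessions[data["TargetLogonId"].lower()] = {
                "user": f'{data["TargetDomainName"]}\\{data["TargetUserName"]}',
                "logon_type": int(data["LogonType"]),
                "source_ip": data.get("IpAddress", "-"),
            }
    return sessions


def triage_4688(data, sessions):
    """Decode the fields of interest of one 4688 record and attach detection findings."""
    parent = image_name(data.get("ParentProcessName", ""))  # absent before Windows 10 / 2016
    child = image_name(data["NewProcessName"])
    findings = []
    if parent in SUSPICIOUS_PARENTS and child in SHELLS:
        findings.append(f"{parent} spawned {child}")
    elevation = TOKEN_ELEVATION.get(data["TokenElevationType"], data["TokenElevationType"])
    if elevation == "TokenElevationTypeFull":
        findings.append("elevated token (TokenElevationTypeFull)")
    command_line = data.get("CommandLine", "")  # empty unless ProcessCreationIncludeCmdLine_Enabled
    if ENCODED_PS.search(command_line):
        findings.append("encoded PowerShell command line")
    # SubjectLogonId (hex, case varies by producer) == TargetLogonId of the 4624 that opened the session.
    session = sessions.get(data["SubjectLogonId"].lower())
    if session and session["logon_type"] == 10:
        findings.append(f"started inside an RDP session from {session['source_ip']}")
    return {
        "pid": int(data["NewProcessId"], 16),  # PIDs are logged as hexadecimal strings
        "parent_pid": int(data["ProcessId"], 16),  # "Creator Process ID" is the parent PID
        "image": child, "parent": parent,
        "user": f'{data["SubjectDomainName"]}\\{data["SubjectUserName"]}',
        "logon_id": data["SubjectLogonId"], "session": session,
        "elevation": elevation, "command_line": command_line, "findings": findings,
    }


def triage(xml_records):
    """Parse a batch of exported events, index the logons, then triage every 4688."""
    events = [parse_event(x) for x in xml_records]
    sessions = index_logons(events)
    return [triage_4688(data, sessions) for event_id, data in events if event_id == 4688]


def _event(event_id, **data):
    """Build a minimal Security event in the Windows event XML schema (constructed sample data)."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{items}</EventData></Event>")


SAMPLE_RECORDS = [  # constructed sample, not real log data
    _event(4624, TargetUserSid="S-1-5-21-1-2-3-1105", TargetUserName="jdoe", TargetDomainName="CORP",
           TargetLogonId="0x3e7a1", LogonType=10, IpAddress="10.0.0.15"),
    _event(4688, SubjectUserSid="S-1-5-21-1-2-3-1105", SubjectUserName="jdoe", SubjectDomainName="CORP",
           SubjectLogonId="0x3E7A1", NewProcessId="0x1a2c", ProcessId="0x0f10",
           NewProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           TokenElevationType="%%1937",
           CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
           ParentProcessName=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    _event(4688, SubjectUserSid="S-1-5-18", SubjectUserName="WKS01$", SubjectDomainName="CORP",
           SubjectLogonId="0x3e7", NewProcessId="0x0b40", ProcessId="0x02a8",
           NewProcessName=r"C:\Windows\System32\svchost.exe", TokenElevationType="%%1936",
           CommandLine="", ParentProcessName=r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE_RECORDS), sep="\n")
```

On a real system the input would be the XML of each record (for instance the output of `Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624 or EventID=4688]]"` piped through `.ToXml()`), and the LogonId index would be built from the whole time window first, since the 4624 may be hours older than the 4688 it explains. The first sample record trips every check (Outlook spawning PowerShell, full token, encoded command line, RDP session); the svchost record spawned by services.exe under SYSTEM yields no finding and no session, because its LogonId 0x3e7 has no 4624 in the sample.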


