Process tracking events reveal what actually executes on Windows systems. While authentication events show who accessed systems, process events show what they did—the actual commands, scripts, and tools involved in both legitimate work and attacks.
Event ID 4688 logs process creation. By default, it records the process name and user. With proper configuration, it also captures the command line—dramatically increasing investigative value.
Enable command line logging through Group Policy: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events.
The process creation record includes:
Process relationships reveal attack chains. Normal processes have expected parents, so parent-child pairs that break those expectations stand out:
Word spawning PowerShell - Classic macro-based malware behavior
Services.exe spawning cmd.exe - Possible malicious service
WmiPrvSE.exe spawning processes - WMI-based execution
svchost.exe with unexpected children - Process injection or malicious service
Living off the land binaries (LOLBins) - Legitimate Windows binaries abused for malicious purposes: certutil downloading files, mshta executing scripts, regsvr32 loading remote COM objects.
Encoded PowerShell commands - Base64-encoded commands often hide malicious activity. Look for -EncodedCommand or -enc flags.
Suspicious paths - Executables running from temp directories, public folders, or recycle bin locations.
Command line red flags - Downloading content (Invoke-WebRequest, certutil), disabling security features (Set-MpPreference), clearing logs (wevtutil), establishing persistence (schtasks, reg add).
Combine process monitoring with other data sources. Process execution context helps interpret network connections, file modifications, and other activities.
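As an added example (not part of this lesson), the Python below applies the parent-child, LOLBin, launch-path and command-line checks described above to a few constructed 4688 records. The keys new_process, creator_process and command_line are assumed stand-ins for the event's New Process Name, Creator Process Name and Process Command Line fields.

```python
import ntpath
import re
# Parent -> children it should not spawn (from the lesson); None = any child.
SUSPICIOUS_PARENTS = {
    "winword.exe": {"powershell.exe", "cmd.exe"},   # macro-based malware
    "services.exe": {"cmd.exe", "powershell.exe"},  # possible malicious service
    "svchost.exe": {"cmd.exe", "powershell.exe"},   # injection or malicious service
    "wmiprvse.exe": None,                            # WMI-based execution
}
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe"}
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\", "\\$recycle.bin\\")
CMDLINE_FLAGS = {  # flag name -> case-insensitive regex over the command line
    "encoded powershell": r"\s-(encodedcommand|enc)\b",
    "download": r"invoke-webrequest|certutil.*-urlcache",
    "security tampering": r"set-mppreference",
    "log clearing": r"wevtutil\s+cl\b",
    "persistence": r"\bschtasks\b|\breg(\.exe)?\s+add\b",
}

def triage(event):
    """Red flags for one 4688 record (dict keys are constructed, see lead-in)."""
    child = ntpath.basename(event["new_process"]).lower()
    parent = ntpath.basename(event["creator_process"]).lower()
    flags = []
    bad_children = SUSPICIOUS_PARENTS.get(parent, set())
    if bad_children is None or child in bad_children:
        flags.append(f"unexpected child: {parent} -> {child}")
    if child in LOLBINS:
        flags.append(f"lolbin: {child}")
    if any(d in event["new_process"].lower() for d in SUSPICIOUS_DIRS):
        flags.append("suspicious path")
    for name, pattern in CMDLINE_FLAGS.items():
        if re.search(pattern, event.get("command_line", ""), re.IGNORECASE):
            flags.append(f"command line: {name}")
    return flags

def triage_all(events):  # index -> flags, for records that raised any flag
    return {i: f for i, e in enumerate(events) if (f := triage(e))}
# Constructed sample records (not real telemetry); the first one is benign.
SAMPLE_EVENTS = [
    {"new_process": r"C:\Windows\System32\cmd.exe",
     "creator_process": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c dir"},
    {"new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "creator_process":
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"new_process": r"C:\Users\Public\update.exe",
     "creator_process": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "command_line": "update.exe"},
    {"new_process": r"C:\Windows\System32\wevtutil.exe",
     "creator_process": r"C:\Windows\System32\cmd.exe", "command_line": "wevtutil cl Security"},
]
```

Running triage_all(SAMPLE_EVENTS) flags records 1 to 3 and leaves the benign explorer.exe -> cmd.exe record alone.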
What is PowerShell logging?
What Event ID captures PowerShell scripts?
How do you detect malicious PowerShell?
What term describes hiding malicious code?