A new process has been created
A new process has been created on the system. Tracks process execution, creator process ID (parent process), and full command-line arguments when enabled.
Event ID 4688 is one of the most critical telemetry sources for endpoint threat hunting. When 'Include command line in process creation events' is enabled via Group Policy, this event logs exact executable paths, parent-child process relationships (`Creator Process ID`), and complete command-line arguments passed to the application upon spawn.
Failure Reason / Root Cause:
Standard operating system process launches, application execution, script execution (`powershell.exe`, `cmd.exe`), or malicious payload detonation.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.876Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to A new process has been created -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1059.001 | Command and Scripting Interpreter: PowerShell | Execution |
T1218 | System Binary Proxy Execution | Defense Evasion |
Recommended actions
- Enable Group Policy 'Include command line in process creation events' across all servers and workstations.
- Hunt for suspicious parent-child process anomalies (e.g., `winword.exe` spawning `powershell.exe` or `wscript.exe`).
- Monitor for execution of living-off-the-land binaries (LOLBINs) such as `certutil.exe`, `vssadmin.exe`, `bitsadmin.exe`, and `mshta.exe` with suspicious parameters.