
Program execution


Last updated 1 year ago

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on artefacts.help.

Security.evtx - 4688: A new process has been created

Event: 4688: A new process has been created. Location: the victim's Security event log (Security.evtx). Requires the Audit Process Creation subcategory to be enabled.

This event is logged upon the creation of every new process on the system.

The NewProcessName field stores the full path of the process's executable and the ProcessId field the Process ID (PID) of the process. The ParentProcessName field logs the full path of the parent process's executable and can be used to identify suspicious process activity, such as outlook.exe or iexplore.exe starting cmd.exe or powershell.exe processes.

This event includes the SID (SubjectUserSid), account name (SubjectUserName) and domain (SubjectDomainName) of the user creating the process. Additionally, the SubjectLogonId field can be used to correlate the process creation with the logon session it belongs to (Security event 4624).

The TokenElevationType field represents the privileges of the process and can take the following values:

| Flag | Correspondence | Description |
|---|---|---|
| %%1936 | TokenElevationTypeDefault | The process is started with a full token with no privileges removed or groups disabled. A full token is only used if User Account Control (UAC) is disabled or if the user starting the process is the built-in Administrator (RID: 500), NT AUTHORITY\SYSTEM or a service account. |
| %%1937 | TokenElevationTypeFull | The process is started with an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control (UAC) is enabled and the user chooses to start the program in an elevated security context (Run as administrator, for example). |
| %%1938 | TokenElevationTypeLimited | The process is started with limited privileges: privileges such as SeImpersonatePrivilege, SeDebugPrivilege, etc. are removed from the process security context. |

If the ProcessCreationIncludeCmdLine_Enabled audit policy setting ("Include command line in process creation events") is enabled, the command line specified at process creation is logged in the ProcessCommandLine field.

This event is followed by Security event 4689 (Audit Process Termination subcategory, Success and Failure) upon termination of the process.
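The fields above can be pulled out of 4688 records and triaged in bulk. The following is an added example, not code from InfoSec-Notes: it parses constructed 4688 records in Security.evtx XML form, maps TokenElevationType to its name, flags Office or browser parents spawning a shell, and groups processes per SubjectLogonId for correlation with 4624. The sample records use the raw EventData names (NewProcessId for the new PID, ProcessId for the creator PID, CommandLine for the command line); the process names and SIDs are made up.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TOKEN_TYPES = {"%%1936": "TokenElevationTypeDefault",
               "%%1937": "TokenElevationTypeFull",
               "%%1938": "TokenElevationTypeLimited"}
# Office and browser parents that should rarely start a shell directly (assumed list).
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def make_4688(logon, parent, new_proc, cmdline, token):
    """Build one constructed 4688 record in the Security.evtx XML layout (sample data)."""
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4688</EventID></System>
<EventData><Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">{logon}</Data><Data Name="NewProcessId">0x1a2c</Data>
<Data Name="NewProcessName">{new_proc}</Data><Data Name="TokenElevationType">{token}</Data>
<Data Name="ProcessId">0x0f40</Data><Data Name="CommandLine">{cmdline}</Data>
<Data Name="ParentProcessName">{parent}</Data></EventData></Event>"""

SAMPLE = [  # constructed sample records, not real logs
    make_4688("0x3e7b1", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc AAAA", "%%1938"),
    make_4688("0x3e7b1", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe", "%%1938"),
    make_4688("0x5c210", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              "net localgroup administrators", "%%1937"),
]

def parse_4688(xml_text):
    """Extract the fields discussed above; TokenElevationType is mapped to its name."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "logon_id": data["SubjectLogonId"],  # join key to the 4624 logon event
        "user": f'{data["SubjectDomainName"]}\\{data["SubjectUserName"]}',
        "parent": data["ParentProcessName"].rsplit("\\", 1)[-1].lower(),
        "process": data["NewProcessName"].rsplit("\\", 1)[-1].lower(),
        "cmdline": data["CommandLine"],
        "token": TOKEN_TYPES.get(data["TokenElevationType"], data["TokenElevationType"]),
    }

def triage(records):
    """Return (suspicious parent->child findings, process names grouped per logon session)."""
    findings, per_logon = [], {}
    for ev in map(parse_4688, records):
        per_logon.setdefault(ev["logon_id"], []).append(ev["process"])
        if ev["parent"] in SUSPICIOUS_PARENTS and ev["process"] in SHELLS:
            findings.append(f'{ev["user"]}: {ev["parent"]} -> {ev["process"]} '
                            f'[{ev["token"]}] {ev["cmdline"]}')
    return findings, per_logon
```

Real records exported with `Get-WinEvent ... | ForEach-Object { $_.ToXml() }` use the same element layout, so the parser applies unchanged to them.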

Artefacts

For an overview of the artefacts related to program execution (SRUM, UserAssist, BAM / DAM, Shimcache, Amcache, Prefetch, ...), refer to the artefacts overview note.

