Skip to main content
 
 
Splunk Lantern

Enabling Windows event log process command line logging via group policy object

 

Process command line logging enhances the Windows event ID 4688, providing visibility into any parameters passed through to the process at execution time. This additional context is often required to differentiate between benign process execution events and malicious activity.

The process command line field aligns event ID 4688 to the Endpoint.processes CIM data model, which hundreds of ESCU detections use to detect adversary methodologies, such as living off the land.

In order to follow this process, you'll need to ensure that the audit policy Audit Process Creation is enabled. This policy is required to generate event ID 4688. For the full list of required audit policies, see Configuring Windows security audit policies for Enterprise Security visibility.

Solution

In order to enhance event 4688, you'll need to create or modify a group policy that applies to all domain-joined devices.

  1. Navigate to Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation.
  2. Enable the policy setting named "Include command line in process creation events", and click OK.
    unnamed - 2024-02-29T104522.258.png

After you have done this, you'll see that your 4688 events contain extra context. An example of this can be seen in the image below that shows two 4688 events generated on the same host - one event with command line logging enabled and the other without.

Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.