How to Interpret Windows Security Event ID 4688 in an Investigation

Introduction

According to Microsoft, event IDs (also called event identifiers) uniquely identify a particular event. An event ID is a numerical identifier attached to each event logged by the Windows operating system. It provides information about the event that occurred and can be used to identify and troubleshoot problems relating to system operations. An event, in this context, is any action performed by the system or by a user on the system. These events can be viewed on Windows using the Event Viewer.

Event ID 4688 is logged whenever a new process is created. It documents each program executed on the machine and its identifying data, including the creator, the target, and the process that started it. Many events are logged under event ID 4688. Upon login, the Session Manager Subsystem (smss.exe) is launched, and event 4688 is logged. If a system is infected by malware, the malware will typically create new processes to run, and those processes are documented under ID 4688.

Interpreting Event ID 4688

In order to interpret event ID 4688, it is important to understand the different fields included in the event log. These fields can be used to detect any irregularities and track the origin of a process back to its source.

  • Creator Subject: this field provides information about the user account that requested the creation of a new process. This field provides context and can help forensic investigators identify anomalies. It includes several subfields, including:
    • Security Identifier (SID): according to Microsoft, the SID is a unique value used to identify a trustee. It is used to identify users on the Windows machine.
    • Account Name: the SID is resolved to show the name of the account that initiated the creation of the new process.
    • Account Domain: the domain the computer belongs to.
    • Logon ID: a unique hexadecimal value that is used to identify the user’s logon session. It can be used to correlate events that contain the same event ID.
  • Target Subject: this field provides information about the user account the process is running under. The subject recorded in the process creation event may, in some circumstances, differ from the subject recorded in the process termination event. So, when the creator and the target do not share the same logon, it is important to include the target subject even though both reference the same process ID. The subfields are the same as those of the creator subject above.
  • Process Information: this field provides detailed information about the created process. It includes several subfields, including:
    • New Process ID (PID): a unique hexadecimal value assigned to the new process. The Windows operating system uses it to keep track of active processes.
    • New Process Name: the full path and name of the executable file that was launched to create the new process.
    • Token Evaluation Type: token evaluation is a security mechanism employed by Windows to determine whether a user account is authorized to perform a particular action. The type of token a process uses when it requests elevated privileges is called the “token evaluation type.” There are three possible values for this field. Type 1 (%%1936) denotes that the process is using the default user token and has not requested any special permissions; it is the most common value for this field. Type 2 (%%1937) denotes that the process requested full administrator privileges to run and was successful in obtaining them; this is the value seen when a user runs an application or process as administrator. Type 3 (%%1938) denotes that the process only received the rights required to carry out the requested action, even though it requested elevated privileges.
    • Mandatory Label: an integrity label assigned to the process.
    • Creator Process ID: a unique hexadecimal value assigned to the process that initiated the new process.
    • Creator Process Name: full path and name of the process that created the new process.
    • Process Command Line: provides details about the arguments passed into the command to initiate the new process. It includes several subfields including the current directory and hashes.
Conclusion

When analyzing a process, it is vital to determine whether it is legitimate or malicious. A legitimate process can usually be identified by looking at the creator subject and process information fields. The process ID and creator process fields can be used to identify anomalies, such as a new process being spawned from an unusual parent process. The command line can also be used to verify the legitimacy of a process. For example, a process with arguments that include a file path to sensitive data may indicate malicious intent. The Creator Subject field can be used to determine whether the user account is associated with suspicious activity or has elevated privileges.

Furthermore, it is important to correlate event ID 4688 with other relevant events in the system to gain context about the newly created process. Event ID 4688 can be correlated with 5156 to determine if the new process is associated with any network connections. If the new process is associated with a newly installed service, event 4697 (service install) can be correlated with 4688 to provide additional information. Event ID 5140 (file creation) can also be used to identify any new files created by the new process.
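The following parser and triage helper are an added example, not code from the original article. It reads a single 4688 event in the XML form shown in Event Viewer's Details pane (whose Data names, such as SubjectLogonId, NewProcessName and TokenElevationType, are the canonical field identifiers), decodes the %%1936 to %%1938 token type values described above, and applies the checks from the conclusion: an unusual parent process, a full administrator token, and a creator logon that differs from the target logon. The sample event, the host name, and the list of parent/child pairs treated as unusual are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Raw values of the token elevation field (%%1936-%%1938) mapped to readable names.
TOKEN_TYPES = {"%%1936": "default", "%%1937": "full", "%%1938": "limited"}
# Example analyst policy (an assumption, not from the article): document and browser
# processes should not be spawning shells or script hosts.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DOC_OR_BROWSER = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}

# Constructed sample 4688 event; every value is invented. The layout follows the
# XML view in Event Viewer, whose Data names are the canonical field identifiers.
SAMPLE_4688 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><Computer>WS01.example.local</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
<Data Name="SubjectUserName">jdoe</Data>
<Data Name="SubjectDomainName">EXAMPLE</Data>
<Data Name="SubjectLogonId">0x3e7a1</Data>
<Data Name="TargetLogonId">0x3e7a1</Data>
<Data Name="NewProcessId">0x1a2c</Data>
<Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="TokenElevationType">%%1937</Data>
<Data Name="ProcessId">0x0f44</Data>
<Data Name="CommandLine">cmd.exe /c whoami</Data>
<Data Name="ParentProcessName">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
</EventData></Event>"""

def parse_4688(xml_text):
    # Return the EventData fields as a dict, plus a decoded token elevation type.
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        raise ValueError("not a 4688 event")
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev["TokenElevation"] = TOKEN_TYPES.get(ev.get("TokenElevationType"), "unknown")
    return ev

def basename(path):
    # Last component of a Windows path, lower-cased for comparison.
    return path.rsplit("\\", 1)[-1].lower()

def flags(ev):
    # Reasons an analyst would look twice at this process creation.
    out = []
    if basename(ev["ParentProcessName"]) in DOC_OR_BROWSER and basename(ev["NewProcessName"]) in SHELLS:
        out.append("shell spawned by a document or browser process")
    if ev["TokenElevation"] == "full":
        out.append("process ran with a full administrator token")
    if ev.get("TargetLogonId", ev["SubjectLogonId"]) != ev["SubjectLogonId"]:
        out.append("creator and target logon sessions differ")
    return out
```

The NewProcessId value returned by parse_4688 is the key for the correlation described above: match it against the process ID recorded in 5156 or 4697 events from the same host and time window.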

In conclusion, understanding the context of the system is necessary to determine the potential impact of the process. A process initiated on a critical server is likely to have a greater impact than one launched on a standalone machine. Context helps direct the investigation, prioritize response and manage resources. By analyzing the different fields in the event log and correlating them with other events, anomalous processes can be traced to their origin and the cause determined.