Security Thoughts: Include command line in process creation events

Windows 8.1 and Windows Server 2012 R2 introduced an awesome new feature, called Include command line in process creation events, a Group Policy setting that expands the Audit Process Creation policy so events in Event Viewer (eventvwr.msc) include the actual commands issued.

Last week, Microsoft introduced an update to Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 to introduce the same feature to these older Windows and Windows Server versions.

That is as good a reason as any to look into it.


The situation

In many Microsoft-centered networking infrastructure environments, it is hard to troubleshoot, monitor and/or investigate security-related issues.

Audit process creation

In many of these cases, the Audit Process Creation Group Policy setting (in Computer Configuration, Policies, Windows Settings, Security Settings, Advanced Audit Configuration, Detailed Tracking) is enabled for specific systems (it is not enabled by default):

Enabling the Audit Process Creation Group Policy setting (screenshot)

This setting determines whether the Operating System generates audit events when a process is created. Events with Event ID 4688 are generated and logged in the Windows Security log.


What’s new

Now, after you apply KB3004375 to Windows 7, Windows 8, Windows Server 2008 R2 and/or Windows Server 2012, you see a new Group Policy setting in Computer Configuration, Policies, Administrative Templates, System, Audit Process Creation, named Include command line in process creation events:

The Include command line in process creation events Group Policy setting (screenshot)

When you enable this setting, the events in Event Viewer (eventvwr.msc) are expanded with the Process Command Line: field. The two screenshots below, made on a Windows Server 2012 R2 installation, show two events in Event Viewer with Event ID 4688. The left event was logged before the Include command line in process creation events Group Policy setting was enabled. The screenshot on the right shows the event with the setting enabled:

Event ID 4688 before enabling the Include command line in process creation events Group Policy setting (screenshot)

Event ID 4688 after enabling the Include command line in process creation events Group Policy setting (screenshot)
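To check both pieces described above (that the Audit Process Creation subcategory is on, and that the Process Command Line field is actually populated in Event ID 4688 events), the following PowerShell can be run in an elevated prompt. This is an added example, not something from the original post or from Microsoft's documentation; it assumes auditpol.exe and Get-WinEvent are available (they are on the Windows versions discussed) and that the Include command line setting is backed by the registry value named below, which is an assumption of this example rather than something the post states.

```powershell
# Added example (not from the original post): verify process creation
# auditing and command line capture, then list recent 4688 events with
# their command lines. Run from an elevated PowerShell prompt.

# 1. Check the Audit Process Creation subcategory (Detailed Tracking).
#    auditpol /r returns CSV; the 'Inclusion Setting' column holds
#    "Success", "Failure", "Success and Failure" or "No Auditing".
$auditState = auditpol /get /subcategory:"Process Creation" /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv |
    Select-Object -ExpandProperty 'Inclusion Setting'
Write-Host "Audit Process Creation: $auditState"

# 2. Check the registry value that the "Include command line in process
#    creation events" policy is assumed (in this example) to write.
#    1 = enabled; absent or 0 = the CommandLine field stays empty.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$value   = Get-ItemProperty -Path $regPath -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
if ($value.ProcessCreationIncludeCmdLine_Enabled -eq 1) {
    Write-Host 'Include command line in process creation events: Enabled'
} else {
    Write-Host 'Include command line in process creation events: Not enabled (Process Command Line will be empty)'
}

# 3. Pull the latest 4688 events from the Security log and surface the
#    command line. In the event XML the field is <Data Name="CommandLine">.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20 -ErrorAction SilentlyContinue
$rows = foreach ($evt in $events) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $evt.TimeCreated
        User        = $data['SubjectUserName']
        NewProcess  = $data['NewProcessName']
        CommandLine = $data['CommandLine']
    }
}
$rows | Format-Table -AutoSize -Wrap

# 4. Quick sanity check: count events whose command line is empty. A high
#    count with the setting "Enabled" usually means the events predate the
#    policy change (the setting does not fill in earlier events).
$empty = @($rows | Where-Object { [string]::IsNullOrEmpty($_.CommandLine) }).Count
Write-Host "4688 events without a command line: $empty of $($rows.Count)"
```

Step 4 is the check worth keeping around after rollout: once the setting applies, only events logged from that moment on carry the command line, so a few empty entries at the top of the list right after enabling the policy are expected, while a list that stays entirely empty points at the policy not having been applied to that machine yet.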


Concluding

Command line auditing can be a super useful tool for troubleshooting, monitoring and/or investigating security-related issues. It might be the missing piece of the puzzle on your Windows 7, Windows 8, Windows Server 2008 R2 and/or Windows Server 2012 installations. If it is, don’t hesitate to roll out KB3004375 (after testing).

Running Windows 8.1 or Windows Server 2012 R2 and in need of some command line auditing intelligence? Simply enable it.

Related Knowledgebase articles

3004375 Microsoft security advisory: Update to improve Windows command-line auditing: February 10, 2015

Further reading

Audit Process Creation
Security Auditing
Advanced Security Audit Policy Step-by-Step Guide
Best Practices for Securing Active Directory
How to Create an Audit Plan
Best Practices in Internal Audit
WinSecWiki – Process Creation
