001-Audit Process Creation (592_4688).md
866 B / 2021-07-17 00:01:42
### Audit Process Creation (592/4688)

When "Audit Process Creation" is enabled (it is off by default and has to be turned on manually), Windows 7, Windows Server 2008 and later write an event with `Event ID` `4688` to the Windows Security log every time a process is created. The event records the new process name and process ID, the creating user and the creator process ID. The command line is not included unless the separate "Include command line in process creation events" policy (`Computer Configuration -> Administrative Templates -> System -> Audit Process Creation`) is also enabled; without it the `CommandLine` field of 4688 stays empty, which makes the event far less useful for forensics.
    
**Note**: on `Windows XP/2003` the corresponding `Event ID` is `592`.
    
To enable: `Edit Default Domain Policy (or a dedicated GPO linked to the target computers) -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Detailed Tracking`

Policy name: `Audit Process Creation` (enable at least Success)

![](images/security_wiki/15906445998664.png)
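The same setting can be applied on a single machine without Group Policy. The following is an added example, not from the original page: it enables the Process Creation subcategory with `auditpol`, turns on command-line logging through the registry value behind the "Include command line in process creation events" policy, and verifies the result. The subcategory is addressed by its GUID rather than its display name so that the command also works on a Chinese (or any other localized) Windows; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original page): local equivalent of the GPO setting above.
# Requires an elevated prompt.

# 1. Enable Success (and Failure) auditing for Detailed Tracking > Process Creation.
#    {0CCE922B-...} is the GUID of the "Process Creation" subcategory; using it avoids
#    the localized display name ("进程创建" on Chinese Windows).
auditpol /set /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

# 2. Populate the CommandLine field of 4688 (Windows 8.1 / Server 2012 R2 and later;
#    earlier systems need the update that added this policy). This is the registry value
#    set by "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Verify the effective policy; the Process Creation line should read "Success and Failure".
auditpol /get /category:"Detailed Tracking"

# 4. Prove it works: spawn a process and read back the newest 4688 event.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'whoami' -WindowStyle Hidden -Wait
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1 |
    Select-Object TimeCreated, Message | Format-List
```

On a domain-joined machine an Advanced Audit Policy pushed by GPO overrides whatever `auditpol /set` configured at the next policy refresh, so for domain computers make the change in the GPO described above and use `auditpol /get` only to confirm that it has applied.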
    
    
Viewing Security events with ID `4688` in Event Viewer:

![](images/security_wiki/15906446075400.png)
    
    
Retrieving them from the command line (reading the Security log needs an elevated prompt; add `/c:20` to return only the newest 20 events, or replace `/f:text` with `/f:xml` for machine-parsable output):

```cmd
rem newest first (/rd:true), plain-text output (/f:text), XPath filter on EventID 4688
wevtutil qe security /rd:true /f:text /q:"Event[System[(EventID=4688)]]"
```

![](images/security_wiki/15906446167998.png)
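The text output of `wevtutil` is fine for a quick look but awkward to filter. As an added example (not from the original page), the following PowerShell function performs the same 4688 query with `Get-WinEvent` and turns each event's `EventData` into an object with the fields an investigator pivots on: user, new process, command line, parent process. The parent-process filter at the end (Office applications and script hosts spawning children) is this example's own choice of a suspicious pattern, not something the page states.

```powershell
# Added example (not from the original page): structured 4688 query.
# Needs administrator or "Event Log Readers" membership to read the Security log.

function Get-ProcessCreationEvents {
    param(
        [int]$MaxEvents = 50,
        [datetime]$StartTime = (Get-Date).AddHours(-24)
    )
    # FilterHashtable is evaluated by the event log service, so it is much faster
    # than piping every event through Where-Object.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $StartTime } -MaxEvents $MaxEvents |
        ForEach-Object {
            # The named EventData fields are easiest to read from the event's XML form.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                NewProcess    = $data['NewProcessName']
                NewProcessId  = $data['NewProcessId']
                CommandLine   = $data['CommandLine']        # empty unless command-line auditing is enabled
                ParentProcess = $data['ParentProcessName']  # field exists on Windows 10 / Server 2016 and later
            }
        }
}

# Newest 20 process creations, equivalent to the wevtutil query above.
Get-ProcessCreationEvents -MaxEvents 20 | Format-Table -AutoSize

# Hunt: processes whose parent is an Office application or a script host
# (a common macro / phishing execution chain). The regex is this example's assumption.
Get-ProcessCreationEvents -MaxEvents 5000 |
    Where-Object { $_.ParentProcess -match '\\(winword|excel|powerpnt|outlook|wscript|cscript|mshta)\.exe$' } |
    Format-Table Time, User, ParentProcess, NewProcess, CommandLine -Wrap
```

On Windows 7 / Server 2008 R2 the `ParentProcessName` field does not exist, so only `CommandLine` (when enabled) and the creator process ID are available for building the parent-child chain; on XP/2003 the 592 event uses different field names entirely and this parser does not apply to it.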
    
    
    
    