Steps to enable auditing using the Group Policy Management Console (GPMC):
Perform the following actions on the domain controller (DC):
- Press Start, search for, and open the Group Policy Management Console or run the command gpmc.msc.
- Right-click the domain or organizational unit (OU) that you want to audit, and click Create a GPO in this domain, and Link it here. If you have already created a Group Policy Object (GPO), go to step 4.
- Name the GPO as appropriate.
- Right-click the GPO and choose Edit.
- In the Group Policy Management Editor, in the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking.
- In the right pane, you will see a list of policies that are under Detailed Tracking. Double-click Audit Process Creation and check the boxes labeled Configure the following audit events, Success, and Failure. Perform the same actions for Audit Process Termination.
- Click Apply, then OK.
- Go back to the Group Policy Management Console, and in the left pane, right-click the desired OU in which the GPO was linked and click Group Policy Update. This step makes sure the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.
Once this policy is enabled, events are logged in the DC's security log whenever a process has been created or has exited.
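The same Detailed Tracking settings can be checked, and the refresh from step 8 triggered, from an elevated PowerShell prompt on the DC. This is an added example, not part of the original page; it uses the built-in auditpol and gpupdate tools and assumes you are verifying the effective policy on one machine. Settings written with auditpol apply to the local policy only and are overwritten by a linked GPO at the next refresh, so in a domain the GPO steps above remain the way to deploy them.

```powershell
# Added example (not from the original page): verify the Detailed Tracking
# subcategories on the DC and force a Group Policy refresh.
# Assumption: run from an elevated PowerShell session on the DC.

# Show the effective state of every subcategory under Detailed Tracking
auditpol /get /category:"Detailed Tracking"

# Local-policy equivalent of the two GPO settings configured above.
# A linked GPO overrides these values on its next refresh.
auditpol /set /subcategory:"Process Creation"    /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable

# Same effect as "Group Policy Update" in GPMC: apply the linked GPO now
gpupdate /force

# Confirm that both subcategories now report "Success and Failure"
auditpol /get /subcategory:"Process Creation"
auditpol /get /subcategory:"Process Termination"
```

If the second auditpol /get still shows "No Auditing" after the refresh, the GPO is linked to an OU that does not contain the DC, or a GPO with higher precedence sets the subcategory differently; gpresult /r lists which GPOs were actually applied.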
Steps to view these events using the Event Viewer:
Once the above steps are complete, events will be stored in the event log. These can be viewed in the Event Viewer by following the steps below:
- Press Start, search for Event Viewer, and click to open it.
- In the Event Viewer window, in the left pane, navigate to Windows Logs → Security.
- Here, you will find a list of all the security events that are logged in the system.
- In the right pane, under Security, click Filter Current Log.
- In the pop-up window, enter the desired Event ID* in the field labeled <All Event IDs>.
*The following Event IDs are generated for the given events:
| Event ID | Subcategory | Description |
|---|---|---|
| 4688 | Audit Process Creation | A new process has been created. |
| 4696 | Audit Process Creation | A primary token was assigned to process. |
| 4689 | Audit Process Termination | A process has exited. |
- Click OK. This will provide a list of occurrences of the entered Event ID.
- Double-click the Event ID to view its properties (description).
Event 4688 is logged when a process is created. The following details are logged in the event properties:
- Name and SID of the account that requested the "create process" operation
- Process ID, full path, and name of the new process created
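The Event Viewer filter above can be reproduced with Get-WinEvent, which also lets you pull the account, SID, process ID and path out of each event instead of opening the properties one at a time. This is an added example, not code from the original page or from ADAudit Plus; it assumes an elevated PowerShell session on the DC, and the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the original page): list process creation (4688) and
# termination (4689) events from the Security log and reduce each to the fields
# described above. Assumption: elevated PowerShell session on the DC.

$filter = @{
    LogName   = 'Security'
    Id        = 4688, 4689
    StartTime = (Get-Date).AddHours(-24)   # constructed window; adjust as needed
}

# Read one named <Data> element out of the event's EventData section
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            # Name and SID of the account that requested the operation
            Account    = "$(Get-EventField $x 'SubjectDomainName')\$(Get-EventField $x 'SubjectUserName')"
            AccountSid = Get-EventField $x 'SubjectUserSid'
            # 4688 stores the new process as NewProcessId/NewProcessName;
            # 4689 stores the exiting process as ProcessId/ProcessName.
            # Process IDs in both events are hexadecimal strings (e.g. 0x1a4c).
            ProcessId  = if ($_.Id -eq 4688) { Get-EventField $x 'NewProcessId' }   else { Get-EventField $x 'ProcessId' }
            Process    = if ($_.Id -eq 4688) { Get-EventField $x 'NewProcessName' } else { Get-EventField $x 'ProcessName' }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Pipe the output to Export-Csv instead of Format-Table to keep a record, or add -ComputerName to Get-WinEvent to query another DC. Note that 4688 only includes the process command line when the separate Group Policy setting "Include command line in process creation events" (under Computer Configuration → Policies → Administrative Templates → System → Audit Process Creation) is enabled; the Detailed Tracking settings above do not turn it on.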
The above method is impractical when you have to deal with thousands of devices in an organization, as an administrator would have to manually look up each event to view its details.
ADAudit Plus, a comprehensive AD auditing tool, enables admins to effortlessly audit process creation and termination events. Admins can also keep track of the creation, deletion, and modification of scheduled tasks with ease.
Steps to audit process tracking using ManageEngine ADAudit Plus
- Download and install ADAudit Plus.
- Find the steps to configure auditing on your domain controller here.
- Open the console and log in as administrator.
- Navigate to Server Audit → Process Tracking → New Process Created
You can also keep track of process termination. Navigate to Server Audit → Process Tracking → New Process Exited.
Advantages of using ADAudit Plus over native auditing:
- Get instant, informative reports on process creation and termination instead of manually searching for an Event ID.
- Monitor all programs that are executed, and discover who started the process, which computer the program was launched on, the time the process was started, and much more.
- Track in detail all scheduled tasks set by users in your organization.
- Get curated reports for all changes made to your Active Directory in one centralized platform.
- More easily satisfy compliance regulations including SOX, HIPAA, GLBA, PCI-DSS, FISMA, and GDPR.