
5.1. How to Find Frequently Run EXEs Causing Event ID 4688 Noise

Event ID 4688 is valuable because it lets us track the EXEs running on our endpoints and even detect unrecognized programs, such as those used by WannaCry. But 4688 is noisy. Supercharger includes noise filters for the most common EXEs executed by the system itself (Logon ID 0x3e7), but you can cut the noise down further in your own environment by analyzing your 4688 events. Here are some Log Parser commands to help you do that. Each one pulls its columns out of the pipe-delimited Strings field of the event, where token 1 is the subject user name, token 3 is the subject logon ID and token 5 is the new process name:

Counts by program (the most frequently launched EXEs overall):

logparser "select EXTRACT_TOKEN(Strings,5,'|') AS Program, count(*) from security where EventID=4688 group by Program order by count(*) desc" -o:tsv > CountsByProgram.txt

Programs launched by the system itself (subject Logon ID 0x3e7), which are the candidates for additional noise filters:

logparser "select EXTRACT_TOKEN(Strings,5,'|') AS Program, EXTRACT_TOKEN(Strings,3,'|') AS LogonId, count(*) from security where EventID=4688 and LogonId='0x3e7' group by Program, LogonId order by count(*) desc" -o:tsv > ProgramsRanBySystem.txt

Programs by user, to see which accounts launch which EXEs most often:

logparser "select EXTRACT_TOKEN(Strings,5,'|') AS Program, EXTRACT_TOKEN(Strings,1,'|') AS TheUser, count(*) from security where EventID=4688 group by Program, TheUser order by count(*) desc" -o:tsv > ProgramsByUser.txt

Each command creates a tab-delimited file you can open in Excel.
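As an added illustration that is not part of this KB article or of Supercharger, the Python script below applies the same Strings token positions (1, 3 and 5) to a handful of constructed 4688 records and reproduces the three counts above, then lists the SYSTEM-launched programs frequent enough to be noise-filter candidates. The sample events, the min_count threshold and the function names are assumptions made for the example.

```python
from collections import Counter

# 0-based EXTRACT_TOKEN positions in the pipe-delimited Strings field of a 4688
# event: 1 = SubjectUserName, 3 = SubjectLogonId, 5 = NewProcessName.
SUBJECT_USER, SUBJECT_LOGON_ID, NEW_PROCESS_NAME = 1, 3, 5
SYSTEM_LOGON_ID = "0x3e7"  # the SYSTEM logon that the built-in noise filters key on

# Constructed sample events as (EventID, Strings) pairs; not real log data.
SAMPLE_EVENTS = [
    (4688, "S-1-5-18|WKS1$|CORP|0x3e7|0x1a4|C:\\Windows\\System32\\svchost.exe|%%1936|0x2f0"),
    (4688, "S-1-5-18|WKS1$|CORP|0x3e7|0x2b8|C:\\Windows\\System32\\svchost.exe|%%1936|0x2f0"),
    (4688, "S-1-5-18|WKS1$|CORP|0x3e7|0x3c0|C:\\Windows\\System32\\conhost.exe|%%1936|0x1a4"),
    (4688, "S-1-5-21-1-2-3-1001|alice|CORP|0x5d2a1|0x4d4|C:\\Windows\\System32\\notepad.exe|%%1938|0x7e8"),
    (4688, "S-1-5-21-1-2-3-1001|alice|CORP|0x5d2a1|0x5e8|C:\\Windows\\System32\\svchost.exe|%%1938|0x7e8"),
    (4624, "S-1-5-18|WKS1$|CORP|0x3e7|S-1-5-21-1-2-3-1001|alice|CORP|0x5d2a1|2"),  # not a 4688; skipped
]

def process_creations(events):
    """Yield the Strings tokens of each 4688 event (the WHERE EventID=4688 clause)."""
    for event_id, strings in events:
        if event_id == 4688:
            yield strings.split("|")

def counts_by_program(events):
    """First query: 4688 count per NewProcessName, most frequent first."""
    return Counter(t[NEW_PROCESS_NAME] for t in process_creations(events)).most_common()

def programs_run_by_system(events):
    """Second query: only process creations whose SubjectLogonId is 0x3e7 (SYSTEM)."""
    return Counter(t[NEW_PROCESS_NAME] for t in process_creations(events)
                   if t[SUBJECT_LOGON_ID].lower() == SYSTEM_LOGON_ID).most_common()

def programs_by_user(events):
    """Third query: count per (NewProcessName, SubjectUserName) pair."""
    return Counter((t[NEW_PROCESS_NAME], t[SUBJECT_USER])
                   for t in process_creations(events)).most_common()

def noise_filter_candidates(events, min_count=2):
    """Programs SYSTEM launches at least min_count times (threshold is an assumption);
    these are the ones worth considering for a 4688 noise filter."""
    return [program for program, n in programs_run_by_system(events) if n >= min_count]

def to_tsv(rows):
    """Render (key, count) rows as tab-delimited text, like Log Parser's -o:tsv output."""
    return "\n".join("\t".join([*(k if isinstance(k, tuple) else (k,)), str(n)]) for k, n in rows)

if __name__ == "__main__":
    print(to_tsv(programs_by_user(SAMPLE_EVENTS)))
    print("Noise filter candidates:", noise_filter_candidates(SAMPLE_EVENTS))
```

On a real export, replace SAMPLE_EVENTS with (EventID, Strings) pairs read from the Log Parser TSV output and raise min_count to suit the volume on your endpoints.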

Here is a link to a video about putting this information to work.
