diff --git a/src/detections/security.rs b/src/detections/security.rs
index 7818e7c2..44ce23ae 100644
--- a/src/detections/security.rs
+++ b/src/detections/security.rs
@@ -1,3 +1,4 @@
+use crate::detections::utils;
 use crate::models::event;
 use std::collections::HashMap;
 
@@ -114,12 +115,16 @@ impl Security {
         return Option::Some(v);
     }
 
-    fn process_created(&mut self, event_id: &String, _event_data: &HashMap<String, String>) {
+    fn process_created(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
         if event_id != "4688" {
             return;
         }
-        // TODO Check-Commnad
-        return;
+
+        let commandline = event_data.get("CommandLine").unwrap_or(&self.empty_str);
+        let creator = event_data
+            .get("ParentProcessName")
+            .unwrap_or(&self.empty_str);
+        utils::check_command(4688, &commandline, 1000, 0, &self.empty_str, &creator);
     }
 
     //