2022-07-11 17:48:40 +01:00
|
|
|
title: Suspicious Execution of Hostname
|
2022-01-01 08:42:40 +01:00
|
|
|
id: 7be5fb68-f9ef-476d-8b51-0256ebece19e
|
2023-01-27 06:48:34 +01:00
|
|
|
status: test
|
2022-01-01 08:42:40 +01:00
|
|
|
description: Use of hostname to get information
|
|
|
|
|
references:
|
2022-07-11 17:48:40 +01:00
|
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows
|
2024-07-02 06:00:11 -04:00
|
|
|
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
|
2022-10-28 15:06:36 +02:00
|
|
|
author: frack113
|
2024-08-12 12:02:50 +02:00
|
|
|
date: 2022-01-01
|
2022-10-28 15:06:36 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.discovery
|
|
|
|
|
- attack.t1082
|
2022-01-01 08:42:40 +01:00
|
|
|
logsource:
|
|
|
|
|
category: process_creation
|
|
|
|
|
product: windows
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
2022-09-01 15:22:26 +02:00
|
|
|
Image|endswith: '\HOSTNAME.EXE'
|
2022-01-01 08:42:40 +01:00
|
|
|
condition: selection
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
|
|
|
|
level: low
|
