security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/process_creation/proc_creation_win_susp_hostname.yml
T
frack113 8bb3379b68 Normalization of rule names
2022-02-22 11:16:31 +01:00

23 lines
664 B
YAML
Raw Blame History

title: Suspicious Execution of Hostname
id: 7be5fb68-f9ef-476d-8b51-0256ebece19e
status: experimental
description: Use of hostname to get information
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
date: 2022/01/01
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: \HOSTNAME.EXE
condition: selection
falsepositives:
- Unknown
level: low
tags:
- attack.discovery
- attack.t1082
Reference in New Issue View Git Blame Copy Permalink