Suspicious Execution of Hostname

Sigma Rules

Summary
This rule detects potentially suspicious hostname discovery on Windows hosts using the process creation log source. It matches process images ending in `HOSTNAME.EXE`, the built-in command used to query the system's hostname. Monitoring this executable matters because it is a common early step in reconnaissance: an intruder who has gained a foothold runs it to learn where they have landed before planning further actions. The detection condition matches only the executable name, which keeps the rule narrow, but legitimate hostname lookups by administrators and scripts will still trigger it, so the operational context of each hit must be understood before acting on it. The rule is still in test status and carries a low level; any deployment should account for that and ensure the necessary analysis accompanies each alert.
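The following is an added example, not the rule's own YAML or any Sigma project code: a minimal matcher that mirrors how a process_creation rule with an `Image|endswith` condition is evaluated, run over constructed sample events. It assumes the rule's condition is essentially `Image|endswith: '\hostname.exe'` (the page does not show the YAML) and shows why a case-sensitive port of the condition misses events, plus a simple path check that supports the triage the summary calls for.

```python
# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\HOSTNAME.EXE", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\hostname.exe", "User": r"CORP\svc_backup"},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice"},
    {"Image": r"C:\tools\nothostname.exe", "User": r"CORP\bob"},
    {"Image": r"D:\portable\hostname.exe", "User": r"CORP\bob"},
]

# Assumed rule condition; the leading backslash anchors on the image name so
# that a file merely ending in the same letters (nothostname.exe) is excluded.
SUFFIX = "\\hostname.exe"
EXPECTED_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def image_endswith(event: dict, suffix: str = SUFFIX) -> bool:
    """Sigma-style endswith: string modifiers are case-insensitive by default."""
    return event.get("Image", "").lower().endswith(suffix.lower())


def matches(events: list) -> list:
    """Events the rule fires on."""
    return [e for e in events if image_endswith(e)]


def naive_matches(events: list) -> list:
    """Case-sensitive port of 'ends with HOSTNAME.EXE', as many query languages
    would evaluate it literally; shown only to illustrate what it misses."""
    return [e for e in events if e.get("Image", "").endswith("HOSTNAME.EXE")]


def triage_note(event: dict) -> str:
    """Context hint for an alert: hostname.exe normally lives under System32,
    so a copy running from elsewhere deserves a closer look (assumed heuristic)."""
    image = event.get("Image", "").lower()
    if any(d in image for d in EXPECTED_DIRS):
        return "expected path"
    return "unusual path"


if __name__ == "__main__":
    for e in matches(SAMPLE_EVENTS):
        print("ALERT", e["User"], e["Image"], "->", triage_note(e))
    print("naive hits:", len(naive_matches(SAMPLE_EVENTS)),
          "sigma hits:", len(matches(SAMPLE_EVENTS)))
```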
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1082
Created: 2022-01-01