Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "hostname.exe" or FileName == "hostname.exe" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine has 'hostname' | extend cleanCommandLine = trim('"', ProcessCommandLine) | where cleanCommandLine == 'hostname' or cleanCommandLine == 'cmd.exe /c hostname' or cleanCommandLine == 'powershell -command "hostname"' | project DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime

DeviceProcessEvents | where tolower(FileName) == "hostname.exe" or (tolower(FileName) == "cmd.exe" and ProcessCommandLine matches regex @"hostname(\s|$)") or (tolower(FileName) == "powershell.exe" and ProcessCommandLine matches regex @"hostname(\s|$)") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine contains 'hostname' or ProcessCommandLine contains 'ipconfig /all' or ProcessCommandLine contains 'systeminfo' | project TimeGenerated, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId | order by TimeGenerated desc | take 50

DeviceProcessEvents | where InitiatingProcessCommandLine contains "hostname" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ProcessId, InitiatingProcessFileName

let HostnameCmd = (s:string) { case( s matches regex @"(?i)(^|[\s'""`;&|])hostname(\.exe)?([\s/]|$)", "hostname", s matches regex @"(?i)(^|[\s'""`;&|])ipconfig(\.exe)?(\s+/all)?([\s]|$)", "ipconfig (/all optional)", s matches regex @"(?i)(^|[\s'""`;&|])systeminfo(\.exe)?([\s]|$)", "systeminfo", s matches regex @"(?i)(^|[\s'""`;&|])nbtstat(\.exe)?(\s+-n)?([\s]|$)", "nbtstat (-n optional)", s matches regex @"(?i)(^|[\s'""`;&|])wmic(\.exe)?\s+computersystem\s+get\s+name\b", "wmic computersystem get name", s matches regex @"(?i)(^|[\s'""`;&|])net(\.exe)?\s+config\s+workstation\b", "net config workstation", s matches regex @"(?i)\becho\s+%computername%\b", "echo %COMPUTERNAME%", s matches regex @"(?i)\$env:\s*computername\b", "PowerShell $env:COMPUTERNAME", s matches regex @"(?i)\b(get-item|gi)\s+env:computername\b", "PowerShell Get-Item env:COMPUTERNAME", s matches regex @"(?i)\b(get-childitem|gci)\s+env:computername\b", "PowerShell Get-ChildItem env:COMPUTERNAME", s matches regex @"(?i)\bget-wmiobject\s+win32_computersystem\b", "PowerShell Get-WmiObject Win32_ComputerSystem", s matches regex @"(?i)\bget-ciminstance\s+win32_computersystem\b", "PowerShell Get-CimInstance Win32_ComputerSystem", s matches regex @"(?i)\bget-computerinfo\b", "PowerShell Get-ComputerInfo", s matches regex @"(?i)\[system\.net\.dns\]::gethostname\(\)", ".NET [System.Net.Dns]::GetHostName()", s matches regex @"(?i)\[environment\]::machinename\b", ".NET [Environment]::MachineName", "" ) }; DeviceProcessEvents | where ActionType == "ProcessCreated" | extend BuiltInHostnameCommand = HostnameCmd(tostring(ProcessCommandLine)) | where BuiltInHostnameCommand != "" | extend Interpreter = case( tolower(FileName) in ("cmd.exe", "powershell.exe", "pwsh.exe"), FileName, tolower(FileName) in ("wmic.exe", "hostname.exe", "ipconfig.exe", "systeminfo.exe", "nbtstat.exe", "net.exe"), FileName, FileName ) | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, Interpreter, BuiltInHostnameCommand, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

let startTime = ago(30d); // adjust time range outside or remove if caller will set time range let cmd_events = ( union isfuzzy=true DeviceProcessEvents, DeviceEvents | where TimeGenerated >= startTime | extend raw_cmd = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, FileName, "")) | where isnotempty(raw_cmd) | extend cmd = tolower(raw_cmd) // common hostname discovery patterns | where cmd matches regex @"\bhostname\b" or cmd contains "%computername%" or cmd contains "$env:computername" or cmd matches regex @"\bwmic\s+(computersystem|csproduct)\s+get\b" or cmd contains "systeminfo" or cmd contains "get-ciminstance" or cmd contains "get-wmiobject" or cmd contains "get-computerinfo" or cmd contains "gwmi" or cmd contains "get-computer" // reduce noise: prefer typical launchers (optional) | extend fn = tolower(FileName), ipfn = tolower(InitiatingProcessFileName) | where fn endswith "cmd.exe" or fn endswith "powershell.exe" or fn endswith "pwsh.exe" or fn endswith "wmic.exe" or fn endswith "systeminfo.exe" or ipfn endswith "cmd.exe" or ipfn endswith "powershell.exe" or ipfn endswith "pwsh.exe" | extend detected_command = case( cmd matches regex @"\bhostname\b", "hostname", cmd contains "%computername%" or cmd matches regex @"echo\s+%computername%", "echo %COMPUTERNAME%", cmd contains "$env:computername" or cmd matches regex @"echo\s+\$env:computername", "PowerShell $env:COMPUTERNAME", cmd matches regex @"\bwmic\s+(computersystem|csproduct)\s+get\b", "wmic get name", cmd contains "systeminfo", "systeminfo", cmd contains "get-ciminstance" or cmd contains "get-wmiobject" or cmd contains "gwmi" or cmd contains "get-computerinfo" or cmd contains "get-computer", "PowerShell WMI/CIM", "other") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, detected_command, raw_cmd ); // Summary counts cmd_events | summarize Count = count() by detected_command, DeviceName, AccountName | sort by Count desc | limit 100 ; // Recent raw matches cmd_events | sort by TimeGenerated desc | limit 100

DeviceProcessEvents | where TimeGenerated between (startofday(now(-30d)) .. now()) | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | extend cmd = tolower(coalesce(ProcessCommandLine, InitiatingProcessCommandLine)) | where cmd contains "hostname" or cmd contains "%computername%" or cmd contains "wmic computersystem get name" or cmd contains "systeminfo" or cmd contains "findstr" and cmd contains "host" or cmd contains "get-computername" or cmd contains "get-computerinfo" or cmd contains "get-wmiobject" and cmd contains "computersystem" or cmd matches regex @"\$env:computername" | extend matched = case( cmd contains "hostname", "hostname", cmd contains "%computername%", "echo %COMPUTERNAME%", cmd contains "wmic computersystem get name", "wmic computersystem get name", cmd contains "systeminfo" and cmd contains "host", "systeminfo | findstr", cmd contains "systeminfo", "systeminfo", cmd contains "get-computerinfo", "powershell get-computerinfo", cmd contains "get-computername", "powershell get-computername", cmd contains "get-wmiobject" and cmd contains "computersystem", "powershell get-wmiobject computersystem", cmd matches regex @"\$env:computername", "$env:COMPUTERNAME", "other") | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, FileName, ProcessCommandLine, matched | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count() by DeviceName, DeviceId, AccountDomain, AccountName, InitiatingProcessFileName, matched | order by LastSeen desc | top 100 by LastSeen

let HostPatterns = dynamic(["hostname","echo %computername%","wmic computersystem get name","GetHostName","[System.Net.Dns]::GetHostName()","Get-WmiObject Win32_ComputerSystem","COMPUTERNAME","computername","get-hostname"]); (DeviceProcessEvents | where InitiatingProcessFileName in ("cmd.exe","cmd","powershell.exe","pwsh.exe") | extend cmd_lower = tolower(InitiatingProcessCommandLine) | where cmd_lower contains "hostname" or cmd_lower contains "echo %computername%" or cmd_lower contains "wmic computersystem get name" or cmd_lower contains "gethosthostname" or cmd_lower contains "[system.net.dns]::gethostname()" or cmd_lower contains "get-wmiobject win32_computersystem" or cmd_lower contains "computername" or cmd_lower contains "get-hostname" | extend RevealedCommand = case( cmd_lower contains "hostname", "hostname", cmd_lower contains "echo %computername%", "echo %COMPUTERNAME%", cmd_lower contains "wmic computersystem get name", "wmic computersystem get name", cmd_lower contains "gethosthostname", "GetHostName", cmd_lower contains "[system.net.dns]::gethostname()", "GetHostName", cmd_lower contains "get-hostname", "GetHostName", cmd_lower contains "get-wmiobject win32_computersystem", "Get-WmiObject Win32_ComputerSystem", cmd_lower contains "computername", "COMPUTERNAME", "Other" ) | project TimeGenerated, DeviceName, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessCreationTime, RevealedCommand) | union ( DeviceEvents | where InitiatingProcessFileName in ("cmd.exe","cmd","powershell.exe","pwsh.exe") | extend cmd_lower = tolower(InitiatingProcessCommandLine) | where cmd_lower contains "hostname" or cmd_lower contains "echo %computername%" or cmd_lower contains "wmic computersystem get name" or cmd_lower contains "gethosthostname" or cmd_lower contains "[system.net.dns]::gethostname()" or cmd_lower contains "get-wmiobject win32_computersystem" or cmd_lower contains "computername" or cmd_lower contains "get-hostname" | extend RevealedCommand = case( cmd_lower contains "hostname", "hostname", cmd_lower contains "echo %computername%", "echo %COMPUTERNAME%", cmd_lower contains "wmic computersystem get name", "wmic computersystem get name", cmd_lower contains "gethosthostname", "GetHostName", cmd_lower contains "[system.net.dns]::gethostname()", "GetHostName", cmd_lower contains "get-hostname", "GetHostName", cmd_lower contains "get-wmiobject win32_computersystem", "Get-WmiObject Win32_ComputerSystem", cmd_lower contains "computername", "COMPUTERNAME", "Other" ) | project TimeGenerated, DeviceName, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessCreationTime, RevealedCommand) | sort by TimeGenerated desc | take 200

let StartTime = ago(7d); DeviceProcessEvents | where TimeGenerated between (StartTime .. now()) | extend CmdLine = iif(isnotempty(InitiatingProcessCommandLine), tostring(InitiatingProcessCommandLine), tostring(ProcessCommandLine)) | where tolower(CmdLine) contains "hostname" or (tolower(CmdLine) contains "echo" and tolower(CmdLine) contains "%computername%") | extend HostnameRevealMethod = iif(tolower(CmdLine) contains "hostname", "hostname", "echo %computername%") | project TimeGenerated, DeviceId, DeviceName, CmdLine, HostnameRevealMethod, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCreationTime | summarize Count = count() by HostnameRevealMethod, CmdLine, DeviceName, DeviceId | top 20 by Count

DeviceProcessEvents | where ProcessCommandLine has_cs 'hostname' | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc | limit 50

DeviceProcessEvents | where (FileName == 'hostname.exe') or (ProcessCommandLine contains 'hostname' and (FileName endswith 'cmd.exe' or FileName endswith 'powershell.exe')) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FileName | order by TimeGenerated desc | limit 100

DeviceProcessEvents | where ActionType in ("CreateProcess", "ProcessCreated") | where FileName in~ ("hostname.exe", "cmd.exe", "powershell.exe") | where tolower(ProcessCommandLine) has "hostname" | order by TimeGenerated desc | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, InitiatingProcessAccountName | limit 100

DeviceProcessEvents | where TimeGenerated >= ago(7d) | where ActionType in ("CreateProcess", "ProcessCreated") | where FileName in~ ("hostname.exe", "systeminfo.exe") or (FileName in~ ("cmd.exe", "powershell.exe") and ProcessCommandLine has_any ("hostname", "%computername%", "systeminfo")) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessId | order by TimeGenerated desc | limit 100

DeviceProcessEvents | where ProcessCommandLine contains "hostname" | where tolower(InitiatingProcessFileName) in ("cmd.exe", "powershell.exe") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, ProcessId, InitiatingProcessId | top 100 by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessCommandLine has "hostname" | project TimeGenerated, DeviceName, FileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | extend lowerCmd = tolower(ProcessCommandLine) | where ( FileName in ("hostname.exe", "systeminfo.exe", "wmic.exe", "net.exe", "cmd.exe") and ( lowerCmd contains "hostname" or lowerCmd contains "systeminfo" or (FileName == "wmic.exe" and lowerCmd contains "computersystem get name") or (FileName == "net.exe" and lowerCmd contains "config workstation") or (FileName == "cmd.exe" and lowerCmd contains "%computername%") ) ) | extend ExecutedCommand = case( lowerCmd contains "hostname", "hostname", lowerCmd contains "systeminfo", "systeminfo", lowerCmd contains "computersystem get name", "wmic computersystem get name", lowerCmd contains "config workstation", "net config workstation", lowerCmd contains "%computername%", "echo %computername%", "other" ) | where ExecutedCommand != "other" | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, ExecutedCommand, ProcessCommandLine | sort by TimeGenerated desc