splApache-2.0from splunk/security_content
Windows Hosts File Access
This Analytic detects the execution of a process attempting to access the hosts file. The hosts file is a critical file for network configuration and DNS resolution. If an attacker gains access to it, they can redirect traffic to malicious websites, serve fake content or block legitimate security websites.
Quality
3
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_hosts_file_access.yml
`wineventlog_security`
EventCode=4663
object_file_path="*:\\Windows\\System32\\drivers\\etc\\hosts"
NOT process_path IN (
"*:\\Windows\\explorer.exe",
"*:\\Windows\\System32\\lsass.exe",
"*:\\Windows\\System32\\SearchIndexer.exe",
"*:\\Windows\\System32\\services.exe",
"*:\\Windows\\System32\\svchost.exe",
"*:\\Windows\\SysWow64\\SearchIndexer.exe",
"*:\\Windows\\SysWow64\\svchost.exe"
)
| stats count
by _time object_file_path object_file_name dest process_name
process_path process_id EventCode
| eval process_path = lower(process_path)
| lookup browser_process_and_path browser_process_path as process_path OUTPUT is_valid_browser_path
| eval is_valid_browser_path=coalesce(is_valid_browser_path,"false")
| where is_valid_browser_path = "false"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_hosts_file_access_filter`