Hosts File Modified

Last updated 5 days ago on 2026-01-29

Created 6 years ago on 2020-07-07

About

The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.

Tags

Domain: EndpointOS: LinuxOS: WindowsOS: macOSUse Case: Threat DetectionTactic: ImpactData Source: Elastic DefendLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Impact (TA0040)(external, opens in a new tab or window)

↳ Data Manipulation (T1565)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

auditbeat-*winlogbeat-*logs-endpoint.events.*logs-windows.*

Related Integrations

endpoint(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

Query

✄𐘗text code block:
✄𐘗any where process.executable != null and

  /* file events for creation; file change events are not captured by some of the included sources for linux and so may
     miss this, which is the purpose of the process + command line args logic below */
  (
   event.category == "file" and event.type in ("change", "creation") and event.action != "rename" and
     file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and 
     not process.name in ("dockerd", "rootlesskit", "podman", "crio") and
     not process.executable : ("C:\\Program Files\\Fortinet\\FortiClient\\FCDBLog.exe",
                               "C:\\Program Files\\Fortinet\\FortiClient\\FortiWF.exe",
                               "C:\\Program Files\\Fortinet\\FortiClient\\fmon.exe",
                               "C:\\Program Files\\Seqrite\\Seqrite\\SCANNER.EXE",
                               "C:\\Windows\\System32\\SearchProtocolHost.exe",
                               "C:\\Windows\\Temp\\*.ins\\inst.exe",
                               "C:\\Windows\\System32\\svchost.exe",
                               "C:\\Program Files\\NordVPN\\nordvpn-service.exe",
                               "C:\\Program Files\\Tailscale\\tailscaled.exe",
                               "C:\\Program Files\\Docker\\Docker\\com.docker.service",
                               "C:\\Program Files\\Docker\\Docker\\InstallerCli.exe",
                               "C:\\Program Files\\Quick Heal\\Quick Heal AntiVirus Pro\\scanner.exe",
                               "C:\\Program Files (x86)\\Quick Heal AntiVirus Pro\\SCANNER.EXE",
                               "C:\\Program Files\\Quick Heal\\Quick Heal Internet Security\\scanner.exe",
                               "C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe",
                               "/opt/IBM/InformationServer/Server/DSEngine/bin/uvsh",
                               "/usr/local/demisto/server", 
                               "/usr/local/bin/defender")
  )
  or

  /* process events for change targeting linux only */
  (
   event.category == "process" and event.type in ("start") and
     process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and
     (process.args : ("/etc/hosts") or (process.working_directory == "/etc" and process.args == "hosts")) and 
     not process.parent.name in ("dhclient-script", "google_set_hostname") and
     not process.command_line == "sed -i /Added by Google/d /etc/hosts"
  )

Install detection rules in Elastic Security

Detect Hosts File Modified in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).