{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/hosts-file/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["hosts-file","dns-redirection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis analytic focuses on detecting unauthorized attempts to access the Windows hosts file, a critical component for network configuration and DNS resolution. Attackers frequently target this file to manipulate DNS resolution, redirecting users to malicious websites, serving fake content, or blocking access to legitimate security resources. The detection mechanism relies on monitoring Windows Event Log Security (event code 4663) for file access events targeting the hosts file, typically located at \u003ccode\u003eC:\\Windows\\System32\\drivers\\etc\\hosts\u003c/code\u003e. It excludes commonly used processes such as explorer.exe, lsass.exe, SearchIndexer.exe, services.exe, svchost.exe to reduce false positives. This detection is crucial because unauthorized modification of the hosts file can lead to severe security breaches, including phishing attacks and data theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through a vulnerability, compromised credentials, or social engineering. (T1189)\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to obtain the necessary permissions to modify the hosts file. (T1068)\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or tool to access the hosts file located at \u003ccode\u003eC:\\Windows\\System32\\drivers\\etc\\hosts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the hosts file to redirect legitimate domain names to malicious IP addresses controlled by the attacker. (T1012)\u003c/li\u003e\n\u003cli\u003eWhen a user attempts to access a legitimate website, the modified hosts file redirects the request to the attacker's server.\u003c/li\u003e\n\u003cli\u003eThe attacker's server serves malicious content, such as a phishing page or malware, to the unsuspecting user.\u003c/li\u003e\n\u003cli\u003eThe user unknowingly provides sensitive information or downloads malware, leading to further compromise of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which may include stealing credentials, gaining unauthorized access to sensitive data, or establishing a persistent foothold on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the hosts file allows attackers to redirect network traffic, leading to phishing attacks, malware distribution, and denial of service. Victims may unknowingly visit malicious websites, providing attackers with sensitive information like credentials or financial data. This attack can affect any user on the compromised system and can spread to other systems if the attacker uses the compromised system as a launching point. Depending on the level of access, the impact can range from individual data theft to widespread corporate network compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026quot;Audit Object Access\u0026quot; in Group Policy and track event code 4663 in the Windows Security Event logs, as described in the \u0026quot;how_to_implement\u0026quot; section. This is critical for visibility into hosts file access attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious Hosts File Access\u0026quot; to your SIEM to identify unauthorized access attempts to the hosts file.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026quot;Detect Suspicious Hosts File Access\u0026quot; and correlate with other security events to determine the scope and impact of the attack.\u003c/li\u003e\n\u003cli\u003ePeriodically review and update the exclusion list in the Sigma rule \u0026quot;Detect Suspicious Hosts File Access\u0026quot; to account for legitimate software that may access the hosts file.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-hosts-file-access/","summary":"This analytic detects processes attempting to access the Windows hosts file, enabling attackers to redirect traffic to malicious sites or block legitimate security websites by modifying DNS resolution.","title":"Detection of Unauthorized Windows Hosts File Access","url":"https://feed.craftedsignal.io/briefs/2024-01-03-hosts-file-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Hosts-File","version":"https://jsonfeed.org/version/1.1"}