<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Hosts-File - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/hosts-file/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/hosts-file/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detection of Unauthorized Windows Hosts File Access</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-hosts-file-access/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-hosts-file-access/</guid><description>This analytic detects processes attempting to access the Windows hosts file, enabling attackers to redirect traffic to malicious sites or block legitimate security websites by modifying DNS resolution.</description><content:encoded><![CDATA[<p>This analytic focuses on detecting unauthorized attempts to access the Windows hosts file, a critical component for network configuration and DNS resolution. Attackers frequently target this file to manipulate DNS resolution, redirecting users to malicious websites, serving fake content, or blocking access to legitimate security resources. The detection mechanism relies on monitoring Windows Event Log Security (event code 4663) for file access events targeting the hosts file, typically located at <code>C:\Windows\System32\drivers\etc\hosts</code>. It excludes commonly used processes such as explorer.exe, lsass.exe, SearchIndexer.exe, services.exe, svchost.exe to reduce false positives. This detection is crucial because unauthorized modification of the hosts file can lead to severe security breaches, including phishing attacks and data theft.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system through a vulnerability, compromised credentials, or social engineering. (T1189)</li>
<li>The attacker elevates privileges to obtain the necessary permissions to modify the hosts file. (T1068)</li>
<li>The attacker uses a script or tool to access the hosts file located at <code>C:\Windows\System32\drivers\etc\hosts</code>.</li>
<li>The attacker modifies the hosts file to redirect legitimate domain names to malicious IP addresses controlled by the attacker. (T1012)</li>
<li>When a user attempts to access a legitimate website, the modified hosts file redirects the request to the attacker's server.</li>
<li>The attacker's server serves malicious content, such as a phishing page or malware, to the unsuspecting user.</li>
<li>The user unknowingly provides sensitive information or downloads malware, leading to further compromise of the system.</li>
<li>The attacker achieves their objective, which may include stealing credentials, gaining unauthorized access to sensitive data, or establishing a persistent foothold on the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of the hosts file allows attackers to redirect network traffic, leading to phishing attacks, malware distribution, and denial of service. Victims may unknowingly visit malicious websites, providing attackers with sensitive information like credentials or financial data. This attack can affect any user on the compromised system and can spread to other systems if the attacker uses the compromised system as a launching point. Depending on the level of access, the impact can range from individual data theft to widespread corporate network compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &quot;Audit Object Access&quot; in Group Policy and track event code 4663 in the Windows Security Event logs, as described in the &quot;how_to_implement&quot; section. This is critical for visibility into hosts file access attempts.</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious Hosts File Access&quot; to your SIEM to identify unauthorized access attempts to the hosts file.</li>
<li>Investigate any alerts generated by the Sigma rule &quot;Detect Suspicious Hosts File Access&quot; and correlate with other security events to determine the scope and impact of the attack.</li>
<li>Periodically review and update the exclusion list in the Sigma rule &quot;Detect Suspicious Hosts File Access&quot; to account for legitimate software that may access the hosts file.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>hosts-file</category><category>dns-redirection</category><category>windows</category></item></channel></rss>