Windows hosts file modification

Original Source: [splunk source]
Name:Windows hosts file modification
id:06a6fc63-a72d-41dc-8736-7e3dd9612116
version:3
date:2024-10-17
author:Rico Valdez, Splunk
status:deprecated
type:TTP
Description:The search looks for modifications to the hosts file on all Windows endpoints across your environment.
Data_source:
  - Sysmon EventID 11
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\System32\\*
| `drop_dm_object_name(Filesystem)`
| `windows_hosts_file_modification_filter`


how_to_implement:To successfully implement this search, you must be ingesting data that records file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. Note that Sysmon Event ID 11 (FileCreate) is recorded when a file is created or overwritten, so an editor that rewrites the file is captured, while an in-place append may not be; validate this against your own Sysmon configuration or EDR product before relying on the search. The path filter *Windows\\System32\\* is deliberately broad and matches the standard location %SystemRoot%\System32\drivers\etc\hosts.
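The following PowerShell script is an added validation aid, not part of the Splunk content or of this rule (which ships with no test). It exercises the two common ways the hosts file gets modified, an in-place append and a full rewrite, and then applies the same predicate as the SPL (file name hosts under *\Windows\System32\*) to Sysmon Event ID 11 records from the local log, so you can see which modification method your Sysmon configuration actually reports before trusting the data model. Assumptions: a lab VM, an elevated session, Sysmon installed with a FileCreate rule covering the hosts file, the standard channel name Microsoft-Windows-Sysmon/Operational, and the default hosts path. The marker line it appends is a constructed comment and is removed again by the rewrite phase.

```powershell
# Added validation script; not the Splunk rule's own code. Run as Administrator
# in a lab VM with Sysmon installed. Assumed: standard Sysmon channel name and
# hosts path, and a Sysmon config that logs FileCreate (Event ID 11) for hosts.

function Get-HostsFileCreateEvents {
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [string]$LogName = 'Microsoft-Windows-Sysmon/Operational'   # assumed channel name
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 11; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten <Data Name="..."> elements into a hashtable: Image, TargetFilename, ...
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $target = $data['TargetFilename']
        # Same predicate as the SPL; PowerShell -eq/-like are case-insensitive, as Splunk's
        # field matching is, so C:\WINDOWS\... and C:\Windows\... both match.
        if ($target -and (Split-Path $target -Leaf) -eq 'hosts' -and $target -like '*\Windows\System32\*') {
            [pscustomobject]@{
                TimeCreated    = $e.TimeCreated
                Image          = $data['Image']
                TargetFilename = $target
            }
        }
    }
}

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# hosts-detection-test ' + [guid]::NewGuid()   # constructed, harmless comment line
$original  = Get-Content -Path $HostsPath                     # keep a copy to restore from

# Phase 1: append in place (what `echo ... >> hosts` or Add-Content does).
$t1 = Get-Date
Add-Content -Path $HostsPath -Value $Marker -Encoding ASCII
Start-Sleep -Seconds 3                                        # let Sysmon write the event
$appendHits = @(Get-HostsFileCreateEvents -Since $t1)

# Phase 2: rewrite the whole file (what Notepad or Set-Content does).
# This also restores the original content, removing the marker line.
$t2 = Get-Date
Set-Content -Path $HostsPath -Value $original -Encoding ASCII
Start-Sleep -Seconds 3
$rewriteHits = @(Get-HostsFileCreateEvents -Since $t2)

'Append  -> {0} Event ID 11 record(s)' -f $appendHits.Count
'Rewrite -> {0} Event ID 11 record(s)' -f $rewriteHits.Count
$all = $appendHits + $rewriteHits
if ($all.Count -gt 0) {
    $all | Format-Table -AutoSize
} else {
    Write-Warning "No Event ID 11 for $HostsPath in either phase; check the Sysmon FileCreate rules."
}
```

If only the rewrite phase produces a record, the search will catch editor-based changes but miss scripted appends, and you should look at whether your EDR source populates Endpoint.Filesystem for those writes instead.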
known_false_positives:There may be legitimate reasons for system administrators to add entries to this file, for example to pin internal host names or to block unwanted domains, and configuration-management or security tooling may rewrite it as well. Tune such sources out via the `windows_hosts_file_modification_filter` macro rather than disabling the search.
References:
drilldown_searches:
tags:
  analytic_story:
    - 'Host Redirection'
  asset_type:Endpoint
  confidence:50
  impact:50
  message:tbd
  observable:
    - name:'dest'
      type:'Hostname'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:endpoint

tests:
manual_test:None

Related Analytic Stories

Host Redirection