rta/hosts_file_modify.py

# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.

# Name: Hosts File Modified
# RTA: hosts_file_modify.py
# ATT&CK: T1492
# Description: Modifies the hosts file

import os
import random
import time
from pathlib import Path
from string import ascii_letters

from . import RtaMetadata, common

metadata = RtaMetadata(
    uuid="f24491d0-720b-4150-a2a1-45b5b07238aa",
    platforms=["windows", "linux", "macos"],
    endpoint=[],
    siem=[{"rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "rule_name": "Hosts File Modified"}],
    techniques=["T1565"],
)


def main():
    hosts_files = {
        common.WINDOWS: "C:\\Windows\\system32\\drivers\\etc\\hosts",
        common.LINUX: "/etc/hosts",
        common.MACOS: "/private/etc/hosts",
    }
    hosts_file = hosts_files[common.CURRENT_OS]

    backup = Path(hosts_file + "_backup").resolve()
    common.log("Backing up original 'hosts' file.")
    common.copy_file(hosts_file, backup)

    # add randomness for diffs for FIM module
    randomness = "".join(random.sample(ascii_letters, 10))
    entry = [
        "",
        "# RTA hosts_modify was here",
        "# 8.8.8.8 https://www.{random}.google.com".format(random=randomness),
    ]
    with open(hosts_file, "a") as f:
        f.write("\n".join(entry))

    common.log("Updated hosts file")
    with open(hosts_file, "r") as f:
        common.log(f.read())

    time.sleep(2)

    # cleanup
    common.log("Restoring hosts from backup copy.")
    common.copy_file(backup, hosts_file)
    os.remove(backup)


if __name__ == "__main__":
    exit(main())
[New Rule] Hosts File Modified (#25 ) 2020-09-30 18:24:07 -05:00			`# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`# or more contributor license agreements. Licensed under the Elastic License`
			`# 2.0; you may not use this file except in compliance with the Elastic License`
			`# 2.0.`
[New Rule] Hosts File Modified (#25 ) 2020-09-30 18:24:07 -05:00
			`# Name: Hosts File Modified`
			`# RTA: hosts_file_modify.py`
			`# ATT&CK: T1492`
			`# Description: Modifies the hosts file`

			`import os`
			`import random`
			`import time`
[Bug] Updated os.path calls to pathlib (#3110 ) 2023-09-28 16:32:55 -04:00			`from pathlib import Path`
[New Rule] Hosts File Modified (#25 ) 2020-09-30 18:24:07 -05:00			`from string import ascii_letters`

[Bug] Updated os.path calls to pathlib (#3110 ) 2023-09-28 16:32:55 -04:00			`from . import RtaMetadata, common`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00
			`metadata = RtaMetadata(`
			`uuid="f24491d0-720b-4150-a2a1-45b5b07238aa",`
			`platforms=["windows", "linux", "macos"],`
			`endpoint=[],`
			`siem=[{"rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "rule_name": "Hosts File Modified"}],`
			`techniques=["T1565"],`
			`)`
[New Rule] Hosts File Modified (#25 ) 2020-09-30 18:24:07 -05:00

			`def main():`
			`hosts_files = {`
			`common.WINDOWS: "C:\\Windows\\system32\\drivers\\etc\\hosts",`
			`common.LINUX: "/etc/hosts",`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`common.MACOS: "/private/etc/hosts",`
[New Rule] Hosts File Modified (#25 ) 2020-09-30 18:24:07 -05:00			`}`
			`hosts_file = hosts_files[common.CURRENT_OS]`

[Bug] Updated os.path calls to pathlib (#3110 ) 2023-09-28 16:32:55 -04:00			`backup = Path(hosts_file + "_backup").resolve()`
[New Rule] Hosts File Modified (#25 ) 2020-09-30 18:24:07 -05:00			`common.log("Backing up original 'hosts' file.")`
			`common.copy_file(hosts_file, backup)`

			`# add randomness for diffs for FIM module`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`randomness = "".join(random.sample(ascii_letters, 10))`
[New Rule] Hosts File Modified (#25 ) 2020-09-30 18:24:07 -05:00			`entry = [`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`"",`
			`"# RTA hosts_modify was here",`
			`"# 8.8.8.8 https://www.{random}.google.com".format(random=randomness),`
[New Rule] Hosts File Modified (#25 ) 2020-09-30 18:24:07 -05:00			`]`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`with open(hosts_file, "a") as f:`
			`f.write("\n".join(entry))`
[New Rule] Hosts File Modified (#25 ) 2020-09-30 18:24:07 -05:00
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`common.log("Updated hosts file")`
			`with open(hosts_file, "r") as f:`
[New Rule] Hosts File Modified (#25 ) 2020-09-30 18:24:07 -05:00			`common.log(f.read())`

			`time.sleep(2)`

			`# cleanup`
			`common.log("Restoring hosts from backup copy.")`
			`common.copy_file(backup, hosts_file)`
			`os.remove(backup)`


			`if __name__ == "__main__":`
			`exit(main())`