[New Rule] Hosts File Modified (#25)
@@ -0,0 +1,54 @@
|
||||
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License;
|
||||
# you may not use this file except in compliance with the Elastic License.
|
||||
|
||||
# Name: Hosts File Modified
|
||||
# RTA: hosts_file_modify.py
|
||||
# ATT&CK: T1492
|
||||
# Description: Modifies the hosts file
|
||||
|
||||
import os
|
||||
import random
|
||||
import time
|
||||
|
||||
from string import ascii_letters
|
||||
|
||||
from . import common
|
||||
|
||||
|
||||
def main():
|
||||
hosts_files = {
|
||||
common.WINDOWS: "C:\\Windows\\system32\\drivers\\etc\\hosts",
|
||||
common.LINUX: "/etc/hosts",
|
||||
common.MACOS: "/private/etc/hosts"
|
||||
}
|
||||
hosts_file = hosts_files[common.CURRENT_OS]
|
||||
|
||||
backup = os.path.abspath(hosts_file + '_backup')
|
||||
common.log("Backing up original 'hosts' file.")
|
||||
common.copy_file(hosts_file, backup)
|
||||
|
||||
# add randomness for diffs for FIM module
|
||||
randomness = ''.join(random.sample(ascii_letters, 10))
|
||||
entry = [
|
||||
'',
|
||||
'# RTA hosts_modify was here',
|
||||
'# 8.8.8.8 https://www.{random}.google.com'.format(random=randomness)
|
||||
]
|
||||
with open(hosts_file, 'a') as f:
|
||||
f.write('\n'.join(entry))
|
||||
|
||||
common.log('Updated hosts file')
|
||||
with open(hosts_file, 'r') as f:
|
||||
common.log(f.read())
|
||||
|
||||
time.sleep(2)
|
||||
|
||||
# cleanup
|
||||
common.log("Restoring hosts from backup copy.")
|
||||
common.copy_file(backup, hosts_file)
|
||||
os.remove(backup)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
exit(main())
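Review bot: The restore of the original hosts file at the end of `main` (`common.copy_file(backup, hosts_file)` followed by `os.remove(backup)`) only runs if every preceding statement succeeds; if the append to `hosts_file`, the read-back, or the two-second `time.sleep` is cut short by an exception or an interrupt, the endpoint is left with a tampered `/etc/hosts` (or its Windows/macOS equivalent) and a stray `hosts_backup` file in the system directory. For a test harness that deliberately breaks name resolution the cleanup should be unconditional, so the modification and read-back belong in a `try`/`finally` whose `finally` holds the existing restore lines, as sketched below. `main` starts and ends inside this hunk. Minor: `exit(main())` relies on the `site`-installed `exit` helper, which is absent under `python -S`; `sys.exit(main())` is the portable form.
```python
    # … unchanged: hosts_files table, backup copy, randomness and entry construction …
    try:
        with open(hosts_file, 'a') as f:
            f.write('\n'.join(entry))

        common.log('Updated hosts file')
        with open(hosts_file, 'r') as f:
            common.log(f.read())

        time.sleep(2)
    finally:
        # always put the original hosts file back, even if the write or read-back failed
        common.log("Restoring hosts from backup copy.")
        common.copy_file(backup, hosts_file)
        os.remove(backup)
```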
|
||||
@@ -0,0 +1,43 @@
|
||||
[metadata]
|
||||
creation_date = "2020/07/07"
|
||||
ecs_version = ["1.6.0"]
|
||||
maturity = "production"
|
||||
updated_date = "2020/07/07"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first
|
||||
point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic
|
||||
to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or
|
||||
RHEL) and macOS systems.
|
||||
"""
|
||||
index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Hosts File Modified"
|
||||
note = "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml."
|
||||
references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"]
|
||||
risk_score = 47
|
||||
rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Linux", "Windows", "macOS"]
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.category:file and event.type:(change or creation) and file.path:("/private/etc/hosts" or "/etc/hosts" or "C:\Windows\System32\drivers\etc\hosts")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1492"
|
||||
name = "Stored Data Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1492/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0040"
|
||||
name = "Impact"
|
||||
reference = "https://attack.mitre.org/tactics/TA0040/"
|
||||