diff --git a/rta/hosts_file_modify.py b/rta/hosts_file_modify.py
new file mode 100644
index 000000000..79fb121bd
--- /dev/null
+++ b/rta/hosts_file_modify.py
@@ -0,0 +1,54 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License;
+# you may not use this file except in compliance with the Elastic License.
+
+# Name: Hosts File Modified
+# RTA: hosts_file_modify.py
+# ATT&CK: T1492
+# Description: Modifies the hosts file
+
+import os
+import random
+import time
+
+from string import ascii_letters
+
+from . import common
+
+
+def main():
+ hosts_files = {
+ common.WINDOWS: "C:\\Windows\\system32\\drivers\\etc\\hosts",
+ common.LINUX: "/etc/hosts",
+ common.MACOS: "/private/etc/hosts"
+ }
+ hosts_file = hosts_files[common.CURRENT_OS]
+
+ backup = os.path.abspath(hosts_file + '_backup')
+ common.log("Backing up original 'hosts' file.")
+ common.copy_file(hosts_file, backup)
+
+ # add randomness for diffs for FIM module
+ randomness = ''.join(random.sample(ascii_letters, 10))
+ entry = [
+ '',
+ '# RTA hosts_modify was here',
+ '# 8.8.8.8 https://www.{random}.google.com'.format(random=randomness)
+ ]
+ with open(hosts_file, 'a') as f:
+ f.write('\n'.join(entry))
+
+ common.log('Updated hosts file')
+ with open(hosts_file, 'r') as f:
+ common.log(f.read())
+
+ time.sleep(2)
+
+ # cleanup
+ common.log("Restoring hosts from backup copy.")
+ common.copy_file(backup, hosts_file)
+ os.remove(backup)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
new file mode 100644
index 000000000..adf029f66
--- /dev/null
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
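Review bot: The restore of the hosts file at the end of main() is not guaranteed: if the append through `open(hosts_file, 'a')` or the read-back raises (a PermissionError when the RTA is not run with sufficient privilege is the obvious case), the function exits with the `_backup` copy left next to the live file and, if the write partially succeeded, the host's real hosts file still modified. Wrap everything from the `# add randomness for diffs for FIM module` comment through `time.sleep(2)` in `try:` and move the three `# cleanup` lines (`common.copy_file(backup, hosts_file)` and `os.remove(backup)`) into a `finally:` so the restore runs on every exit path. It is also worth a comment on the `entry` list stating that the appended lines are deliberately `#`-prefixed so the test never changes live name resolution, since a reader seeing `8.8.8.8` and a google.com hostname may otherwise assume the RTA redirects traffic. Minor: `exit(main())` relies on the site-module `exit` builtin; `sys.exit(main())` is the portable form, which would need `import sys` alongside the other imports.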
@@ -0,0 +1,43 @@
+[metadata]
+creation_date = "2020/07/07"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/07/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first
+point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic
+to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or
+RHEL) and macOS systems.
+"""
+index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License"
+name = "Hosts File Modified"
+note = "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml."
+references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"]
+risk_score = 47
+rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
+severity = "medium"
+tags = ["Elastic", "Linux", "Windows", "macOS"]
+type = "query"
+
+query = '''
+event.category:file and event.type:(change or creation) and file.path:("/private/etc/hosts" or "/etc/hosts" or "C:\Windows\System32\drivers\etc\hosts")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1492"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1492/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
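Review bot: The Windows path in `query` is spelled `C:\Windows\System32\drivers\etc\hosts` with a capital S, while the RTA added in this same commit writes to `C:\\Windows\\system32\\drivers\\etc\\hosts`; if `file.path` is mapped as a keyword field (the ECS default), KQL equality on it is case-sensitive and an event that records the path with the lowercase spelling would not fire the rule, so the RTA would not validate it. Either add the alternate spelling as a further `or` term, e.g. `... or "C:\Windows\System32\drivers\etc\hosts" or "C:\Windows\system32\drivers\etc\hosts")`, or confirm against real winlogbeat, auditbeat and endpoint events how the path is normalized before relying on an exact-string match; the `note` line showing the auditbeat path with forward slashes (`C:/Windows/System32/drivers/etc`) is one more reason to check the recorded form. Separately, `event.type:(change or creation)` covers in-place edits and new files but not a hosts file that is replaced by deleting and recreating it, which would need `deletion` on the same path if that is meant to be in scope; a short comment in `note` stating what modification patterns the query is and is not expected to catch would help tuning later.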