Update impact_hosts_file_modified.toml (#5655)

Samirbous
2026-01-29 17:02:14 +00:00
committed by GitHub
parent fa56ae556e
commit efd1756d49
@@ -2,7 +2,7 @@
creation_date = "2020/07/07"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/12/11"
updated_date = "2026/01/29"
[rule]
author = ["Elastic"]
@@ -87,18 +87,23 @@ any where process.executable != null and
file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and
not process.name in ("dockerd", "rootlesskit", "podman", "crio") and
not process.executable : ("C:\\Program Files\\Fortinet\\FortiClient\\FCDBLog.exe",
"C:\\Program Files\\Fortinet\\FortiClient\\FortiWF.exe",
"C:\\Program Files\\Fortinet\\FortiClient\\fmon.exe",
"C:\\Program Files\\Seqrite\\Seqrite\\SCANNER.EXE",
"C:\\Windows\\System32\\SearchProtocolHost.exe",
"C:\\Windows\\Temp\\*.ins\\inst.exe",
"C:\\Windows\\System32\\svchost.exe",
"C:\\Program Files\\NordVPN\\nordvpn-service.exe",
"C:\\Program Files\\Tailscale\\tailscaled.exe",
"C:\\Program Files\\Docker\\Docker\\com.docker.service",
"C:\\Program Files\\Docker\\Docker\\InstallerCli.exe",
"C:\\Program Files\\Quick Heal\\Quick Heal AntiVirus Pro\\scanner.exe",
"C:\\Program Files (x86)\\Quick Heal AntiVirus Pro\\SCANNER.EXE",
"C:\\Program Files\\Quick Heal\\Quick Heal Internet Security\\scanner.exe",
"C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe",
"/opt/IBM/InformationServer/Server/DSEngine/bin/uvsh",
"/usr/local/demisto/server")
"/usr/local/demisto/server",
"/usr/local/bin/defender")
)
or