From aaa16ce621e44812cdbadc9b5696f71340a249cf Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Fri, 11 Apr 2025 17:54:04 +0200
Subject: [PATCH] feat(rules): Suspicious access to the hosts file
Identifies suspicious process accessing the Windows hosts file for potential tampering. Adversaries can hijack the hosts files to block traffic to download/update servers or redirect the traffic to arbitrary servers under their control.
---
 ...on_suspicious_access_to_the_hosts_file.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
diff --git a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
new file mode 100644
index 000000000..d9c728e2a
--- /dev/null
+++ b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
@@ -0,0 +1,37 @@
+name: Suspicious access to the hosts file
+id: f7b2c9d3-99e7-41d5-bb4a-6ea1a5f7f9e2
+version: 1.0.0
+description: >
+ Identifies suspicious process accessing the Windows hosts file for potential tampering.
+ Adversaries can hijack the hosts files to block traffic to download/update servers or redirect the
+ traffic to arbitrary servers under their control.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1562.001
+ technique.name: Impair Defenses - Disable or Modify Tools
+ technique.ref: https://attack.mitre.org/techniques/T1562/001/
+references:
+ - https://www.malwarebytes.com/blog/news/2016/09/hosts-file-hijacks
+
+condition: >
+ sequence
+ maxspan 5m
+ |spawn_process and not ps.child.exe imatches
+ (
+ '?:\\Windows\\servicing\\TrustedInstaller.exe',
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\System32\\MicrosoftEdgeUpdate.exe',
+ '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'
+ )
+ | by ps.child.uuid
+ |open_file and file.path imatches '?:\\Windows\\System32\\drivers\\etc\\hosts'| by ps.uuid
+action:
+ - name: kill
+
+output: >
+ Suspicious process %1.ps.child.exe accessed the hosts file for potential tampering
+severity: medium
+
+min-engine-version: 2.2.0
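Review bot: The second sequence stage `open_file and file.path imatches '?:\\Windows\\System32\\drivers\\etc\\hosts'` appears to match any open of the hosts file regardless of requested access, so a plain read by a browser, resolver, backup agent or security product launched within the window is enough to trigger the `kill` action against it; if the engine exposes the requested access or file operation, the condition should be narrowed to write/modify access, otherwise the action should be an alert rather than `kill` until the exclusion list has been tuned on real telemetry. The `maxspan 5m` window also means a process that opens the hosts file more than five minutes after it was spawned, or that was already running when the rule was loaded, is never matched, which is a coverage gap worth stating in the description so operators do not assume full coverage. The exclusions are matched on image path only, so the rule's precision depends on those paths staying trustworthy; a short comment naming why each of the four images is excluded would help future tuning. Finally, the description text `Identifies suspicious process accessing` should read `Identifies a suspicious process accessing`.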