Hosts File Modification custom alert

Hi everyone!

My team and I are working on a use case to detect the modification of the hosts file.

We have built a custom rule to detect this from the process creation event log. But when the user already has a text editor open and decides to open the hosts file from it, the alert doesn't trigger because there is no process start log.

We thought about using Sysmon event 11, which logs file creation and modification. But sadly the Agent doesn't work with event 11.

Has anyone thought about monitoring the modification of the hosts file?

Thanks.


Hi @rascarza

Same here… I have been trying to find patterns using this Sysmon simulator, but there is no way to reach some event IDs…

GitHub - ScarredMonk/SysmonSimulator: Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.

Would be nice if Rapid7 shed some light on this

This is currently a request for enhancement to our FIM functionality, since our FIM for Windows only monitors files with a set list of extensions, and the hosts file has no extension, so it is excluded.

As far as workarounds go, I'm not aware of anything outside of using some other tool, such as NXLog, to pull in the relevant event logs.

We have the following (very basic) rule in place that does not key off of process start. Could this be adapted to your needs?

from(
  event_type = "file_modification"
)
where(
  file_event
    IN [
      "delete",
      "write",
      "modify"
    ]
)

Update: Sorry, I missed the part about this being a Windows system. Good catch, David.

Since the FIM log set is only written to by the agent for the following file extensions, the modification to the hosts file would never appear:

  • .bat
  • .cfg
  • .conf
  • .config
  • .dll
  • .exe
  • .ini
  • .sys

https://docs.rapid7.com/insightidr/file-integrity-monitoring/#extensions-monitored

We are having the same issue. However, a bit more detail here: what we can perfectly well do is use a GPO and enable auditing on specific files (in this case the hosts file). This is even written to the Event Viewer in the Security log, so the agent would be able to pick this up. However, the agent is simply ignoring this, and there is no way to include this event ID in the agent (very frustrating!).

We are now using auditing on shares and have created a query to monitor the hosts file through there. It's not perfect and will only show up if an attacker edits the hosts file remotely. The disadvantage of this solution is a large intake of logs which would be totally unnecessary if we could add the event ID mentioned above.
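The per-file auditing approach described in the previous post, written out as an added example (this is not code from the thread or from Rapid7): it sets a SACL on the hosts file, enables the File System object-access subcategory, and then pulls the resulting Security event ID 4663 records for that path. It assumes an elevated PowerShell session on the monitored host and the default hosts path; the function name Get-HostsFileWriteEvents is my own. Because 4663 carries the ProcessName of the handle owner, it identifies the editor even when that editor was already running before the file was opened, which is the gap the process-start rule leaves. The output is what a forwarder such as NXLog would need to ship if the agent itself will not collect the event.

```powershell
# Added example, not part of the original thread. Assumes an elevated session.
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. Enable the "File System" object-access subcategory. The same setting can
#    be delivered by GPO under Advanced Audit Policy Configuration.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry auditing successful write/append/delete by anyone.
#    Read access is deliberately left out to keep the log volume down.
$acl    = Get-Acl -Path $HostsPath -Audit
$rights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::AppendData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
              "Everyone", $rights,
              [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $HostsPath -AclObject $acl

# 3. Pull 4663 events whose ObjectName is the hosts file. Fields are read from
#    the event XML by name rather than by positional index so the mapping does
#    not depend on the property order of the 4663 template.
function Get-HostsFileWriteEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

        if ($data['ObjectName'] -ieq $HostsPath) {
          [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process    = $data['ProcessName']      # editor that held the handle
            AccessMask = $data['AccessMask']       # 0x2 WriteData, 0x4 AppendData, 0x10000 DELETE
            ObjectName = $data['ObjectName']
          }
        }
      }
}

Get-HostsFileWriteEvents | Format-Table -AutoSize
```

Two caveats when tuning a rule on this: some editors save by writing a temporary file and renaming it over the original, which shows up as a delete (0x10000) on the hosts path rather than a write, so the rule should match both masks; and 4663 is emitted per handle access, so a single save can produce several events that the downstream rule should collapse on ProcessId and ObjectName.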