Techniques
Sample rules
Windows hosts file modification
- source: splunk
- technicques:
Description
The search looks for modifications to the hosts file on all Windows endpoints across your environment.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\System32\\*
| `drop_dm_object_name(Filesystem)`
| `windows_hosts_file_modification_filter`