Windows Hosts File Access

name: Windows Hosts File Access
id: b34bcf35-5380-4b00-b208-5531303fb751
version: 4
creation_date: '2026-03-16'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: |
    This Analytic detects the execution of a process attempting to access the hosts file.
    The hosts file is a critical file for network configuration and DNS resolution.
    If an attacker gains access to it, they can redirect traffic to malicious websites, serve fake content or block legitimate security websites.
data_source:
    - Windows Event Log Security 4663
search: |
    `wineventlog_security`
    EventCode=4663
    object_file_path="*:\\Windows\\System32\\drivers\\etc\\hosts"
    NOT process_path IN (
        "*:\\Windows\\explorer.exe",
        "*:\\Windows\\System32\\lsass.exe",
        "*:\\Windows\\System32\\SearchIndexer.exe",
        "*:\\Windows\\System32\\services.exe",
        "*:\\Windows\\System32\\svchost.exe",
        "*:\\Windows\\SysWow64\\SearchIndexer.exe",
        "*:\\Windows\\SysWow64\\svchost.exe"
    )
    | stats count
        by _time object_file_path object_file_name dest process_name
           process_path process_id EventCode
    | eval process_path = lower(process_path)
    | lookup browser_process_and_path browser_process_path as process_path OUTPUT is_valid_browser_path
    | eval is_valid_browser_path=coalesce(is_valid_browser_path,"false")
    | where is_valid_browser_path = "false"
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_hosts_file_access_filter`
how_to_implement: |
    To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file.
known_false_positives: Administrator may access this registry for product key recovery purposes.
references:
    - https://cert.gov.ua/article/6284730
drilldown_searches:
    - name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: A [$process_name$] attempting to access the hosts file [$object_file_path$] on [$dest$].
threat_objects:
    - field: process_name
      type: process_name
analytic_story:
    - BlankGrabber Stealer
    - Gh0st RAT
asset_type: Endpoint
mitre_attack_id:
    - T1012
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1012/host_file_accessed/hosts_accessed.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit