
Insider Threat Matrix™

  • ID: DT138
  • Created: 31st July 2025
  • Updated: 31st July 2025
  • Platforms: Windows, Linux
  • Contributor: The ITM Team

Modification of etc/hosts File

A File Integrity Monitoring (FIM) solution, or manual inspection of the “hosts” file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux), could provide evidence of tampering. The file's Modified timestamp can give insight into when the most recent change was made.

 

A subject may attempt to prevent DNS resolution by telling the operating system to resolve a domain name to localhost (127.0.0.1), which could impair a security agent's ability to transmit telemetry.
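The check described above can be scripted. The following is an added example, not part of the ITM entry: it parses hosts-file content and reports watched telemetry hostnames that resolve to a loopback or unspecified address, which generalizes the 127.0.0.1 case to 127.0.0.0/8, ::1, 0.0.0.0 and ::. The domain names in `WATCHED` and the `SAMPLE` content are constructed placeholders.

```python
import ipaddress
import os
from datetime import datetime, timezone

# Hypothetical telemetry domains; replace with the endpoints your agents use.
WATCHED = {"telemetry.edr.example", "siem-ingest.example"}

def is_sinkhole(addr):
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # strip IPv6 zone id
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_sinkholed(hosts_text, watched=WATCHED):
    """Return (line_no, address, hostname) for watched names sent to a sinkhole."""
    watched = {w.lower().rstrip(".") for w in watched}
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if any(host == w or host.endswith("." + w) for w in watched):
                hits.append((line_no, fields[0], host))
    return hits

def last_modified_utc(path):
    """Modified timestamp of the hosts file, for correlation with other events."""
    return datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)

# Constructed sample hosts content
SAMPLE = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 127.0.0.1 telemetry.edr.example   (commented out, ignored)
127.0.0.1   Telemetry.EDR.example
0.0.0.0     eu.siem-ingest.example intranet.example
10.0.0.5    siem-ingest.example
"""

if __name__ == "__main__":
    for hit in find_sinkholed(SAMPLE):
        print("suspicious entry: line %d, %s -> %s" % hit)
```

The last sample line maps a watched name to a routable address, so this check does not flag it; any hosts entry for a telemetry domain is still worth reviewing.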