- ID: DT138
- Created: 31st July 2025
- Updated: 31st July 2025
- Platforms: Windows, Linux
- Contributor: The ITM Team
Modification of etc/hosts File
Using a File Integrity Monitoring (FIM) solution or manually inspecting the “hosts” file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux) could provide evidence of tampering. The Modified timestamp can give insight into when the most recent change to this file was made.
A subject may attempt to prevent DNS resolution by telling the operating system to resolve a domain name to localhost (127.0.0.1), which could impair a security agent's ability to transmit telemetry.
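The manual inspection described above can be scripted. The following is an added example, not part of the original detection: it reports the hosts file's Modified timestamp and lists names pinned to a loopback address. It goes slightly beyond the page by also treating ::1 and 0.0.0.0 as sinkhole targets, and the `BENIGN_NAMES` baseline and function names are assumptions to adapt per build.

```python
import ipaddress
import os
import platform
import socket
from datetime import datetime, timezone

# Default hosts file locations named on this page.
HOSTS_PATH = (r"C:\Windows\System32\drivers\etc\hosts"
              if platform.system() == "Windows" else "/etc/hosts")

# Names that legitimately point at loopback (assumed baseline; extend per build).
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                "ip6-loopback", "broadcasthost"}


def find_sinkholed_names(hosts_text, local_hostname=""):
    """Return (line_no, address, name) for every name pinned to a loopback or
    unspecified address that is not in the expected baseline."""
    benign = BENIGN_NAMES | {local_hostname.lower()}
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0].split("%")[0])  # strip zone id
        except ValueError:
            continue  # first field is not an IP address; skip the line
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in fields[1:]:
            if name.lower() not in benign:
                findings.append((line_no, str(addr), name.lower()))
    return findings


def hosts_last_modified(path=HOSTS_PATH):
    """Modified timestamp of the hosts file as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).isoformat()


if __name__ == "__main__":
    with open(HOSTS_PATH, encoding="utf-8-sig", errors="replace") as fh:
        hits = find_sinkholed_names(fh.read(), socket.gethostname())
    print("hosts file last modified (UTC):", hosts_last_modified())
    for line_no, addr, name in hits:
        print(f"line {line_no}: {name} -> {addr}")
```

Compare any reported names against the domains your security agents use for telemetry and updates, and correlate the Modified timestamp with the subject's session activity.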