← Back to Explore
jamf_protectinformationalTTP
Host File modification
This detection functions by monitoring for modifications made to the /etc/hosts file path.
Detection Query
$event.isModified == 1 AND $event.path ==[cd] "/private/etc/hosts"Author
Jamf
Data Sources
File System EventsmacOS Endpoint Security
Platforms
macos
Tags
VisibilitySystem Tampering
Raw Content
---
name: HostFileModification
uuid: 7eea8332-eeb4-416f-92d8-cccef960f678
longDescription: This detection functions by monitoring for modifications made to the /etc/hosts file path.
level: 0
inputType: GPFSEvent
tags:
snapshotFiles: []
filter: $event.isModified == 1 AND
$event.path ==[cd] "/private/etc/hosts"
actions:
- name: Log
context: []
categories:
- Visibility
- System Tampering
version: 1
severity: Informational
shortDescription: The /etc/hosts file has been modified.
label: Host File modification
remediation: Review which process was responsible for modifying the host file to determine if it's legitimate or unsafe behavior.
MitreCategories:
- Visibility