forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hosts_file_modify.py
55 lines (42 loc) · 1.42 KB
/
hosts_file_modify.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
# Name: Hosts File Modified
# RTA: hosts_file_modify.py
# ATT&CK: T1492
# Description: Modifies the hosts file
import os
import random
import time
from string import ascii_letters
from . import common
def main():
hosts_files = {
common.WINDOWS: "C:\\Windows\\system32\\drivers\\etc\\hosts",
common.LINUX: "/etc/hosts",
common.MACOS: "/private/etc/hosts"
}
hosts_file = hosts_files[common.CURRENT_OS]
backup = os.path.abspath(hosts_file + '_backup')
common.log("Backing up original 'hosts' file.")
common.copy_file(hosts_file, backup)
# add randomness for diffs for FIM module
randomness = ''.join(random.sample(ascii_letters, 10))
entry = [
'',
'# RTA hosts_modify was here',
'# 8.8.8.8 https://www.{random}.google.com'.format(random=randomness)
]
with open(hosts_file, 'a') as f:
f.write('\n'.join(entry))
common.log('Updated hosts file')
with open(hosts_file, 'r') as f:
common.log(f.read())
time.sleep(2)
# cleanup
common.log("Restoring hosts from backup copy.")
common.copy_file(backup, hosts_file)
os.remove(backup)
if __name__ == "__main__":
exit(main())