Unexpected Etc Hosts

osquery
Unexpected /etc/hosts entries
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Unexpected /etc/hosts entries
--
-- false positives:
--   * developers adding entries for their own use
--
-- references:
--   * https://attack.mitre.org/techniques/T1565/001/ (Data Manipulation: Stored Data Manipulation)
--
-- tags: persistent seldom filesystem net
SELECT
  *
FROM
  etc_hosts
WHERE
  hostnames NOT IN (
    'ip6-allnodes',
    'ip6-allrouters',
    'kubernetes',
    'localhost ip6-localhost ip6-loopback',
    'localhost localhost.localdomain localhost4 localhost4.localdomain4',
    'localhost'
  )
  AND address NOT IN (
    '::1',
    'ff02::1',
    'ff02::2',
    '255.255.255.255',
    'fe00::0',
    'ff00::0'
  )
  AND address NOT LIKE '127.%'
  AND address NOT LIKE '172.%'
  AND address NOT LIKE '192.168.%'
  AND address NOT LIKE '10.%'
  AND hostnames NOT LIKE '%.%-%.%.dev'
  AND hostnames NOT LIKE '%.internal'
  AND hostnames NOT LIKE '%.local'
  AND hostnames NOT LIKE '%.svc'
  AND hostnames NOT LIKE '%.test'
  AND hostnames NOT LIKE '%.wtf'
  AND hostnames NOT LIKE '%k8s%'
  AND hostnames NOT LIKE '%local%'
  AND hostnames NOT LIKE 'ip6-%'
  AND hostnames NOT LIKE 'localhost.%'
  AND hostnames NOT LIKE '%.cloud'
  AND hostnames NOT LIKE '%.example.com'

Reference

https://github.com/chainguard-dev/osquery-defense-kit