MITRE ATT&CK: T1565.001 Data Manipulation: Stored Data Manipulation; T1568 Dynamic Resolution; T1036 Masquerading
Malicious activity was detected on host WilsonPRD (IP address 172.16.17.34). The activity involved execution of a Python script named update.py on the endpoint.
The alert SOC116 DNS Hijacking Detected triggered after the script update.py (MD5 307b47d1217f267a47cee8dd86c2f191) modified the system hosts file to map github.com to the malicious IP address 49.233.160.217. Because the hosts file is consulted before any DNS query is sent, this overrides name resolution for github.com on the host itself: no DNS request leaves the machine, so resolver and DNS-server logs show nothing, and any connection the host makes to github.com is delivered to the attacker's IP, where traffic can be intercepted or manipulated. Endpoint analysis confirmed the script was running and had performed the modification.
Feb 06 2021 12:42 PM
Source Hostname: WilsonPRD
Source IP Address: 172.16.17.34
Affected resource: hosts file on endpoint
Redirected domain: github.com
Malicious IP: 49.233.160.217
The alert was triggered by an unauthorized modification of name resolution via the hosts file, a well-known technique for local DNS hijacking and traffic redirection. Investigation confirmed that HTTP requests intended for github.com were delivered to the malicious IP address, so the redirection was effective, not merely attempted. The activity is classified as a true positive malware incident. The affected endpoint was isolated to prevent further traffic interception or credential compromise; the hosts file should be restored to its baseline and update.py removed before the host is returned to service, since the hijack persists for as long as the entry remains.
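The detection logic behind an alert like SOC116, as an added example that is not part of the original report or of any vendor's product: it parses a hosts file, ignores the benign loopback/0.0.0.0 "blackhole" mappings that ad-blockers and developers commonly add, and flags any watched domain that has been pointed at a routable address. The watchlist and the sample hosts content are constructed for this example; the github.com entry mirrors the modification described above.

```python
import ipaddress
import platform
from typing import Iterable, List, Tuple

# Constructed watchlist: domains whose hosts-file mapping should never appear
# on a workstation. In practice, seed this from your inventory of critical
# SaaS, source-control and software-update domains.
WATCHLIST = {"github.com", "www.github.com", "api.github.com"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs from hosts-file text.

    Blank lines, comment lines and inline '#' comments are skipped, as are
    lines whose first field is not a valid IPv4/IPv6 address.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not an address
        for name in names:
            entries.append((name.lower(), ip))
    return entries


def find_hijacks(entries: Iterable[Tuple[str, str]],
                 watchlist: Iterable[str] = WATCHLIST) -> List[Tuple[str, str]]:
    """Return watched hostnames that resolve to a routable address.

    Mappings to 127.0.0.1, ::1 or 0.0.0.0 are the usual benign 'blackhole'
    pattern and are not reported. Anything else for a watched domain is a
    local name-resolution override and warrants triage, whether the target
    is a public IP (as in this incident) or an internal one.
    """
    watched = {w.lower() for w in watchlist}
    hits: List[Tuple[str, str]] = []
    for name, ip in entries:
        if name not in watched:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((name, ip))
    return hits


def default_hosts_path() -> str:
    """Location of the system hosts file for the current OS."""
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


# Constructed sample: a normal hosts file with the github.com override added.
SAMPLE_HOSTS = """\
# Hosts file (constructed sample for this example)
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example.net          # ad-blocker blackhole, benign
49.233.160.217 github.com www.github.com
"""


if __name__ == "__main__":
    # Run against the embedded sample; swap in open(default_hosts_path()).read()
    # to check the live file on an endpoint.
    for host, ip in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"ALERT: {host} overridden in hosts file -> {ip}")
```

On a live endpoint the same check would be scheduled or, better, driven by a file-integrity monitor event on the hosts file, since the override produces no DNS traffic to alert on. Loopback and 0.0.0.0 targets are deliberately excluded so the rule does not fire on every ad-blocking hosts list.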