MITRE ATT&CK® Analytic

AN0824: Analytic 0824

Detects unauthorized edits to /etc/hosts, /etc/resolv.conf, or suspicious ARP broadcasts. Correlates file modifications with subsequent unexpected network sessions or service creation.

Enterprise · AN0824 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because changes to Linux name-resolution files or suspicious ARP activity can redirect systems to the wrong destinations, disrupt service connectivity, or create misleading network paths during an incident. For leaders, the decision value is not the file names themselves; it is whether the organization can quickly prove when critical Linux hosts had their local routing or resolution behavior changed and whether that change was followed by unexpected network activity.

Executive priority

Prioritize this where Linux systems support critical services, administrative infrastructure, or regulated workloads. Executives should ask whether SOC and IR teams can show evidence for unauthorized changes to /etc/hosts and /etc/resolv.conf, suspicious ARP broadcasts, and any follow-on unexpected sessions or service creation. This supports resilience, audit readiness, and incident decision-making because these signals can indicate local network redirection or unauthorized configuration change even when higher-level application logs appear normal.

Technical view

For Linux coverage, validate monitoring for file modifications to /etc/hosts and /etc/resolv.conf, suspicious ARP broadcasts, and correlation with later unexpected network sessions or service creation. Because the official detection logic is not provided, teams should define local baselines for legitimate configuration management, DHCP/DNS resolver updates, host provisioning, and administrative maintenance. The strongest value comes from correlating file-change events with network and service activity rather than alerting on every edit in isolation.

Likely telemetry

  • Linux file integrity or audit telemetry for /etc/hosts and /etc/resolv.conf
  • Process and user context for file modification events
  • Network telemetry showing ARP broadcasts
  • Network session logs from affected Linux hosts
  • Service creation or service management logs on Linux systems

Detection direction

  • Confirm that file modification monitoring includes both /etc/hosts and /etc/resolv.conf on relevant Linux hosts.
  • Correlate edits with subsequent unexpected network sessions or service creation, as described by the analytic, to reduce noise from routine administration.
  • Tune expected activity from configuration management tools, resolver updates, host provisioning, and approved maintenance windows.
  • Investigate events more aggressively when the modifying user, process, host role, or timing is inconsistent with normal operations.
  • Check for blind spots on unmanaged Linux systems, ephemeral workloads, or hosts without audit, file integrity, ARP, or network session telemetry.
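The correlation the technical view and the detection direction call for, as an added example (not the MITRE analytic's own query and not Glexia's tooling): it parses constructed event lines in an assumed normalized schema (`timestamp host kind key=value ...`), suppresses resolver-file edits made by an assumed local baseline of expected editors, attaches any network session or service creation on the same host within a ten-minute window to the remaining edits, and separately flags ARP announcements that rebind an already-seen IP to a new MAC. The process names in `EXPECTED_EDITORS`, the window length, and the sample hosts and addresses are all assumptions to be tuned locally.

```python
"""Correlate Linux name-resolution file edits with follow-on activity.

Added example for this page; it is not the MITRE analytic's own query or
Glexia's tooling. The event lines below are constructed and use an
assumed normalized schema (timestamp host kind key=value ...), not any
real product's log format.
"""
from datetime import datetime, timedelta

WATCHED_FILES = {"/etc/hosts", "/etc/resolv.conf"}

# Local baseline (assumed): processes that legitimately rewrite resolver
# files on these hosts. Tune to your DHCP/DNS and config-management setup.
EXPECTED_EDITORS = {
    "/usr/sbin/NetworkManager",
    "/usr/lib/systemd/systemd-resolved",
    "/usr/bin/dhclient",
}
FOLLOW_ON_KINDS = {"net_session", "service_create"}
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry: one expected resolver update, one unexpected
# edit with follow-on activity, one unexpected edit with no follow-on, and
# an ARP announcement that changes the MAC for an already-seen IP.
SAMPLE_LOG = """\
2026-03-01T09:00:00 web01 file_write path=/etc/resolv.conf exe=/usr/sbin/NetworkManager user=root
2026-03-01T09:05:00 web01 net_session dest=10.0.0.53:53 exe=/usr/bin/curl user=www-data
2026-03-01T13:12:10 db02 file_write path=/etc/hosts exe=/usr/bin/vi user=deploy
2026-03-01T13:14:30 db02 net_session dest=203.0.113.7:443 exe=/usr/bin/python3 user=deploy
2026-03-01T13:15:02 db02 service_create path=updater.service exe=/usr/bin/systemctl user=deploy
2026-03-01T15:00:00 app03 file_write path=/etc/hosts exe=/usr/bin/sed user=root
2026-03-01T18:00:00 app03 net_session dest=10.0.0.9:22 exe=/usr/bin/ssh user=root
2026-03-01T13:10:00 sensor arp_announce ip=10.0.0.1 mac=aa:bb:cc:00:00:01
2026-03-01T13:11:40 sensor arp_announce ip=10.0.0.1 mac=de:ad:be:ef:00:02
"""


def parse_events(text):
    """Turn the constructed log text into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *kvs = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
        ev.update(kv.split("=", 1) for kv in kvs)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate_file_edits(events, window=CORRELATION_WINDOW, expected=EXPECTED_EDITORS):
    """Flag edits to watched files by unexpected processes and attach any
    network session or service creation on the same host within `window`."""
    findings = []
    for edit in events:
        if edit["kind"] != "file_write" or edit.get("path") not in WATCHED_FILES:
            continue
        if edit.get("exe") in expected:
            continue  # baseline activity: suppressed rather than alerted
        deadline = edit["ts"] + window
        follow_on = [
            e for e in events
            if e["host"] == edit["host"] and e["kind"] in FOLLOW_ON_KINDS
            and edit["ts"] < e["ts"] <= deadline
        ]
        findings.append({
            "host": edit["host"],
            "path": edit["path"],
            "editor": edit.get("exe"),
            "user": edit.get("user"),
            "follow_on": [(e["kind"], e.get("dest") or e.get("path")) for e in follow_on],
            # Edit plus follow-on activity is the analytic's high-value signal;
            # an isolated unexpected edit is queued for lower-priority review.
            "severity": "high" if follow_on else "low",
        })
    return findings


def detect_arp_conflicts(events):
    """Flag ARP announcements that rebind an already-seen IP to a new MAC.
    Legitimate failover also triggers this, so review it alongside the
    file-edit findings rather than alerting on it alone."""
    seen, conflicts = {}, []
    for e in events:
        if e["kind"] != "arp_announce":
            continue
        prev = seen.get(e["ip"])
        if prev and prev != e["mac"]:
            conflicts.append({"ts": e["ts"], "ip": e["ip"], "old_mac": prev, "new_mac": e["mac"]})
        seen[e["ip"]] = e["mac"]
    return conflicts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in correlate_file_edits(evs):
        print(f["severity"].upper(), f["host"], f["path"], "by", f["editor"], "->", f["follow_on"])
    for c in detect_arp_conflicts(evs):
        print("ARP rebind", c["ip"], c["old_mac"], "->", c["new_mac"])
```

On the sample data the NetworkManager update on web01 is suppressed by the baseline, the vi edit on db02 is rated high because an outbound session and a new service unit follow within the window, and the sed edit on app03 is rated low because its only later network activity falls three hours outside the window. In production the event source would be auditd watch rules on the two files plus connection and service-manager telemetry, and the window and editor baseline would come from the local change-control process rather than the constants above.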

Mitigation priorities

  • Establish ownership and change-control expectations for Linux name-resolution files on critical hosts.
  • Restrict and monitor privileged access capable of modifying system network configuration files.
  • Use configuration management or file integrity monitoring to detect and validate approved state for /etc/hosts and /etc/resolv.conf.
  • Ensure SOC playbooks include correlation of local file changes, ARP activity, network sessions, and service creation.
  • Review telemetry retention and collection coverage so incident responders can reconstruct changes after the fact.

Analyst notes and limits

The supplied object is a detection analytic for Linux. Its description focuses on unauthorized edits to /etc/hosts and /etc/resolv.conf, suspicious ARP broadcasts, and correlation with unexpected network sessions or service creation. No tactic, technique relationship, adversary relationship, or official detection query was supplied, so this take emphasizes validation and operational readiness rather than specific ATT&CK technique mapping.

Official detection content and relationship context were not provided. This summary does not assert active exploitation, attribution, impact, or guaranteed coverage. Local baselines, asset criticality, logging configuration, and approved administrative workflows are required to determine alert severity and response priority.

Official MITRE ATT&CK definition

Analytic 0824

Detects unauthorized edits to /etc/hosts, /etc/resolv.conf, or suspicious ARP broadcasts. Correlates file modifications with subsequent unexpected network sessions or service creation.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: fbde0e82250443ee...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | fbde0e822504…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0824 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.