Detection Library
Severity: high · Status: experimental · Platform: Linux · Cloud: OCI · ATT&CK: T1565.001

Linux Agent Modifying Hosts File

Detects AI agent processes writing to /etc/hosts, which could redirect DNS resolution to attacker-controlled infrastructure or disable security tool connectivity.

Updated Jan 10, 2025 · OCI AI Security Team

Tags: agentic-ai · tool-misuse · hosts-file · dns-hijack · linux · oci · owasp-asi02

Problem Statement

Modification of /etc/hosts allows an attacker to redirect any hostname to a malicious IP, enabling man-in-the-middle attacks against OCI API endpoints, security update servers, or internal services. This is a high-impact action that has no legitimate use case for an AI agent.

Sample Logs

{"timestamp":"2025-01-10T08:30:15Z","computer_name":"oci-worker-08","user":"root","image":"/usr/bin/python3","target_filename":"/etc/hosts","event_type":"file_modify"}

Required Fields

image
target_filename
user
computer_name

False Positives

  • Configuration management tools (Ansible, Chef) that run via Python and update /etc/hosts as part of infrastructure provisioning

Tuning Guidance

This is a very low-volume event; all modifications should be investigated. Suppress only changes made by known configuration management service accounts during scheduled provisioning windows.
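The following is an added worked example of this detection and its tuning rule, written for this page; it is not the OCI AI Security Team's rule implementation. It reads JSON file-modification events of the shape shown under Sample Logs, fires on any write to /etc/hosts that carries the required fields, and marks an alert as suppressed only when the user is a known configuration-management service account acting inside a scheduled provisioning window. The service-account names, the window, and all events other than the first are constructed assumptions. The rule deliberately does not filter on `image`: per the tuning guidance every modification is worth a look, so the image is carried into the alert for the analyst rather than used to narrow the match.

```python
import json
from datetime import datetime, time, timezone

# Constructed sample events. The first is the page's sample log; the rest are
# added here to exercise the suppression path and a non-matching file.
SAMPLE_EVENTS = [
    '{"timestamp":"2025-01-10T08:30:15Z","computer_name":"oci-worker-08","user":"root",'
    '"image":"/usr/bin/python3","target_filename":"/etc/hosts","event_type":"file_modify"}',
    '{"timestamp":"2025-01-10T02:15:00Z","computer_name":"oci-worker-03","user":"svc-ansible",'
    '"image":"/usr/bin/python3","target_filename":"/etc/hosts","event_type":"file_modify"}',
    '{"timestamp":"2025-01-10T14:05:42Z","computer_name":"oci-worker-03","user":"svc-ansible",'
    '"image":"/usr/bin/python3","target_filename":"/etc/hosts","event_type":"file_modify"}',
    '{"timestamp":"2025-01-10T09:00:00Z","computer_name":"oci-worker-08","user":"root",'
    '"image":"/usr/bin/python3","target_filename":"/tmp/notes.txt","event_type":"file_modify"}',
]

# Hypothetical tuning knobs (assumptions, not values from the detection page):
# service accounts used by config management, and their provisioning window (UTC).
CM_SERVICE_ACCOUNTS = {"svc-ansible", "svc-chef"}
PROVISIONING_WINDOW = (time(1, 0), time(4, 0))  # 01:00 <= t < 04:00 UTC

# Fields the page lists as required for the rule to evaluate.
REQUIRED_FIELDS = ("image", "target_filename", "user", "computer_name")
WATCHED_FILE = "/etc/hosts"


def in_provisioning_window(timestamp: str) -> bool:
    """True if the ISO-8601 timestamp falls inside the scheduled window (UTC)."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    t = dt.astimezone(timezone.utc).time()
    start, end = PROVISIONING_WINDOW
    return start <= t < end


def evaluate(event: dict):
    """Return an alert dict for a hosts-file write, or None if the event does not fire."""
    if any(field not in event for field in REQUIRED_FIELDS):
        return None  # cannot evaluate without the required fields
    if event["target_filename"] != WATCHED_FILE or event.get("event_type") != "file_modify":
        return None
    # Suppress only known CM service accounts during the provisioning window;
    # everything else, including root, is left for investigation.
    suppressed = (
        event["user"] in CM_SERVICE_ACCOUNTS
        and in_provisioning_window(event["timestamp"])
    )
    return {
        "rule": "Linux Agent Modifying Hosts File",
        "severity": "high",
        "technique": "T1565.001",
        "host": event["computer_name"],
        "user": event["user"],
        "image": event["image"],
        "timestamp": event["timestamp"],
        "suppressed": suppressed,
    }


def run(lines):
    """Evaluate JSON event lines; returns every alert, suppressed ones flagged."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than crash the pipeline
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


def actionable(lines):
    """Only the alerts an analyst should triage (suppressed ones removed)."""
    return [a for a in run(lines) if not a["suppressed"]]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        state = "SUPPRESSED" if alert["suppressed"] else "ALERT"
        print(f"{state}: {alert['timestamp']} {alert['host']} {alert['user']} {alert['image']}")
```

On the constructed events this yields three hosts-file matches: the root write at 08:30 and the svc-ansible write at 14:05 are actionable, while the svc-ansible write at 02:15 is suppressed because it falls inside the window; the /tmp write never matches. Keeping suppressed alerts in the output rather than dropping them preserves the audit trail the tuning guidance implies for a low-volume rule.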