Microsoft Security Intelligence
Published Jan 14, 2020 | Updated Aug 07, 2020

SettingsModifier:Win32/HostsFileHijack

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

This detection flags suspicious modifications to the Windows hosts file, specifically entries for certain domains used by the operating system and critical services. Windows uses the hosts file to resolve domains to IP addresses during network communication, so malicious modifications can prevent legitimate network connections, such as updates and certificate checks, or result in insecure and potentially harmful connections.

Hosts file tampering is a common malware or attacker technique used to prevent or redirect network connections. An attacker might modify the file to block legitimate connections or to divert network traffic to a destination controlled by the attacker, resulting in the download of additional malware or other malicious activity.
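
The following added example (not Microsoft's detection logic) audits hosts-file content and reports entries that either block or redirect a watched domain, the two outcomes described above. The watch list, the sample file content and all function names are assumptions; this page does not enumerate the protected domains.

```python
import ipaddress

# Assumed watch list: the page does not enumerate the protected domains.
WATCHED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "crl.microsoft.com")

# Constructed sample hosts-file content (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# constructed sample, not taken from a real host
127.0.0.1       localhost
0.0.0.0         download.windowsupdate.com   # sinkholed
203.0.113.10    crl.microsoft.com www.example.test
not-an-ip       update.microsoft.com
10.0.0.5        intranet.example.test
"""

def is_watched(host):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def classify(addr):
    """'blocked' for loopback/unspecified sinks, 'redirected' for any other address."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"

def audit_hosts(text):
    """Return (line number, hostname, address, effect) for each watched entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address with no name
        addr, names = fields[0], fields[1:]
        try:
            effect = classify(addr)
        except ValueError:
            continue  # first field is not an IP address, so not a usable mapping
        findings += [(lineno, n.lower(), addr, effect) for n in names if is_watched(n)]
    return findings

if __name__ == "__main__":
    # On a Windows host, pass the contents of the system hosts file instead.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```
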

If this change was made without your or your organization’s knowledge, then the entry was likely set by malware or an attacker.

Microsoft Defender Antivirus automatically removes threats as they are detected and blocks any attempt to modify the hosts file to insert entries for specific, protected domains. When it remediates this threat, it will reset the hosts file to default, removing any existing entries. Updating your antimalware definitions and running a full scan might help address remnant threat artifacts.

If this change was intended by you or your organization, then please know that the hosts file is not a supported method of managing network connections to Windows devices. Read about supported methods to manage your network connections.
