Windows Hosts File Access

Splunk Security Content

Summary
This anomaly rule detects attempts by a process to access the Windows hosts file (typically C:\Windows\System32\drivers\etc\hosts) using Security Event Log 4663 (Object Access). It filters for an object_file_path matching the hosts file and excludes a set of common legitimate system processes (e.g., explorer.exe, lsass.exe, SearchIndexer.exe, services.exe, svchost.exe, and their SysWOW64 equivalents). The rule then compares the initiating process_path against a browser_path lookup (browser_process_and_path) to determine whether the access was performed by a known browser; if the path is not recognized as a valid browser path (is_valid_browser_path = false), the event is flagged. The detection aggregates results by time and key fields, records firstTime and lastTime via security_content_ctime, and applies an existing hosts-file-access filter. The intent is to identify potential attempts to modify the hosts file for traffic redirection or phishing (e.g., redirecting to malicious sites or blocking access to security sites). The rule is categorized as an endpoint detection and references MITRE ATT&CK context (T1012 in its metadata). The associated risk-based alert (RBA) emphasizes a non-browser process attempting to access the hosts file on the destination host, which could indicate malware or an attacker's attempt to subvert DNS resolution or host-based controls.
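The following is an added Python model of the filtering and aggregation logic described above; it is not the rule's own SPL, and the sample 4663 events, the browser lookup rows and the exclusion list are constructed here for illustration only.

```python
from collections import defaultdict

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Processes the summary says the rule excludes; matched on file name here so the
# System32 and SysWOW64 copies are both covered (a simplification for the example).
EXCLUDED_NAMES = {"explorer.exe", "lsass.exe", "searchindexer.exe", "services.exe", "svchost.exe"}

# Stand-in for the browser_process_and_path lookup: browser name -> expected install path.
# Constructed rows, not the lookup shipped with the rule.
BROWSER_LOOKUP = {
    "chrome.exe": r"c:\program files\google\chrome\application\chrome.exe",
    "msedge.exe": r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

def is_valid_browser_path(process_path, lookup=BROWSER_LOOKUP):
    """True when the process runs from the path the lookup expects for that browser name."""
    path = process_path.lower()
    return lookup.get(path.rsplit("\\", 1)[-1]) == path

def detect(events, lookup=BROWSER_LOOKUP):
    """Apply the rule's filters to 4663 events and aggregate hits with firstTime/lastTime."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for e in events:
        if e["EventCode"] != 4663 or e["object_file_path"].lower() != HOSTS_PATH.lower():
            continue                                   # not an access to the hosts file
        proc = e["process_path"].lower()
        if proc.rsplit("\\", 1)[-1] in EXCLUDED_NAMES:
            continue                                   # allow-listed system process
        if is_valid_browser_path(proc, lookup):
            continue                                   # known browser at its expected path
        g = groups[(e["dest"], e["user"], proc, e["object_file_path"])]
        g["count"] += 1
        g["firstTime"] = e["_time"] if g["firstTime"] is None else min(g["firstTime"], e["_time"])
        g["lastTime"] = e["_time"] if g["lastTime"] is None else max(g["lastTime"], e["_time"])
    return [dict(zip(("dest", "user", "process_path", "object_file_path"), k), **v)
            for k, v in sorted(groups.items())]

def ev(t, proc, obj=HOSTS_PATH, code=4663):
    """Build a constructed 4663-style event (times are epoch seconds)."""
    return {"_time": t, "EventCode": code, "dest": "WS01", "user": "alice",
            "process_path": proc, "object_file_path": obj}

SAMPLE_EVENTS = [
    ev(1000, r"C:\Windows\System32\svchost.exe"),                        # excluded system process
    ev(1010, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),  # browser at expected path
    ev(1020, r"C:\Users\Public\chrome.exe"),                             # browser name, wrong path: flagged
    ev(1030, r"C:\Users\Public\updater.exe"),                            # non-browser process: flagged
    ev(1040, r"C:\Users\Public\updater.exe"),                            # second hit, same group
    ev(1050, r"C:\Users\Public\updater.exe", r"C:\Users\alice\notes.txt"),  # other file, ignored
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The third sample event shows why the rule checks the path rather than just the process name: a file named like a browser but running from an unexpected location is still flagged.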
Categories
  • Endpoint
  • Windows
Data Sources
  • Application Log
ATT&CK Techniques
  • T1012
Created: 2026-03-03