# Hosts File

## Overview

**Evidence:** Hosts\
**Description:** Dump Hosts File\
**Category:** Network\
**Platform:** windows\
**Short Name:** hosts\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

The Windows hosts file (`C:\Windows\System32\drivers\etc\hosts`) provides static DNS resolution by mapping hostnames to IP addresses. Entries in the hosts file override DNS resolution.

Attackers commonly modify the hosts file to:

* Block access to security websites
* Redirect browsers to malicious sites
* Prevent software updates
* Establish C2 communication channels

## Data Collected

This collector gathers structured data about hosts.

### Hosts Data

| Field       | Description | Example       |
| ----------- | ----------- | ------------- |
| `Address`   | Address     | Example value |
| `HostNames` | Host Names  | Example value |

## Collection Method

This collector:

* Reads the hosts file path from registry:
  * `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` - DataBasePath value
* Parses the hosts file line by line
* Extracts IP address and hostname pairs
* Filters out comments (lines starting with #)

## Forensic Value

Hosts file modifications are a common malware indicator and can reveal DNS hijacking. Investigators use this data to detect DNS redirection attacks, identify blocked security domains, detect malware C2 infrastructure mappings, track unauthorized hosts file modifications, and identify phishing infrastructure.