Hosts File
Overview
Evidence: Hosts
Description: Dump Hosts File
Category: Network
Platform: windows
Short Name: hosts
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The Windows hosts file (C:\Windows\System32\drivers\etc\hosts) provides static name resolution by mapping hostnames to IP addresses. The resolver consults the hosts file before querying DNS, so its entries override DNS resolution.
Attackers commonly modify the hosts file to:
Block access to security websites
Redirect browsers to malicious sites
Prevent software updates
Establish C2 communication channels
Data Collected
This collector gathers structured data about the entries in the hosts file.
Hosts Data
Field       Display Name   Example
Address     Address        Example value
HostNames   Host Names     Example value
Collection Method
This collector:
Reads the hosts file path from the registry:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, DataBasePath value
Parses the hosts file line by line
Extracts IP address and hostname pairs
Filters out comments (lines starting with #)
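The steps above, worked through as an added example that is not the collector's own code: it resolves the hosts file path from the DataBasePath registry value (falling back to the default path on a non-Windows analysis box), parses the file line by line, strips comments, keeps only lines whose first field is a valid IP address, and then triages the resulting records against a watchlist of update and security domains. The watchlist, the SAMPLE_HOSTS text and the HostsEntry record type are constructed for this example.

```python
"""Parse a Windows hosts file as the collector describes and triage the entries.

Added example, not the product's own code. The registry lookup is the real
Tcpip DataBasePath value; the watchlist and sample file are constructed.
"""
import ipaddress
import os
import sys
from dataclasses import dataclass

# Documented default, used when the registry value cannot be read (non-Windows box).
DEFAULT_DATABASE_PATH = r"C:\Windows\System32\drivers\etc"

# Constructed watchlist of update/security domains whose resolution should
# never be overridden locally; a real deployment would load its own list.
WATCH_SUFFIXES = ("windowsupdate.com", "virustotal.com")


@dataclass
class HostsEntry:  # hypothetical record type mirroring the Address / HostNames fields
    address: str
    host_names: list[str]
    line_number: int


def hosts_file_path() -> str:
    """Resolve <DataBasePath>\\hosts from HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters.

    Falls back to the default path when not running on Windows.
    """
    database_path = DEFAULT_DATABASE_PATH
    if sys.platform == "win32":
        import winreg  # Windows-only module

        key_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "DataBasePath")
            database_path = os.path.expandvars(value)  # value may contain %SystemRoot%
    return os.path.join(database_path, "hosts")


def parse_hosts(text: str) -> list[HostsEntry]:
    """Return one record per active (non-comment) line: address plus its hostnames."""
    entries: list[HostsEntry] = []
    for line_number, raw in enumerate(text.splitlines(), start=1):
        # Drop full-line comments and anything after an inline '#'.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address with no hostname: nothing to resolve
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address; Windows ignores the line
        entries.append(HostsEntry(address, [n.lower() for n in names], line_number))
    return entries


def _watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES)


def triage(entries: list[HostsEntry]) -> list[tuple[HostsEntry, str]]:
    """Flag entries that override resolution of a watched domain.

    A watched name sent to 0.0.0.0 or loopback is a block (updates or security
    sites become unreachable); any other address is a redirect whose
    destination deserves a closer look.
    """
    findings = []
    for entry in entries:
        if not any(_watched(n) for n in entry.host_names):
            continue
        ip = ipaddress.ip_address(entry.address)
        reason = "blocked" if ip.is_unspecified or ip.is_loopback else "redirected"
        findings.append((entry, reason))
    return findings


SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example, not a real capture.
# 102.54.94.97     rhino.acme.com          # commented-out vendor example
127.0.0.1       localhost
::1             localhost
127.0.0.1       build.corp.example      # constructed internal dev mapping
0.0.0.0         windowsupdate.com download.windowsupdate.com  # constructed: update block
198.51.100.23   www.virustotal.com      # constructed: security site sent elsewhere
not-an-ip       broken.entry
"""

if __name__ == "__main__":
    path = hosts_file_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS  # offline run on a non-Windows box
    for entry, reason in triage(parse_hosts(text)):
        print(f"line {entry.line_number}: {entry.address} -> {entry.host_names} [{reason}]")
```

Run on the constructed sample, the parser yields five records (the comment lines, the commented-out vendor example and the malformed last line are dropped) and the triage step reports line 6 as a block and line 7 as a redirect. Keeping the source line number in each record is what lets an analyst jump straight to the modified line when the collected file itself is pulled from the Investigation Hub.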
Forensic Value
Hosts file modifications are a common malware indicator and can reveal DNS hijacking. Investigators use this data to detect DNS redirection attacks, identify blocked security domains, detect malware C2 infrastructure mappings, track unauthorized hosts file modifications, and identify phishing infrastructure.