Hosts File

Overview

Evidence: Hosts File
Description: Dump Hosts File
Category: Network
Platform: Windows
Short Name: hosts
Is Parsed: Yes - Hosts file is parsed for IP-hostname mappings
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The Windows hosts file (C:\Windows\System32\drivers\etc\hosts) provides static DNS resolution by mapping hostnames to IP addresses. Entries in the hosts file override DNS resolution.

Attackers commonly modify the hosts file to:

  • Block access to security websites

  • Redirect browsers to malicious sites

  • Prevent software updates

  • Establish C2 communication channels

Data Collected

Field         Description           Example
IPAddress     IP address            127.0.0.1
HostAddress   Hostname or domain    malware-update-server.com

Collection Method

This collector:

  • Reads the hosts file path from the registry:

    • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - DataBasePath value

  • Parses the hosts file line by line

  • Extracts IP address and hostname pairs

  • Filters out comments (lines starting with #)
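The parsing steps above, as an added example in Python (not the collector's own code): it turns hosts file text into the IPAddress/HostAddress pairs listed under Data Collected, dropping comment lines and inline comments and emitting one entry per hostname when a line lists several, then flags the patterns described under Notes. The sample hosts content and domain names are constructed; the registry lookup for DataBasePath is left out so the parser runs on any platform.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample hosts file content (not from a real system): the default
# localhost lines plus the kinds of entries the page describes.
SAMPLE_HOSTS = """\
# Sample header comment, as found at the top of a stock hosts file.
#
127.0.0.1       localhost
::1             localhost
127.0.0.1   update.example-av.test        # constructed: update domain sinkholed
0.0.0.0     research.example.test         # constructed: security site blocked
203.0.113.10    login.example-bank.test   www.example-bank.test
"""

# Names that legitimately map to loopback in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

class HostsEntry(NamedTuple):
    ip_address: str    # the page's IPAddress field
    host_address: str  # the page's HostAddress field

def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts file text line by line into (IPAddress, HostAddress) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comment lines and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # no hostname on this line
        try:
            ipaddress.ip_address(fields[0])   # first field must be a valid IPv4/IPv6 address
        except ValueError:
            continue
        entries.extend(HostsEntry(fields[0], host) for host in fields[1:])
    return entries

def suspicious_entries(entries: list[HostsEntry]) -> list[tuple[HostsEntry, str]]:
    """Flag a non-localhost name sent to loopback/0.0.0.0 (sinkholed, e.g. a blocked
    update or security domain) or mapped to any other address (remapped)."""
    flagged = []
    for entry in entries:
        if entry.host_address.lower() in LOOPBACK_NAMES:
            continue
        ip = ipaddress.ip_address(entry.ip_address)
        label = "sinkholed" if ip.is_loopback or ip.is_unspecified else "remapped"
        flagged.append((entry, label))
    return flagged
```

Every flagged entry deserves a look; which ones are malicious depends on whether the remapped domain belongs to a vendor, a security site, or the organization itself.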

Usage

Hosts file modifications are a common malware indicator and can reveal DNS hijacking. Investigators use this data to detect DNS redirection attacks, identify blocked security domains, detect malware C2 infrastructure mappings, track unauthorized hosts file modifications, and identify phishing infrastructure.

Known Limitations

  • Only captures the current state of the file

  • Previous modifications are not visible

  • Hosts file can be deleted or cleared

  • Malware may use alternate DNS methods

Notes

Common malicious patterns include:

  • Redirecting antivirus update domains to 127.0.0.1

  • Mapping legitimate domains to attacker-controlled IPs

  • Blocking security researcher websites

  • Large numbers of entries (crypto-mining blocklists abused by malware)
