Hosts
Overview
Evidence: Hosts
Description: Dump Hosts File
Category: Network
Platform: windows
Short Name: hosts
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The Windows hosts file (C:\Windows\System32\drivers\etc\hosts) provides static name resolution by mapping hostnames to IP addresses. Entries in the hosts file take precedence over DNS resolution.
Attackers commonly modify the hosts file to:
- Block access to security websites
- Redirect browsers to malicious sites
- Prevent software updates
- Establish C2 communication channels
Data Collected
This collector gathers structured data about hosts file entries.
Hosts Data
| Field | Description | Example |
|---|---|---|
| Address | Address | Example value |
| HostNames | Host Names | Example value |
Collection Method
This collector:
- Reads the hosts file path from the registry: the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- Parses the hosts file line by line
- Extracts IP address and hostname pairs
- Filters out comments (lines starting with #)
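As an added example (not the collector's own code), the steps above carried out in Python: the path is resolved from the DataBasePath value on Windows (elsewhere it falls back to the default location, an assumption so the example runs off-box), the file is parsed line by line into address/hostname pairs with comments dropped, and, going one step beyond the list, trailing comments are handled and each non-localhost mapping is labelled for review. The sample hosts content is constructed.

```python
import os
import sys
from typing import List, NamedTuple, Tuple

REG_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"  # key named on the page
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}  # addresses used to null-route a name

class HostEntry(NamedTuple):
    address: str
    hostnames: Tuple[str, ...]

def hosts_file_path() -> str:
    """On Windows, resolve the hosts path from the DataBasePath registry value;
    elsewhere return the documented default (assumption, for off-box runs)."""
    if sys.platform == "win32":
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
            base, _ = winreg.QueryValueEx(key, "DataBasePath")
        return os.path.join(os.path.expandvars(base), "hosts")
    return r"C:\Windows\System32\drivers\etc\hosts"

def parse_hosts(text: str) -> List[HostEntry]:
    """Parse line by line: drop '#' comments (whole-line and trailing),
    skip blanks, first token is the address, remaining tokens are hostnames."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append(HostEntry(fields[0], tuple(fields[1:])))
    return entries

def triage(entries: List[HostEntry]) -> List[Tuple[str, HostEntry]]:
    """Flag entries worth review: a non-localhost name mapped to a sinkhole
    address (blocking) or to any other address (redirection)."""
    findings = []
    for e in entries:
        if any(h.lower() != "localhost" for h in e.hostnames):
            findings.append(("sinkhole" if e.address in SINKHOLE else "redirect", e))
    return findings

# Constructed sample hosts file content (not taken from any real system).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.microsoft.com   # blocks Windows Update
198.51.100.23   login.example-bank.com
192.0.2.10      www.virustotal.com securelist.com
"""
```

Running `triage(parse_hosts(SAMPLE_HOSTS))` returns the update-blocking entry as a sinkhole and the two remaining mappings as redirects; the stock loopback lines are not reported.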
Forensic Value
Hosts file modifications are a common malware indicator and can reveal DNS hijacking. Investigators use this data to detect DNS redirection attacks, identify blocked security domains, detect malware C2 infrastructure mappings, track unauthorized hosts file modifications, and identify phishing infrastructure.