How often to DFIR analysts think about name resolution, particularly on Windows systems? I know that looking back across engagements I've done in the past, I've asked for DNS server logs but very often, these were not available. I'm sure others have seen the same thing. When we moved to enterprise response and had access to EDR tools, we could look up DNS queries or create reports based on EDR telemetry, if such a thing was recorded by the agent. In some cases, we could have the DNS queries automatically checked against a blacklist, and queries for known-bad domains highlighted or marked.
According to MS KB article 172218, Windows systems look to their local hosts file prior to making a DNS query (on the network) when looking up a host name. This hosts file is located, by default, in the %SystemRoot%\System32\drivers\etc folder. I say "by default", because this path can be changed via the following Registry value:
Key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Value: DataBasePath
Okay...so what? Well, it's widely known that threat actors will (we know because we've seen it) make modifications to Windows systems to meet their needs, modifying the environment to suit their goals. We've discussed some of those settings before, and we've seen where threat actors have changed the location of a user's StartUp folder in order to hide their persistence mechanism. If I wanted to keep DNS queries from appearing on the network, it would be relatively easy to either just modify the hosts file, or change the default location and plant a malicious hosts file.
Article Link: https://windowsir.blogspot.com/2020/10/name-resolution.html