The little known (I think) secret of hosts.ics

March 31, 2018 in Anti-Forensics, Compromise Detection

Today I discovered that, while everyone knows one can use the c:\WINDOWS\system32\drivers\etc\hosts file to introduce static entries to the DNS resolver, there is one more file that can be utilized for this purpose.

It is the hosts.ics file (c:\WINDOWS\system32\drivers\etc\hosts.ics), which was originally designed to support the Internet Connection Sharing service. It looks like it is ingested by the DNS resolver the same way as the hosts file.

So… yet another place to look at.
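A quick triage script for that extra place, as an added example that is not part of the original post: it lists the active (non-comment) entries of both hosts and hosts.ics and flags anything that is not a plain localhost mapping. It assumes the standard path from the post, using $env:SystemRoot instead of the hard-coded c:\WINDOWS.

```powershell
# Added example (not from the original post): audit both resolver override
# files for active entries. The hosts.ics path is the one named in the post;
# $env:SystemRoot stands in for the hard-coded c:\WINDOWS.
$etc   = Join-Path $env:SystemRoot 'System32\drivers\etc'
$files = @('hosts', 'hosts.ics') | ForEach-Object { Join-Path $etc $_ }

foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "[-] $path : not present"
        continue
    }
    $item = Get-Item -LiteralPath $path
    Write-Output ("[*] {0} : {1} bytes, modified {2:u}" -f $path, $item.Length, $item.LastWriteTime)

    # Drop trailing comments and blank lines; what remains is what the resolver acts on.
    $entries = @(Get-Content -LiteralPath $path |
        ForEach-Object { ($_ -split '#', 2)[0].Trim() } |
        Where-Object { $_ -ne '' })

    if ($entries.Count -eq 0) {
        Write-Output '    (no active entries)'
        continue
    }
    foreach ($line in $entries) {
        $fields = $line -split '\s+'
        $ip     = $fields[0]
        $names  = if ($fields.Count -gt 1) { $fields[1..($fields.Count - 1)] -join ' ' }
                  else { '(no hostname)' }
        # Anything other than a loopback mapping deserves a second look.
        $note = if ($ip -in @('127.0.0.1', '::1')) { '' } else { '  <-- review' }
        Write-Output ("    {0,-40} -> {1}{2}" -f $names, $ip, $note)
    }
}
```

Run it in an elevated PowerShell prompt during triage; an existing hosts.ics with active entries on a box that never used Internet Connection Sharing is the condition worth investigating.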

After adding the file to a test Win 10 box, I got the following results:
