How often to DFIR analysts think about name resolution, particularly on Windows systems? I know that looking back across engagements I've done in the past, I've asked for DNS server logs but very often, these were not available. I'm sure others have seen the same thing. When we moved to enterprise response and had access to EDR tools, we could look up DNS queries or create reports based on EDR telemetry, if such a thing was recorded by the agent. In some cases, we could have the DNS queries automatically checked against a blacklist, and queries for known-bad domains highlighted or marked.
According to MS KB article 172218, Windows systems look to their local hosts file prior to making a DNS query (on the network) when looking up a host name. This hosts file is located, by default, in the %SystemRoot%\System32\drivers\etc folder. I say "by default", because this path can be changed via the following Registry value:
Okay...so what? Well, it's widely known that threat actors will (we know because we've seen it) make modifications to Windows systems to meet their needs, modifying the environment to suit their goals. We've discussed some of those settings before, and we've seen where threat actors have changed the location of a user's StartUp folder in order to hide their persistence mechanism. If I wanted to keep DNS queries from appearing on the network, it would be relatively easy to either just modify the hosts file, or change the default location and plant a malicious hosts file.
Addendum, 22 Oct - since publishing this post yesterday, others have tried this and found that changing the location of the hosts file does not appear to work. At this point, I have only found the value to exist on a few of the Windows 10 1809 and up systems/images to which I have access, and through searches, I've found indications online that this does not work for Windows 7 systems. At this point, in the absence of explicit documentation, a bit more testing would be valuable.
However, analysts should still keep in the name resolution order in mind, and be aware that modifying the hosts file itself is still something a threat actor can do. Other issues to keep in mind include the use of persistent routes (I've actually seen this done for legitimate business purposes), as well as the use of a port proxy. Both are fairly trivial to check during DFIR pre-processing or threat hunting.
Addendum, 28 Oct - Okay, so there's been no new info on this topic beyond the testing that's been done. On that note, it's actually a bit sad that you can't point Windows systems to a centralized hosts file; Trend Micro recently posted regarding some new malware, which included listings of C2 services. Being able to quickly add this info to a centralized hosts file (redirect host names to localhost) which all systems use would be very beneficial in defanging this malware.
An alternative to this is to maintain a centralized hosts file, but have a GPO or some other process that regularly updates the hosts files, even if only on critical systems.
So, at this point, it appears that the DataBasePath value on Win10 systems is pointless/has no discernible impact. However, that does not mean that we don't look to other Registry locations that contain network-based information. For example, I previously mentioned persistent routes and port proxy info, and I'd add checking the DNS server names/IP addresses for interfaces.