
Insider Threat Matrix™

  • ID: PV063
  • Created: 30th July 2025
  • Updated: 31st July 2025
  • Platform: Windows
  • Contributor: The ITM Team

Local DNS Sinkhole, Windows

On Windows, the hosts file is a plain-text file that maps hostnames to IP addresses. The DNS Client service consults it before sending any query to a DNS server, so an entry in it overrides whatever DNS would return. The file has no extension and is located at C:\Windows\System32\drivers\etc\hosts; writing to it requires local administrator rights.


Each entry goes on its own line in the format "X.X.X.X domain.com": an IP address, whitespace, then one or more hostnames; anything after a # is a comment. Wildcards are not supported, so every hostname to be blocked, including each subdomain, must be listed explicitly. To sinkhole a domain so that it no longer resolves to its real address, the entry could read: 127.0.0.1 drive.google.com. If a user then tries to reach drive.google.com in a browser, Windows checks the hosts file before querying DNS and resolves the name to 127.0.0.1 (localhost), so the request never reaches the real service. Using 0.0.0.0 instead of 127.0.0.1 is a common alternative that avoids directing the connection attempt at whatever happens to be listening on the local machine. If an old answer is still cached, flush it with ipconfig /flushdns. This prevention can be deployed fleet-wide through Group Policy by replacing the existing hosts file, for example with Group Policy Preferences (Computer Configuration > Preferences > Windows Settings > Files) or a startup script; because a local administrator can edit the file back, the policy should be reapplied on each refresh.
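The following PowerShell is an added example, not code from the ITM page or the ITM team, showing how to add, verify and remove sinkhole entries on a single host. The domain list, the marker comment and the choice of 0.0.0.0 as the default sink address are assumptions for illustration; it must run in an elevated session because the hosts file is writable only by administrators.

```powershell
# Added example (not from the ITM page): add, verify and remove hosts-file sinkhole entries.
# Run in an elevated PowerShell session; the hosts file is writable only by Administrators.
# The domain list, marker comment and default sink address are assumptions for illustration.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# ITM-PV063 sinkhole'   # tags our lines so they can be found and removed later

function Get-HostsNames {
    # Returns the hostnames mapped on one hosts line ("IP name [alias ...] [# comment]").
    param([string]$Line)
    $tok = ($Line -replace '#.*$').Trim() -split '\s+'
    if ($tok.Count -ge 2 -and $tok[0]) { $tok[1..($tok.Count - 1)] } else { @() }
}

function Add-HostsSinkhole {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        # 0.0.0.0 makes the connection fail without touching whatever listens on loopback;
        # 127.0.0.1, as in the page's example, blocks resolution just as well.
        [string]$SinkIP = '0.0.0.0'
    )
    [string[]]$lines = @(Get-Content -Path $HostsPath -ErrorAction Stop)
    foreach ($d in $Domain) {
        # No wildcards in the hosts file: each hostname (and each subdomain) is listed explicitly.
        $present = $lines | Where-Object { $d -in (Get-HostsNames $_) }
        if ($present) { Write-Verbose "$d already mapped, skipping"; continue }
        $lines += "$SinkIP`t$d`t$Marker"
    }
    # Plain ASCII: the hosts file is expected to be simple ANSI/ASCII text.
    Set-Content -Path $HostsPath -Value $lines -Encoding ASCII
    Clear-DnsClientCache   # drop any cached answer so the new mapping is used for the next lookup
}

function Remove-HostsSinkhole {
    # Removes only the lines carrying our marker, leaving every other entry untouched.
    [string[]]$lines = @(Get-Content -Path $HostsPath -ErrorAction Stop)
    $kept = $lines | Where-Object { $_ -notlike "*$Marker*" }
    Set-Content -Path $HostsPath -Value $kept -Encoding ASCII
    Clear-DnsClientCache
}

function Test-HostsSinkhole {
    # Resolves through the OS resolver (hosts file first, then DNS), exactly as a browser would.
    param([Parameter(Mandatory)][string]$Domain)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Domain) | ForEach-Object IPAddressToString
    } catch { $addrs = @() }
    [pscustomobject]@{
        Domain    = $Domain
        Resolved  = ($addrs -join ', ')
        Sinkholed = [bool]($addrs | Where-Object { $_ -in '0.0.0.0', '127.0.0.1', '::1' })
    }
}

# Usage: block the two example domains, then confirm the resolver returns the sink address.
Add-HostsSinkhole -Domain 'drive.google.com', 'docs.google.com'
Test-HostsSinkhole -Domain 'drive.google.com'
# Remove-HostsSinkhole   # undo, leaving the rest of the file as it was
```

Test-HostsSinkhole deliberately goes through the Windows resolver rather than a raw DNS query, because that is the path the browser takes; a check that queried the DNS server directly would report the real address and tell you nothing about whether the sinkhole works.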


Because the name never leaves the host, such modifications prevent requests from reaching DNS infrastructure or network-based logging points (DNS server logs, proxy, NGFW), creating a forensic blind spot for investigators: there is no DNS query and no outbound connection to find. The same file can be edited by anyone with local administrator rights, so it should be treated as a monitored artifact, with file-write telemetry or file-integrity monitoring on its path showing who changed it and when. An EDR solution should still detect the process initiating a network connection (to 127.0.0.1 in the example above) and provide visibility on the endpoint itself.
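An investigator's counterpart to the deployment script, added here as an example rather than taken from the ITM page: it parses the hosts file, lists every hostname mapped to a sink address, shows what DNS alone would have returned for that name, and records the file's timestamp and hash for the case notes. The list of sink addresses and the exclusion of the loopback names are assumptions; the script only reads, so it needs no elevation.

```powershell
# Added example (not from the ITM page): audit the Windows hosts file for sinkhole entries.
# Read-only; works without elevation. The sink address list is an assumption for illustration.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Addresses that silently swallow traffic; extend with any other IP you consider suspicious.
$SinkIPs   = @('0.0.0.0', '127.0.0.1', '::1')
# Names Windows itself maps to loopback; not evidence of a sinkhole.
$LoopbackNames = @('localhost', 'localhost.localdomain')

function Get-HostsEntry {
    # Parses "IP hostname [alias ...] [# comment]" lines; comment-only and blank lines are skipped.
    $lineNo = 0
    foreach ($raw in Get-Content -Path $HostsPath) {
        $lineNo++
        $text = ($raw -replace '#.*$').Trim()
        if (-not $text) { continue }
        $tok = $text -split '\s+'
        if ($tok.Count -lt 2) { continue }
        foreach ($name in $tok[1..($tok.Count - 1)]) {
            [pscustomobject]@{ Line = $lineNo; IP = $tok[0]; Host = $name; Raw = $raw }
        }
    }
}

function Find-HostsSinkhole {
    # Flags hostnames mapped to a sink address and shows the answer DNS alone would give,
    # so an investigator can tell a deliberate sinkhole from a benign local override.
    foreach ($e in Get-HostsEntry) {
        if ($e.IP -notin $SinkIPs) { continue }
        if ($e.Host -in $LoopbackNames) { continue }
        try {
            # -DnsOnly bypasses the hosts file and the cache: this is the real-world answer.
            $dns = Resolve-DnsName -Name $e.Host -Type A -DnsOnly -ErrorAction Stop |
                   Where-Object IPAddress | Select-Object -ExpandProperty IPAddress
            $dnsAnswer = $dns -join ', '
        } catch {
            $dnsAnswer = "unresolved ($($_.Exception.Message))"
        }
        [pscustomobject]@{
            Line      = $e.Line
            Host      = $e.Host
            HostsSays = $e.IP
            DnsSays   = $dnsAnswer
            Raw       = $e.Raw
        }
    }
}

# File metadata: a recent write to a file that should only change via deployment is itself a lead.
$fi = Get-Item -Path $HostsPath
[pscustomobject]@{
    Path          = $fi.FullName
    LastWriteTime = $fi.LastWriteTime
    SHA256        = (Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash
}

Find-HostsSinkhole | Format-Table -AutoSize
```

Note that the -DnsOnly lookup does send a query to the configured DNS server, so running this during triage will itself create the DNS log entry the sinkhole had been suppressing; drop that column if you need to stay passive on the endpoint.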