
Insider Threat Matrix™
  • ID: PV063
  • Created: 30th July 2025
  • Updated: 23rd October 2025
  • Platform: Windows
  • MITRE ATT&CK®: M1037
  • Contributor: The ITM Team

Local DNS Sinkhole, Windows

On Windows, the “hosts” file is a plain-text file that the DNS Client service consults before it sends any query to a DNS server, so an entry in it overrides whatever DNS would have returned. It is located at C:\Windows\System32\drivers\etc\hosts (no file extension) and, by default, is writable only by administrators.


An entry is one line in the format “X.X.X.X domain.com”: an address, whitespace, then the hostname (anything after # on the line is a comment). To sinkhole a domain so that it never resolves to its real address, the entry could look like: 127.0.0.1 drive.google.com. When a user attempts to reach that domain in a browser, Windows checks the hosts file before querying DNS and resolves drive.google.com to 127.0.0.1 (localhost), so no DNS lookup is made and the connection fails on the local machine. Two practical points: the hosts file has no wildcard support, so every hostname to be blocked (drive.google.com, docs.google.com, and so on) needs its own line, and adding the matching IPv6 entry (::1 drive.google.com) avoids relying on resolver behaviour for AAAA lookups. Applications that resolve names themselves, such as a browser with DNS-over-HTTPS enabled, may not consult the hosts file, so the sinkhole should be paired with policy that disables such features. This prevention can be deployed through Group Policy, for example a Group Policy Preferences Files item or a startup script that overwrites the existing hosts file on each machine.
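The deployment described above, the hosts-file write plus a check that the sinkhole took effect, as an added PowerShell example that is not part of the ITM page. The domain list, the marker comment and the function names are illustrative assumptions; the script must run elevated, writes both IPv4 and IPv6 loopback entries for each name, and uses Clear-DnsClientCache from the built-in DnsClient module so cached answers do not outlive the change.

```powershell
# Added example (not from the ITM page): deploy a hosts-file sinkhole on Windows.
# Assumptions: run elevated (the hosts file is writable only by administrators);
# the domain list below is illustrative. Each hostname needs its own line because
# the hosts file has no wildcard support; both the IPv4 and IPv6 loopback addresses
# are written so that AAAA lookups are sinkholed as well.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# ITM-PV063 sinkhole'   # tag so our lines can be found and replaced later
$Domains   = @('drive.google.com', 'docs.google.com', 'www.dropbox.com')  # illustrative list

function Set-HostsSinkhole {
    param([string[]]$Domain, [string]$Path = $HostsPath)

    # Keep every line that is not one of our tagged lines, so re-running is idempotent
    # and unrelated entries already in the file survive.
    $existing = if (Test-Path $Path) { Get-Content -Path $Path } else { @() }
    $kept = $existing | Where-Object { $_ -notmatch [regex]::Escape($Marker) }

    # One IPv4 and one IPv6 loopback entry per domain.
    $sinkhole = foreach ($d in $Domain) {
        "127.0.0.1 $d $Marker"
        "::1 $d $Marker"
    }

    # Write plain ASCII: a UTF-8 BOM at the top of the file is not reliably tolerated.
    Set-Content -Path $Path -Value ($kept + $sinkhole) -Encoding Ascii

    # Drop cached answers so the new entries take effect immediately.
    Clear-DnsClientCache
}

function Test-HostsSinkhole {
    param([string[]]$Domain)
    # Resolve through the OS resolver (hosts file included) and report what each
    # name now maps to. A sinkholed name returns only loopback addresses.
    foreach ($d in $Domain) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($d) | ForEach-Object { $_.IPAddressToString }
        } catch {
            $addrs = @("<resolution failed: $($_.Exception.Message)>")
        }
        $loopbackOnly = ($addrs | Where-Object { $_ -notin @('127.0.0.1', '::1') }).Count -eq 0
        [pscustomobject]@{ Domain = $d; Resolves = ($addrs -join ','); Sinkholed = $loopbackOnly }
    }
}

Set-HostsSinkhole -Domain $Domains
Test-HostsSinkhole -Domain $Domains | Format-Table -AutoSize
```

For fleet deployment the same script can run as a Group Policy startup script, or the generated file can be pushed with a Group Policy Preferences Files item. Note that Microsoft Defender flags hosts entries that redirect Microsoft's own domains (SettingsModifier:Win32/HostsFileHijack), so keep the sinkhole list to third-party services or add an exclusion before rolling it out.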


Such modifications prevent requests from ever reaching DNS infrastructure or network-based logging points (proxy, NGFW): no DNS query leaves the host and no connection to the real service is attempted, so an investigator who relies only on network telemetry sees nothing. An EDR solution should still record the process initiating a network connection (to 127.0.0.1 in this case) and so preserves some visibility. The hosts file is itself worth monitoring: a subject with local administrator rights can remove the entry just as easily as it was added, so file-integrity monitoring on the hosts file closes that gap.
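The investigator-side view of the same file, as an added PowerShell example that is not part of the ITM page: it lists every hosts entry that points a name at a loopback or unspecified address (the usual sinkhole targets), reports when the file was last written, and, where Sysmon is installed with FileCreate (Event ID 11) logging, which processes have overwritten it. Sysmon is an assumed optional dependency; the function names are illustrative.

```powershell
# Added example (not from the ITM page): audit a Windows hosts file during an investigation.
# Assumptions: run on the host under investigation; Sysmon (Event ID 11, FileCreate)
# is optional and only used if its log exists.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$SinkholeAddresses = @('127.0.0.1', '::1', '0.0.0.0', '::')

function Get-HostsSinkholeEntry {
    param([string]$Path = $HostsPath)
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        $body = ($line -split '#', 2)[0].Trim()     # drop trailing comments
        if (-not $body) { continue }
        $fields = $body -split '\s+'
        if ($fields.Count -lt 2) { continue }        # an address with no names is not an entry
        $ip = $fields[0]
        if ($ip -in $SinkholeAddresses) {
            # A line may carry several names after the address; report each separately.
            foreach ($name in $fields[1..($fields.Count - 1)]) {
                [pscustomobject]@{ Line = $lineNo; Address = $ip; Name = $name }
            }
        }
    }
}

function Get-HostsFileWriteEvent {
    param([string]$Path = $HostsPath)
    # Sysmon Event ID 11 records file creation/overwrite together with the writing process.
    $log = 'Microsoft-Windows-Sysmon/Operational'
    if (-not (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)) { return }
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 11 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Field order varies between Sysmon versions, so read the XML by field name.
            $data   = ([xml]$_.ToXml()).Event.EventData.Data
            $target = ($data | Where-Object Name -eq 'TargetFilename').'#text'
            if ($target -eq $Path) {                  # -eq is case-insensitive in PowerShell
                [pscustomobject]@{
                    Time  = $_.TimeCreated
                    Image = ($data | Where-Object Name -eq 'Image').'#text'
                    User  = ($data | Where-Object Name -eq 'User').'#text'   # absent on older Sysmon
                }
            }
        }
}

$file = Get-Item -Path $HostsPath
"hosts last written (UTC): $($file.LastWriteTimeUtc.ToString('u'))"
Get-HostsSinkholeEntry | Format-Table -AutoSize
Get-HostsFileWriteEvent | Sort-Object Time -Descending | Format-Table -AutoSize
```

The entry list tells the investigator which destinations could never have produced DNS or proxy records, which is exactly the set of domains for which EDR process-network telemetry must be consulted instead. The write events show whether the file was changed by the deployment mechanism (a Group Policy process) or by something else on the machine.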

Sections

ID Name Description
IF001.008 Exfiltration via File-Sharing Platform

The subject uploads organizational data to a personal or unauthorized file-sharing platform (e.g., Dropbox, Google Drive, WeTransfer, MEGA, or similar) to remove it from controlled environments. This technique is commonly used to bypass endpoint restrictions, avoid detection by traditional DLP systems, and facilitate remote access to stolen data. Uploads may occur through browser sessions, desktop clients, or command-line tools, depending on the sophistication of the subject and the controls in place.


Investigators should evaluate whether the data transferred was sensitive, proprietary, or otherwise restricted, and assess whether the subject attempted to conceal or stage the transfer using obfuscation or anti-forensics techniques.