top | item 29856628


kjaftaedi | 4 years ago

Every system has a hosts file that you can edit for exactly this purpose.

No need to set up DNS at all.

Your system will resolve whatever hostnames you want to whatever IP addresses you want. You just add the entries to a text file.

It will always override whatever results come from DNS.

The author definitely went the long way with this approach.


BillDemirkapi | 4 years ago

Author here. Yes, simply editing my hosts file would have been much easier. The reason I went the longer approach of setting up the payload on a remote web server was because there is the concept of security zones in Internet Explorer. Visiting localhost in Internet Explorer gets treated with a different level of trust compared to randomwebsite.com. For example, if you go to your security settings in Internet Explorer, there is an "Internet" zone but also a "Local intranet" zone. If you compare the two, you'll see they have different security settings. By hosting the payload on an external domain, we ensure that we are simulating an identical environment to the one that existed for the attack (and are not subject to a different level of trust).

EvanAnderson | 4 years ago

Editing the HOSTS file has nothing to do with where the resource is hosted. It just allows you to control name resolution without doing it in DNS. Internet Explorer security zones work the same way irrespective of whether a local HOSTS file for DNS resolves the name.

pixl97 | 4 years ago

That is if you're using a single-host network. If your simulations go beyond a single VM, it can be useful.

In general, when performing malware analysis, you want a logging DNS cache to keep track of any lookup the software makes.
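An added example (not from the thread or from the article it discusses) that puts both kjaftaedi's point and pixl97's together: a tiny authoritative DNS responder that answers A queries from a hosts-style table (the override), records every question it sees (the logging), and sinkholes anything unknown to a default address so the sample still gets an answer. The names `randomwebsite.com` and `update.example-c2.net`, the 10.0.0.x addresses, and the bind port are constructed assumptions for an isolated analysis network; point the sandbox VM's DNS at the host running this instead of editing each VM's hosts file.

```python
import socket
import struct

# Constructed hosts-style table for the analysis network (assumed names/IPs,
# not taken from the thread): every VM in the lab resolves these the same way.
SANDBOX_HOSTS = {
    "randomwebsite.com": "10.0.0.5",
    "update.example-c2.net": "10.0.0.5",
}
# Anything not in the table is sinkholed here so the sample still proceeds
# and the lookup is still recorded.
DEFAULT_SINK = "10.0.0.1"

# Every (name, qtype) the responder has been asked about, in order.
QUERY_LOG = []


def parse_name(data, offset):
    """Decode a DNS name starting at offset; follows a compression pointer if present.

    Returns (dotted name, offset just past the encoded name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            # Compression pointer: the remaining name lives at the 14-bit offset.
            pointer = ((length & 0x3F) << 8) | data[offset]
            rest, _ = parse_name(data, pointer)
            labels.append(rest)
            return ".".join(labels), offset + 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(packet):
    """Return (txid, name, qtype, qclass, raw question section) for a one-question query."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("only single-question queries are supported")
    name, offset = parse_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, name, qtype, qclass, packet[12:offset + 4]


def build_response(packet):
    """Log the question and build an authoritative reply.

    Returns (response bytes, answered IP, queried name)."""
    txid, name, qtype, _qclass, question = parse_query(packet)
    QUERY_LOG.append((name, qtype))
    ip = SANDBOX_HOSTS.get(name.lower(), DEFAULT_SINK)
    # Flags 0x8580: QR=1 (response), AA=1, RD=1, RA=1, RCODE=0.
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, ancount, 0, 0)
    if qtype != 1:
        # Only A records are synthesised; other types get an empty answer section.
        return header + question, ip, name
    # Answer: pointer to the name at offset 12, type A, class IN, TTL 60, 4-byte RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer, ip, name


def build_query(name, txid=0x1234, qtype=1):
    """Encode a standard recursive-desired query for name (used for offline testing)."""
    body = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)


def resolve(name):
    """Run a constructed A query through the responder and return the IP it answered."""
    _resp, ip, _name = build_response(build_query(name))
    return ip


def serve(bind="0.0.0.0", port=53):
    """Answer UDP queries from the lab VMs and print each lookup as it arrives."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            resp, ip, name = build_response(data)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError):
            continue  # malformed or multi-question packet: drop it
        print(f"{addr[0]} asked for {name} -> {ip}")
        sock.sendto(resp, addr)


if __name__ == "__main__":
    serve()
```

Run it as root (or on a high port with the VM's resolver pointed accordingly) on the analysis host and give that host's address as the only DNS server to every sandbox VM; `QUERY_LOG` and the printed lines are the record of what the sample tried to reach, which a per-VM hosts file never gives you.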

rasz | 4 years ago

>Your system will resolve whatever hostnames you want to whatever IP addresses you want. You just add the entries to a text file.

>It will always override whatever results come from DNS.

There are limitations; good luck overriding ctldl.windowsupdate.com https://forums.mydigitallife.net/threads/windows-10-hosts-fi...

flatiron | 4 years ago

Was it HTTPS? Makes it a bit trickier if it is, as you would have to self-sign the cert. The guy is using IDA Pro. I assume they know how DNS works.