DNS-over-HTTPS Enabled via Registry

Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.

Elastic rule

```toml
[metadata]
creation_date = "2021/07/22"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Austin Songer"]
description = """
Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating
data. With this enabled, an organization will lose visibility into data such as query type, response, and originating
IP, which are used to determine bad actors.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "DNS-over-HTTPS Enabled via Registry"
references = [
    "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
    "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
]
risk_score = 21
rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

# EQL binds "and" tighter than "or", so the three browser clauses are grouped in
# one parenthesised block; otherwise the Windows/change scope would apply to the
# Edge clause only.
query = '''
registry where host.os.type == "windows" and event.type == "change" and
  (
    (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
     registry.data.strings : ("1", "0x00000001")) or
    (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
     registry.data.strings : "secure") or
    (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
     registry.data.strings : ("1", "0x00000001"))
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating DNS-over-HTTPS Enabled via Registry

DNS-over-HTTPS (DoH) encrypts DNS queries to enhance privacy and security, preventing eavesdropping and manipulation. However, adversaries can exploit DoH to conceal malicious activities, such as data exfiltration, by bypassing traditional DNS monitoring. The detection rule identifies registry changes enabling DoH in browsers like Edge, Chrome, and Firefox, signaling potential misuse for defense evasion.

### Possible investigation steps

- Review the registry path and data values from the alert to determine which browser and setting were modified. Check if the change aligns with known user activity or policy.
- Investigate the user account associated with the registry change to assess if the activity is expected or if the account has a history of suspicious behavior.
- Examine recent network traffic from the host to identify any unusual or unauthorized DNS queries that could indicate data exfiltration or other malicious activities.
- Check for any other recent registry changes or system modifications on the host that might suggest further attempts at defense evasion or persistence.
- Correlate the alert with other security events or logs from the same host or user to identify patterns or additional indicators of compromise.

### False positive analysis

- Legitimate software updates or installations may enable DNS-over-HTTPS settings in browsers. Monitor software update schedules and correlate registry changes with known update events to identify benign changes.
- Organizational policies might require DNS-over-HTTPS for privacy compliance. Document these policies and create exceptions in the detection rule for systems where this is a known requirement.
- User-initiated privacy settings changes can trigger the rule. Educate users on the implications of enabling DNS-over-HTTPS and establish a process for them to report intentional changes, allowing for exclusion of these events.
- Security tools or privacy-focused applications may enable DNS-over-HTTPS as part of their functionality. Identify these tools within the organization and adjust the detection rule to exclude registry changes associated with their operation.

### Response and remediation

- Immediately isolate the affected system from the network to prevent potential data exfiltration or further malicious activity.
- Review and revert any unauthorized registry changes related to DNS-over-HTTPS settings in Edge, Chrome, and Firefox to restore standard DNS monitoring capabilities.
- Conduct a thorough scan of the affected system using updated antivirus and endpoint detection tools to identify and remove any malicious software or scripts.
- Analyze network traffic logs to identify any unusual or unauthorized DNS queries or data transfers that may have occurred during the period of DoH activation.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring for registry changes related to DNS settings across the organization to detect similar threats in the future.
- Review and update security policies to ensure that DNS-over-HTTPS is only enabled through approved channels and for legitimate purposes, reducing the risk of misuse."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
...
```
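The matching logic of the rule's query, re-implemented in Python over constructed sample registry events (an added example, not Elastic's code or real telemetry). `matches_intended` applies the Windows/change scope to all three browser clauses; `matches_as_written` shows what the same clauses yield when they are not wrapped in one parenthesised group, because EQL binds `and` tighter than `or` and the scope then covers only the Edge clause. The dotted ECS-style field names and the HKLM paths in the samples are assumptions for illustration.

```python
import fnmatch

# Registry value patterns taken from the rule's EQL query. EQL ":" on a
# keyword field is a case-insensitive wildcard match, emulated with fnmatch.
EDGE = "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled"
CHROME = "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode"
FIREFOX = "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS"
ENABLED = ("1", "0x00000001")

def _path_is(event, pattern):
    return fnmatch.fnmatchcase(event.get("registry.path", "").lower(), pattern.lower())

def _data_in(event, values):
    return event.get("registry.data.strings", "").lower() in {v.lower() for v in values}

def _in_scope(event):
    return event.get("host.os.type") == "windows" and event.get("event.type") == "change"

def _doh_branches(event):
    """The three browser-specific (path, value) clauses, in the rule's order."""
    return (_path_is(event, EDGE) and _data_in(event, ENABLED),
            _path_is(event, CHROME) and _data_in(event, ("secure",)),
            _path_is(event, FIREFOX) and _data_in(event, ENABLED))

def matches_intended(event):
    """Windows change event AND any of the three DoH settings (grouped)."""
    return _in_scope(event) and any(_doh_branches(event))

def matches_as_written(event):
    """Same clauses without outer parentheses: EQL binds 'and' tighter than
    'or', so the Windows/change scope applies to the Edge clause only."""
    edge, chrome, firefox = _doh_branches(event)
    return (_in_scope(event) and edge) or chrome or firefox

def alerting_paths(events, matcher=matches_intended):
    return [e["registry.path"] for e in events if matcher(e)]

# Constructed sample events with ECS-style dotted keys; not real telemetry.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "change", "registry.data.strings": "1",
     "registry.path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled"},
    {"host.os.type": "windows", "event.type": "change", "registry.data.strings": "secure",
     "registry.path": "HKLM\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode"},
    {"host.os.type": "windows", "event.type": "change", "registry.data.strings": "automatic",
     "registry.path": "HKLM\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode"},
    # Value being deleted rather than set: outside the rule's intended scope.
    {"host.os.type": "windows", "event.type": "deletion", "registry.data.strings": "0x00000001",
     "registry.path": "HKLM\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS"},
]
```

Running `alerting_paths(SAMPLE_EVENTS)` returns the Edge and Chrome paths only, while `alerting_paths(SAMPLE_EVENTS, matches_as_written)` also returns the Firefox deletion event, which is the extra noise the outer parentheses prevent.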
