DNS-over-HTTPS Enabled via Registry
Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/07/22"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Austin Songer"]
11description = """
12Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating
13data. With this enabled, an organization will lose visibility into data such as query type, response, and originating
14IP, which are used to determine bad actors.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "DNS-over-HTTPS Enabled via Registry"
21references = [
22 "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
23 "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
24]
25risk_score = 21
26rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
27severity = "low"
28tags = [
29 "Domain: Endpoint",
30 "OS: Windows",
31 "Use Case: Threat Detection",
32 "Tactic: Defense Evasion",
33 "Data Source: Elastic Endgame",
34 "Data Source: Elastic Defend",
35 "Data Source: Sysmon",
36 "Data Source: Microsoft Defender for Endpoint",
37 "Data Source: SentinelOne",
38]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43registry where host.os.type == "windows" and event.type == "change" and
44 (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
45 registry.data.strings : ("1", "0x00000001")) or
46 (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
47 registry.data.strings : "secure") or
48 (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
49 registry.data.strings : ("1", "0x00000001"))
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1112"
57name = "Modify Registry"
58reference = "https://attack.mitre.org/techniques/T1112/"
59
60[[rule.threat.technique]]
61id = "T1562"
62name = "Impair Defenses"
63reference = "https://attack.mitre.org/techniques/T1562/"
64
65
66[rule.threat.tactic]
67id = "TA0005"
68name = "Defense Evasion"
69reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
Chrome Enterprise policies for businesses and organizations to manage Chrome Browser and ChromeOS.
Read More
Related rules
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Code Signing Policy Modification Through Registry
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of Root Certificate