DNS-over-HTTPS Enabled via Registry

calendar May 22, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/07/22"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = """
10Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating
11data. With this enabled, an organization will lose visibility into data such as query type, response, and originating
12IP, which are used to determine bad actors.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "DNS-over-HTTPS Enabled via Registry"
19references = [
20    "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
21    "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
22]
23risk_score = 21
24rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
25setup = """## Setup
26
27If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
28events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
29Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
30`event.ingested` to @timestamp.
31For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
32"""
33severity = "low"
34tags = [
35    "Domain: Endpoint",
36    "OS: Windows",
37    "Use Case: Threat Detection",
38    "Tactic: Defense Evasion",
39    "Data Source: Elastic Endgame",
40    "Data Source: Elastic Defend",
41    "Data Source: Sysmon",
42]
43timestamp_override = "event.ingested"
44type = "eql"
45
46query = '''
47registry where host.os.type == "windows" and event.type in ("creation", "change") and
48  (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
49  registry.data.strings : "1") or
50  (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
51  registry.data.strings : "secure") or
52  (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
53  registry.data.strings : "1")
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1112"
61name = "Modify Registry"
62reference = "https://attack.mitre.org/techniques/T1112/"
63
64[[rule.threat.technique]]
65id = "T1562"
66name = "Impair Defenses"
67reference = "https://attack.mitre.org/techniques/T1562/"
68
69
70[rule.threat.tactic]
71id = "TA0005"
72name = "Defense Evasion"
73reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules

to-top