DNS-over-HTTPS Enabled via Registry
Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/07/22"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Austin Songer"]
11description = """
12Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating
13data. With this enabled, an organization will lose visibility into data such as query type, response, and originating
14IP, which are used to determine bad actors.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "DNS-over-HTTPS Enabled via Registry"
21references = [
22 "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
23 "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
24]
25risk_score = 21
26rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
27setup = """## Setup
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
30events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
31Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
32`event.ingested` to @timestamp.
33For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
34"""
35severity = "low"
36tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41registry where host.os.type == "windows" and event.type in ("creation", "change") and
42 (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
43 registry.data.strings : "1") or
44 (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
45 registry.data.strings : "secure") or
46 (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
47 registry.data.strings : "1")
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1562"
55name = "Impair Defenses"
56reference = "https://attack.mitre.org/techniques/T1562/"
57
58[[rule.threat.technique]]
59id = "T1112"
60name = "Modify Registry"
61reference = "https://attack.mitre.org/techniques/T1112/"
62
63
64[rule.threat.tactic]
65id = "TA0005"
66name = "Defense Evasion"
67reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Code Signing Policy Modification Through Registry
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of Root Certificate
- Encoded Executable Stored in the Registry