DNS-over-HTTPS Enabled via Registry

calendar Sep 5, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Data Source: Elastic Endgame Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/07/22"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Austin Songer"]
11description = """
12Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating
13data. With this enabled, an organization will lose visibility into data such as query type, response, and originating
14IP, which are used to determine bad actors.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "DNS-over-HTTPS Enabled via Registry"
21note = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
24"""
25references = [
26    "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
27    "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
28]
29risk_score = 21
30rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
31severity = "low"
32tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37registry where host.os.type == "windows" and event.type in ("creation", "change") and
38  (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
39  registry.data.strings : "1") or
40  (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
41  registry.data.strings : "secure") or
42  (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
43  registry.data.strings : "1")
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1562"
51name = "Impair Defenses"
52reference = "https://attack.mitre.org/techniques/T1562/"
53
54
55[rule.threat.tactic]
56id = "TA0005"
57name = "Defense Evasion"
58reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

References

Related rules

to-top