DNS-over-HTTPS Enabled by Registry

calendar Oct 23, 2025 · attack.persistence attack.defense-evasion attack.t1140 attack.t1112  ·
Share on: linkedin copy

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

Sigma rule (View on GitHub)

 1title: DNS-over-HTTPS Enabled by Registry
 2id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
 3status: test
 4description: |
 5    Detects when a user enables DNS-over-HTTPS.
 6    This can be used to hide internet activity or be used to hide the process of exfiltrating data.
 7    With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.    
 8references:
 9    - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
10    - https://github.com/elastic/detection-rules/issues/1371
11    - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
12    - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
13author: Austin Songer
14date: 2021-07-22
15modified: 2023-08-17
16tags:
17    - attack.persistence
18    - attack.defense-evasion
19    - attack.t1140
20    - attack.t1112
21logsource:
22    product: windows
23    category: registry_set
24detection:
25    selection_edge:
26        TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
27        Details: DWORD (0x00000001)
28    selection_chrome:
29        TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
30        Details: 'secure'
31    selection_firefox:
32        TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
33        Details: DWORD (0x00000001)
34    condition: 1 of selection_*
35falsepositives:
36    - Unlikely
37level: medium

References

Related rules

to-top