DNS-over-HTTPS Enabled by Registry

calendar Aug 17, 2023 · attack.defense_evasion attack.t1140 attack.t1112  ·
Share on: linkedin copy

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

Sigma rule (View on GitHub)

 1title: DNS-over-HTTPS Enabled by Registry
 2id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
 3status: test
 4description: |
 5    Detects when a user enables DNS-over-HTTPS.
 6    This can be used to hide internet activity or be used to hide the process of exfiltrating data.
 7    With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.    
 8references:
 9    - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
10    - https://github.com/elastic/detection-rules/issues/1371
11    - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
12    - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
13author: Austin Songer
14date: 2021/07/22
15modified: 2023/08/17
16tags:
17    - attack.defense_evasion
18    - attack.t1140
19    - attack.t1112
20logsource:
21    product: windows
22    category: registry_set
23detection:
24    selection_edge:
25        TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
26        Details: DWORD (0x00000001)
27    selection_chrome:
28        TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
29        Details: 'secure'
30    selection_firefox:
31        TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
32        Details: DWORD (0x00000001)
33    condition: 1 of selection_*
34falsepositives:
35    - Unlikely
36level: medium

References

Related rules

to-top