DNS-over-HTTPS Enabled by Registry
Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
Sigma rule (View on GitHub)
1title: DNS-over-HTTPS Enabled by Registry
2id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
3status: test
4description: |
5 Detects when a user enables DNS-over-HTTPS.
6 This can be used to hide internet activity or be used to hide the process of exfiltrating data.
7 With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
8references:
9 - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
10 - https://github.com/elastic/detection-rules/issues/1371
11 - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
12 - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
13author: Austin Songer
14date: 2021-07-22
15modified: 2023-08-17
16tags:
17 - attack.persistence
18 - attack.stealth
19 - attack.defense-impairment
20 - attack.t1140
21 - attack.t1112
22logsource:
23 product: windows
24 category: registry_set
25detection:
26 selection_edge:
27 TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
28 Details: DWORD (0x00000001)
29 selection_chrome:
30 TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
31 Details: 'secure'
32 selection_firefox:
33 TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
34 Details: DWORD (0x00000001)
35 condition: 1 of selection_*
36falsepositives:
37 - Unlikely
38level: medium
References
Related rules
- CrashControl CrashDump Disabled
- DHCP Callout DLL Installation
- New DNS ServerLevelPluginDll Installed
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- PowerShell Logging Disabled Via Registry Key Tampering