rules/windows/registry_event/sysmon_dns_over_https_enabled.yml

title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
date: 2021/07/22
modified: 2021/09/08
description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
author: Austin Songer
status: experimental
references:
    - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
    - https://github.com/elastic/detection-rules/issues/1371
    - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
    - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
tags:
    - attack.defense_evasion
    - attack.t1140
    - attack.t1112
logsource:
  product: windows
  category: registry_event
detection:
    selection_edge:
        TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
        Details: 'DWORD (1)'
    selection_chrome:
        TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
        Details: 'DWORD (secure)'
    selection_firefox:
        TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
        Details: 'DWORD (1)'
    condition: selection_edge or selection_chrome or selection_firefox
falsepositives:
- Unlikely
level: medium
Create sysmon_dns_over_https_enabled.yml 2021-08-31 09:14:14 -05:00			`title: DNS-over-HTTPS Enabled by Registry`
			`id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5`
			`date: 2021/07/22`
Update sysmon_dns_over_https_enabled.yml 2021-09-08 22:22:53 +07:00			`modified: 2021/09/08`
Create sysmon_dns_over_https_enabled.yml 2021-08-31 09:14:14 -05:00			`description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.`
			`author: Austin Songer`
			`status: experimental`
			`references:`
			`- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html`
			`- https://github.com/elastic/detection-rules/issues/1371`
			`- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode`
Update sysmon_dns_over_https_enabled.yml 2021-09-08 22:22:53 +07:00			`- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS`
Create sysmon_dns_over_https_enabled.yml 2021-08-31 09:14:14 -05:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1140`
			`- attack.t1112`
			`logsource:`
			`product: windows`
			`category: registry_event`
			`detection:`
Update sysmon_dns_over_https_enabled.yml 2021-09-09 08:04:54 +07:00			`selection_edge:`
			`TargetObject\|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'`
Create sysmon_dns_over_https_enabled.yml 2021-08-31 09:14:14 -05:00			`Details: 'DWORD (1)'`
Update sysmon_dns_over_https_enabled.yml 2021-09-09 08:04:54 +07:00			`selection_chrome:`
			`TargetObject\|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'`
Create sysmon_dns_over_https_enabled.yml 2021-08-31 09:14:14 -05:00			`Details: 'DWORD (secure)'`
Update sysmon_dns_over_https_enabled.yml 2021-09-09 08:04:54 +07:00			`selection_firefox:`
			`TargetObject\|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'`
Create sysmon_dns_over_https_enabled.yml 2021-08-31 09:14:14 -05:00			`Details: 'DWORD (1)'`
Update sysmon_dns_over_https_enabled.yml 2021-09-09 08:04:54 +07:00			`condition: selection_edge or selection_chrome or selection_firefox`
Create sysmon_dns_over_https_enabled.yml 2021-08-31 09:14:14 -05:00			`falsepositives:`
			`- Unlikely`
			`level: medium`