2021-08-31 09:14:14 -05:00
title : DNS-over-HTTPS Enabled by Registry
id : 04b45a8a-d11d-49e4-9acc-4a1b524407a5
2022-01-13 16:28:29 +01:00
status : experimental
2021-08-31 09:14:14 -05:00
description : Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
author : Austin Songer
references :
- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
- https://github.com/elastic/detection-rules/issues/1371
- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
2021-09-08 22:22:53 +07:00
- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
2022-01-13 16:28:29 +01:00
date : 2021 /07/22
modified : 2022 /01/13
2021-08-31 09:14:14 -05:00
logsource :
product : windows
category : registry_event
detection :
2021-09-09 08:04:54 +07:00
selection_edge :
2022-01-13 16:28:29 +01:00
EventType : SetValue
2021-09-09 08:04:54 +07:00
TargetObject|endswith : '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
2021-08-31 09:14:14 -05:00
Details : 'DWORD (1)'
2021-09-09 08:04:54 +07:00
selection_chrome :
2022-01-13 16:28:29 +01:00
EventType : SetValue
2021-09-09 08:04:54 +07:00
TargetObject|endswith : '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
2021-08-31 09:14:14 -05:00
Details : 'DWORD (secure)'
2021-09-09 08:04:54 +07:00
selection_firefox :
2022-01-13 16:28:29 +01:00
EventType : SetValue
2021-09-09 08:04:54 +07:00
TargetObject|endswith : '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
2021-08-31 09:14:14 -05:00
Details : 'DWORD (1)'
2022-01-13 16:28:29 +01:00
condition : 1 of selection_*
2021-08-31 09:14:14 -05:00
falsepositives :
- Unlikely
level : medium
2022-01-13 16:28:29 +01:00
tags :
- attack.defense_evasion
- attack.t1140
- attack.t1112
