[metadata]
creation_date = "2021/07/22"
maturity = "production"
updated_date = "2021/10/15"

[rule]
author = ["Austin Songer"]
description = """Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or
the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type,
response, and originating IP, which are used to determine bad actors."""

from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "DNS-over-HTTPS Enabled via Registry"
references = [
    "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
    "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
]
risk_score = 21
rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where event.type in ("creation", "change") and
  (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
  registry.data.strings : "1") or
  (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
  registry.data.strings : "secure") or
  (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
  registry.data.strings : "1")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"