sigma-rules/rules/windows/defense_evasion_dns_over_https_enabled.toml

[metadata]
creation_date = "2021/07/22"
maturity = "production"
updated_date = "2021/10/15"

[rule]
author = ["Austin Songer"]
description = """Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide
the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response
and originating IP that are used to determine bad actors."""

from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "DNS-over-HTTPS Enabled via Registry"
references = [
    "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
    "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
]
risk_score = 21
rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where event.type in ("creation", "change") and
  (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
  registry.data.strings : "1") or
  (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
  registry.data.strings : "secure") or
  (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
  registry.data.strings : "1")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"