EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

DNS-over-HTTPS Enabled by Registry

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

MITRE ATT&CK

T1140T1112
persistencedefense-evasion

Detection Query

selection_edge:
  TargetObject|endswith: \SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled
  Details: DWORD (0x00000001)
selection_chrome:
  TargetObject|endswith: \SOFTWARE\Google\Chrome\DnsOverHttpsMode
  Details: secure
selection_firefox:
  TargetObject|endswith: \SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled
  Details: DWORD (0x00000001)
condition: 1 of selection_*

Author

Austin Songer

Created

2021-07-22

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.persistenceattack.defense-evasionattack.t1140attack.t1112
Raw Content
title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
status: test
description: |
    Detects when a user enables DNS-over-HTTPS.
    This can be used to hide internet activity or be used to hide the process of exfiltrating data.
    With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
references:
    - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
    - https://github.com/elastic/detection-rules/issues/1371
    - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
    - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
author: Austin Songer
date: 2021-07-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1140
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_edge:
        TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
        Details: DWORD (0x00000001)
    selection_chrome:
        TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
        Details: 'secure'
    selection_firefox:
        TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
        Details: DWORD (0x00000001)
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: medium