Added Sigma Rules

rules/Sigma/sysmon_dns_over_https_enabled.yml

@@ -0,0 +1,49 @@
+title: DNS-over-HTTPS Enabled by Registry
+author: Austin Songer
+date: 2021/07/22
+description: Detects when a user enables DNS-over-HTTPS. This can be used to hide
+    internet activity or be used to hide the process of exfiltrating data. With this
+    enabled organization will lose visibility into data such as query type, response
+    and originating IP that are used to determine bad actors.
+detection:
+    SELECTION_1:
+        EventID: 12
+    SELECTION_2:
+        EventID: 13
+    SELECTION_3:
+        EventID: 14
+    SELECTION_4:
+        TargetObject: '*\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
+    SELECTION_5:
+        Details: DWORD (1)
+    SELECTION_6:
+        TargetObject: '*\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
+    SELECTION_7:
+        Details: DWORD (secure)
+    SELECTION_8:
+        TargetObject: '*\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
+    SELECTION_9:
+        Details: DWORD (1)
+    condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (((SELECTION_4 and
+        SELECTION_5) or (SELECTION_6 and SELECTION_7)) or (SELECTION_8 and SELECTION_9)))
+falsepositives:
+- Unlikely
+id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
+level: medium
+logsource:
+    category: registry_event
+    product: windows
+modified: 2021/09/08
+references:
+- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
+- https://github.com/elastic/detection-rules/issues/1371
+- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
+- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1140
+- attack.t1112
+yml_filename: sysmon_dns_over_https_enabled.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+