title: DNS-over-HTTPS Enabled by Registry
author: Austin Songer
date: 2021/07/22
description: Detects when a user enables DNS-over-HTTPS. This can be used to hide
    internet activity or be used to hide the process of exfiltrating data. With this
    enabled organization will lose visibility into data such as query type, response
    and originating IP that are used to determine bad actors.
detection:
    SELECTION_1:
        EventID: 12
    SELECTION_2:
        EventID: 13
    SELECTION_3:
        EventID: 14
    SELECTION_4:
        TargetObject: '*\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
    SELECTION_5:
        Details: DWORD (1)
    SELECTION_6:
        TargetObject: '*\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
    SELECTION_7:
        Details: DWORD (secure)
    SELECTION_8:
        TargetObject: '*\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
    SELECTION_9:
        Details: DWORD (1)
    condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (((SELECTION_4 and
        SELECTION_5) or (SELECTION_6 and SELECTION_7)) or (SELECTION_8 and SELECTION_9)))
falsepositives:
- Unlikely
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
level: medium
logsource:
    category: registry_event
    product: windows
modified: 2021/09/08
references:
- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
- https://github.com/elastic/detection-rules/issues/1371
- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
status: experimental
tags:
- attack.defense_evasion
- attack.t1140
- attack.t1112
yml_filename: sysmon_dns_over_https_enabled.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event