DNS-over-HTTPS Enabled by Registry

Severity: medium
Author: Austin Songer
Source: upstream

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1112` Modify Registry
Defense Evasion	`T1112` Modify Registry, `T1140` Deobfuscate/Decode Files or Information

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `1 of selection_edge`

Details: 'DWORD (0x00000001)'
TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'

Stage 2: `1 of selection_chrome`

Details: secure
TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'

Stage 3: `1 of selection_firefox`

Details: 'DWORD (0x00000001)'
TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	eq	`DWORD (0x00000001)` corpus 37 (sigma 37) `secure`
`TargetObject`	ends_with	`\SOFTWARE\Google\Chrome\DnsOverHttpsMode` `\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled` `\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled`