DNS-over-HTTPS Enabled by Registry
Detects when a user enables DNS-over-HTTPS in a browser via the registry. This can be used to hide internet activity or to conceal the process of exfiltrating data. With this enabled, the organization loses visibility into data such as query type, response, and originating IP that are used to identify bad actors.
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (3 selectors)
detection:
  selection_edge:
    TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
    Details: DWORD (0x00000001)
  selection_chrome:
    TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
    Details: 'secure'
  selection_firefox:
    TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
    Details: DWORD (0x00000001)
  condition: 1 of selection_*
False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
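To show how the detection logic above actually evaluates, here is an added Python example (not part of the rule or the Sigma project) that applies the three selectors and the `1 of selection_*` condition to constructed registry-set events shaped like Sysmon Event ID 13; Sigma string matching is case-insensitive by default, which the matcher reproduces.

```python
"""Evaluate the DNS-over-HTTPS registry_set rule against constructed events."""

# Selectors copied from the rule above; both sides are lower-cased before
# comparing because Sigma string matching is case-insensitive by default.
SELECTIONS = {
    "selection_edge": {
        "TargetObject|endswith": r"\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled",
        "Details": "DWORD (0x00000001)",
    },
    "selection_chrome": {
        "TargetObject|endswith": r"\SOFTWARE\Google\Chrome\DnsOverHttpsMode",
        "Details": "secure",
    },
    "selection_firefox": {
        "TargetObject|endswith": r"\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled",
        "Details": "DWORD (0x00000001)",
    },
}


def _field_matches(event, key, expected):
    """Apply one Sigma field condition: plain equality or the |endswith modifier."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    expected = expected.lower()
    return value.endswith(expected) if modifier == "endswith" else value == expected


def matching_selections(event):
    """Names of all selectors whose fields all match (fields are ANDed within a selector)."""
    return [name for name, fields in SELECTIONS.items()
            if all(_field_matches(event, k, v) for k, v in fields.items())]


def rule_fires(event):
    """'condition: 1 of selection_*' -> true when at least one selector matches."""
    return len(matching_selections(event)) >= 1


# Constructed sample events (hypothetical, Sysmon Event ID 13 shape): only the
# first and third should fire; 'automatic' and a DWORD of 0 do not match.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled", "Details": "DWORD (0x00000001)"},
    {"TargetObject": r"HKLM\SOFTWARE\Google\Chrome\DnsOverHttpsMode", "Details": "automatic"},
    {"TargetObject": r"HKLM\SOFTWARE\Google\Chrome\DnsOverHttpsMode", "Details": "secure"},
    {"TargetObject": r"HKLM\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled", "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["TargetObject"], "->", matching_selections(ev) or "no match")
```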
MITRE ATT&CK
Rule Metadata
Rule ID
04b45a8a-d11d-49e4-9acc-4a1b524407a5
Status
test
Level
medium
Type
Detection
Created
Thu Jul 22
Modified
Thu Aug 17
Author
Path
rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.t1140, attack.t1112