DNS-over-HTTPS Enabled via Registry | Elastic Security Solution [8.13]

› ›

« Disable Windows Event and Security Logs Using Built-in Tools Suspicious .NET Code Compilation »

DNS-over-HTTPS Enabled via Registryedit

Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*
endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
Windows
Threat Detection
Defense Evasion
Elastic Endgame

Version: 102

Rule authors:

Austin Songer

Rule license: Elastic License v2

Investigation guideedit

Rule queryedit

registry where event.type in ("creation", "change") and
  (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
  registry.data.strings : "1") or
  (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
  registry.data.strings : "secure") or
  (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
  registry.data.strings : "1")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/

« Disable Windows Event and Security Logs Using Built-in Tools Suspicious .NET Code Compilation »