DNS-over-HTTPS Enabled via Registry Modification
Detection of DNS-over-HTTPS (DoH) being enabled via registry modifications on Windows systems, potentially indicating defense evasion by masking network activity and hindering traditional DNS monitoring.
Attackers may enable DNS-over-HTTPS (DoH) to encrypt DNS queries, bypassing traditional DNS monitoring and hindering an organization's visibility into network traffic. This can be used to hide internet activity, facilitate data exfiltration, or mask command-and-control communications. This activity can be identified by monitoring registry modifications associated with enabling DoH in popular web browsers such as Microsoft Edge, Google Chrome, and Mozilla Firefox. The detection focuses on changes to specific registry keys related to the configuration of DoH functionality. While DoH can improve privacy, its malicious use poses a defense evasion risk. The rule specifically detects registry changes associated with enabling DoH in Edge, Chrome, and Firefox, indicating potential misuse for defense evasion.
Attack Chain
- Attacker gains initial access to the target system (e.g., via phishing or exploiting a vulnerability).
- Attacker executes code (e.g., PowerShell script or executable) on the target system.
- The code modifies the Windows Registry to enable DNS-over-HTTPS (DoH) in a web browser.
- Specific registry keys are targeted, such as
HKLM\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled,HKLM\SOFTWARE\Google\Chrome\DnsOverHttpsMode, orHKLM\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS. - The registry values are set to enable DoH (e.g., setting
BuiltInDnsClientEnabledto 1 in Edge). - The web browser starts using DoH, encrypting DNS queries and sending them over HTTPS.
- This hides the DNS queries from traditional network monitoring tools.
- The attacker uses the DoH-enabled browser to conduct malicious activities, such as data exfiltration or command-and-control communication, without being easily detected.
Impact
Successful exploitation allows attackers to bypass traditional DNS monitoring, masking malicious network activity. This can lead to undetected data exfiltration, command and control, or other malicious behavior. The impact is reduced visibility for security teams and increased dwell time for attackers. The severity is low as DoH can be a legitimate configuration, so further investigation is needed.
Recommendation
- Deploy the Sigma rules provided to detect registry modifications associated with enabling DNS-over-HTTPS (DoH) and tune for your environment.
- Investigate any detected instances of DoH being enabled via registry modifications, correlating with other security events to assess legitimacy.
- Monitor the relevant registry paths (
*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled,*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode,*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS) for unexpected changes. - Review and update security policies to ensure that DNS-over-HTTPS is only enabled through approved channels and for legitimate purposes.
Detection coverage 3
DNS-over-HTTPS Enabled in Microsoft Edge via Registry
lowDetects when DNS-over-HTTPS is enabled in Microsoft Edge via registry modification.
DNS-over-HTTPS Enabled in Google Chrome via Registry
lowDetects when DNS-over-HTTPS is enabled in Google Chrome via registry modification.
DNS-over-HTTPS Enabled in Mozilla Firefox via Registry
lowDetects when DNS-over-HTTPS is enabled in Mozilla Firefox via registry modification.
Detection queries are available on the platform. Get full rules →