mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 01:45:21 +00:00
Merge pull request #1960 from austinsonger/sysmon_dns_over_https_enabled.yml
sysmon_dns_over_https_enabled.yml
This commit is contained in:
commit
9671d6c0db
@ -0,0 +1,31 @@
|
||||
title: DNS-over-HTTPS Enabled by Registry
|
||||
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
|
||||
date: 2021/07/22
|
||||
description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
|
||||
author: Austin Songer
|
||||
status: experimental
|
||||
references:
|
||||
- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
|
||||
- https://github.com/elastic/detection-rules/issues/1371
|
||||
- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1140
|
||||
- attack.t1112
|
||||
logsource:
|
||||
product: windows
|
||||
category: registry_event
|
||||
detection:
|
||||
selection1:
|
||||
TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
|
||||
Details: 'DWORD (1)'
|
||||
selection2:
|
||||
TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
|
||||
Details: 'DWORD (secure)'
|
||||
selection3:
|
||||
TargetObject: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'
|
||||
Details: 'DWORD (1)'
|
||||
condition: selection1 or selection2 or selection3
|
||||
falsepositives:
|
||||
- Unlikely
|
||||
level: medium
|
Loading…
Reference in New Issue
Block a user