← Back to SOC feed Coverage →

DNS-over-HTTPS Enabled by Registry

sigma MEDIUM SigmaHQ
T1140T1112
imRegistry
backdoor
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-26T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into dat

Detection Rule

Sigma (Original)

title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
status: test
description: |
    Detects when a user enables DNS-over-HTTPS.
    This can be used to hide internet activity or be used to hide the process of exfiltrating data.
    With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
references:
    - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
    - https://github.com/elastic/detection-rules/issues/1371
    - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
    - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
author: Austin Songer
date: 2021-07-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
    - attack.defense-impairment
    - attack.t1140
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_edge:
        TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
        Details: DWORD (0x00000001)
    selection_chrome:
        TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
        Details: 'secure'
    selection_firefox:
        TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
        Details: DWORD (0x00000001)
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: medium

KQL (Azure Sentinel)

imRegistry
| where (RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and RegistryValueData =~ "DWORD (0x00000001)") or (RegistryKey endswith "\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and RegistryValueData =~ "secure") or (RegistryKey endswith "\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled" and RegistryValueData =~ "DWORD (0x00000001)")

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where (RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and RegistryValueData =~ "DWORD (0x00000001)") or (RegistryKey endswith "\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and RegistryValueData =~ "secure") or (RegistryKey endswith "\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled" and RegistryValueData =~ "DWORD (0x00000001)")

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml