Detecting C2 over DNS over HTTPS

We are conducting a purple team exercise, and I really expected ExtraHop to flag on C2 and data exfiltration over DoH. Does anyone have a good alert for this?

Thanks

@jason.carrier.ctr - welcome to the forums!

I’m on the Product team here at ExtraHop, and can provide a quick update on DoH visibility/detection.

This is an area of active research / investigation for us. Near term, our focus is on better classification of DoH traffic based on identification of known DoH providers, and detection of unexpected DoH usage by a device.

I also want to mention that a best practice among several of our customers has been to disable DoH. I’m curious if you’re considering that.

Thanks!
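The two near-term detections described in the reply above (classifying DoH by known provider, then alerting when a device that is not expected to use DoH does) can be expressed as a small rule over TLS connection records. The following is an added example written for this thread; it is not ExtraHop code and does not reflect how the product classifies traffic. The record format, the provider hostname and resolver IP lists, the device allow-list and the sample connection lines are all constructed assumptions.

```python
"""Flag DoH usage by devices that are not expected to use it.

Input is a set of TLS connection records (one CSV line each). A connection is
classified as DoH from its TLS SNI, with a weaker fallback on resolver IP when
the client sent no SNI. Added example; formats and lists are assumptions.
"""
from collections import defaultdict
import csv
import io

# Hostnames of well-known public DoH resolvers as they appear in TLS SNI.
# Assumed sample list; a real one comes from vendor classification or threat
# intel and has to be kept current.
KNOWN_DOH_SNI = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Resolver IPs used only as a fallback when no SNI is present (assumed sample
# values). An IP alone is a weaker signal, so it is matched only on TCP/443.
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
                 "9.9.9.9", "149.112.112.112"}

# Devices whose baseline legitimately includes DoH (assumed allow-list).
EXPECTED_DOH_DEVICES = {"10.0.1.50"}

# Constructed sample records: src_ip,dst_ip,dst_port,sni,bytes_out,bytes_in
SAMPLE_CONNECTIONS = """\
10.0.1.50,8.8.8.8,443,dns.google,1200,3400
10.0.1.50,8.8.8.8,443,dns.google,900,2100
10.0.2.77,1.1.1.1,443,cloudflare-dns.com,48000,2200
10.0.2.77,1.1.1.1,443,cloudflare-dns.com,51000,2400
10.0.2.77,104.16.248.249,443,cloudflare-dns.com,47000,2100
10.0.3.12,93.184.216.34,443,example.com,800,15000
10.0.3.12,9.9.9.9,443,dns.quad9.net,600,1500
10.0.4.9,9.9.9.9,443,,700,1800
"""

FIELDS = ["src_ip", "dst_ip", "dst_port", "sni", "bytes_out", "bytes_in"]


def parse_connections(text):
    """Parse CSV connection records into dicts with numeric port and byte counts."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["dst_port"] = int(rec["dst_port"])
        rec["bytes_out"] = int(rec["bytes_out"])
        rec["bytes_in"] = int(rec["bytes_in"])
        rows.append(rec)
    return rows


def doh_provider(conn):
    """Return a provider label if the connection is DoH to a known resolver, else None."""
    if conn["dst_port"] != 443:
        return None
    if conn["sni"] in KNOWN_DOH_SNI:
        return conn["sni"]
    if not conn["sni"] and conn["dst_ip"] in KNOWN_DOH_IPS:
        return "ip:" + conn["dst_ip"]
    return None


def summarize_doh(conns):
    """Aggregate DoH flows per device: device -> provider -> {flows, bytes_out}."""
    summary = defaultdict(lambda: defaultdict(lambda: {"flows": 0, "bytes_out": 0}))
    for conn in conns:
        provider = doh_provider(conn)
        if provider is None:
            continue
        entry = summary[conn["src_ip"]][provider]
        entry["flows"] += 1
        entry["bytes_out"] += conn["bytes_out"]
    return {dev: dict(providers) for dev, providers in summary.items()}


def unexpected_doh_alerts(conns, expected=EXPECTED_DOH_DEVICES):
    """One alert per device that used DoH but is not on the expected-device list."""
    alerts = []
    for device, providers in sorted(summarize_doh(conns).items()):
        if device in expected:
            continue
        alerts.append({
            "device": device,
            "providers": sorted(providers),
            "flows": sum(p["flows"] for p in providers.values()),
            "bytes_out": sum(p["bytes_out"] for p in providers.values()),
        })
    return alerts


if __name__ == "__main__":
    for alert in unexpected_doh_alerts(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"unexpected DoH from {alert['device']}: providers={alert['providers']} "
              f"flows={alert['flows']} bytes_out={alert['bytes_out']}")
```

The summary carries outbound byte totals per provider so an analyst can see at a glance which unexpected DoH user is also pushing a lot of data, which is the case the original question cares about. The obvious limit is that provider-list classification only sees DoH to resolvers you already know about; a DoH endpoint on an arbitrary host looks like any other HTTPS connection to this rule, which is part of why the reply above mentions disabling DoH as a practice some customers adopt.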