Determine if Windows is configured to log certificates with weak crypto (https://technet.microsoft.com/library/dn375961(v=ws.11).aspx): Artifact used by this malware
Query:
select * from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';
Additional Query Info:
Version: 2.2.1
Platform: windows
Interval: 3600
JSON:
{
  "queries": {
    "Protecting_Against_Weak_Crypto_Algo": {
      "query": "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\Default%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';",
      "interval": "3600",
      "platform": "windows",
      "version": "2.2.1",
      "description": "Determine if Windows is configured to log certificates with weak crypto (https://technet.microsoft.com/library/dn375961(v=ws.11).aspx)",
      "value": "Artifact used by this malware"
    }
  }
}