Protecting_Against_Weak_Crypto_Algo

Name: Protecting_Against_Weak_Crypto_Algo
Determine if Windows is configured to log certificates with weak crypto (https://technet.microsoft.com/library/dn375961(v=ws.11).aspx): Artifact used by this malware

Query:
select * from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';
Additional Query Info:
Version: 2.2.1
Platform: windows
Interval: 3600

JSON:
{
  "queries": {
    "Protecting_Against_Weak_Crypto_Algo": {
      "query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\Default%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';",
      "interval" : "3600",
      "platform" : "windows",
      "version": "2.2.1",
      "description" : "Determine if Windows is configured to log certificates with weak crypto (https://technet.microsoft.com/library/dn375961(v=ws.11).aspx)",
      "value" : "Artifact used by this malware"
    }
  }
}
