Certificate Audit - Windows


Property Details

ID: 2994825
Status: Alpha - Code that was just developed
Title: Certificate Audit - Windows
Domain: BESC
Added by on 11/25/2015 9:15:01 PM
Last Modified by on 11/25/2015 9:15:01 PM
Counters: 6126 Views / 92 Downloads

Properties

Root CAs in Windows
Period 12 hours
 
  * Results in a "string"/number
( concatenations " ; " of (preceding text of first "%82%01" of it | it) whose(it != "" AND it does not contain "%00%00%00%01%00%00%00") of (preceding text of first "%82%0f" of it | it) of (preceding text of first "0%82" of it | it) of (preceding text of first "0%81" of it | it) of (preceding text of first "0%1e%17" of it | it) of (preceding text of last "1" of it | it) of (following text of (start of first (first matches (regex "[\u1300-\u13ff]") of it) of it) | it) whose(exists (first matches (regex "[\u1300-\u13ff]") of it)) of (preceding text of first "%06%03" of it | it) of substrings separated by "U%04" of it) of it whose(it contains "U%04") of (hexadecimal string it) of ( unique values of (it as string) of values "blob" of keys of keys "Certificates" of keys whose(name of it as uppercase contains "CA" OR name of it as uppercase contains "ROOT") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates" of (x64 registries; x32 registries) )
eDellRoot?
Period 6 hours
 
  * Results in a true/false
exists (hexadecimal string it) whose(it contains "eDellRoot") of ( unique values of (it as string) of values "blob" of keys of keys "Certificates" of keys whose(name of it as uppercase contains "CA" OR name of it as uppercase contains "ROOT") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates" of (x64 registries; x32 registries) )
DSDTestProvider?
Period 6 hours
 
  * Results in a true/false
exists (hexadecimal string it) whose(it contains "DSDTestProvider") of ( unique values of (it as string) of values "blob" of keys of keys "Certificates" of keys whose(name of it as uppercase contains "CA" OR name of it as uppercase contains "ROOT") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates" of (x64 registries; x32 registries) )

Relevance

isWindows (Relevance 1172)
Used in 1152 fixlets and 540 analyses
  * Results in a true/false
windows of operating system
Used in 1 analysis
  * Results in a true/false
exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates" of (x64 registries; x32 registries)
