Old TLS1.0/TLS1.1 Protocol Version Enabled

Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.

Sigma rule

title: Old TLS1.0/TLS1.1 Protocol Version Enabled
id: 439957a7-ad86-4a8f-9705-a28131c6821b
status: experimental
description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
references:
    - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/05
tags:
    - attack.defense_evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\'
            - '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\'
        TargetObject|endswith: '\Enabled'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Legitimate enabling of the old tls versions due to incompatibility
level: medium
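
The rule's selection logic applied to a few constructed Sysmon-style registry_set events, as an added example that is not part of the Sigma project's code. The field names follow Sysmon Event ID 13; `matches_rule`, `triage` and the sample events are assumptions made for illustration.

```python
# Added example: evaluates the rule's `selection` against constructed
# registry_set events (Sysmon Event ID 13 field names are assumed).

# Values copied from the rule's detection section.
PROTOCOL_PATHS = (
    "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\",
    "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\",
)
VALUE_SUFFIX = "\\Enabled"
DETAILS = "DWORD (0x00000001)"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies every field of `selection`.

    Sigma string comparisons are case-insensitive by default, so both
    sides are lowercased. A missing field never matches.
    """
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    # |contains with a list is an OR over its items.
    old_protocol = any(p.lower() in target for p in PROTOCOL_PATHS)
    enabled_value = target.endswith(VALUE_SUFFIX.lower())
    return old_protocol and enabled_value and details == DETAILS.lower()


def triage(events):
    """Return (Image, TargetObject) for each event the rule would flag."""
    return [(e.get("Image"), e["TargetObject"]) for e in events if matches_rule(e)]


BASE = "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\"
ON, OFF = "DWORD (0x00000001)", "DWORD (0x00000000)"

# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": BASE + "TLS 1.0\\Server\\Enabled", "Details": ON},
    {"Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": (BASE + "TLS 1.1\\Client\\Enabled").lower(), "Details": ON},
    {"Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": BASE + "TLS 1.0\\Server\\Enabled", "Details": OFF},
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": BASE + "TLS 1.2\\Server\\Enabled", "Details": ON},
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": BASE + "TLS 1.0\\Server\\DisabledByDefault", "Details": OFF},
]

if __name__ == "__main__":
    for image, target in triage(SAMPLE_EVENTS):
        print(f"ALERT image={image} target={target}")
```

Only the first two events alert. Comparing the `Image` of each hit against the installers or management tooling known to re-enable these protocols is one way to handle the false positive the rule lists.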
