Old TLS1.0/TLS1.1 Protocol Version Enabled

Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.

Sigma rule (View on GitHub)

 1title: Old TLS1.0/TLS1.1 Protocol Version Enabled
 2id: 439957a7-ad86-4a8f-9705-a28131c6821b
 3status: test
 4description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
 5references:
 6    - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-09-05
 9tags:
10    - attack.defense-evasion
11logsource:
12    category: registry_set
13    product: windows
14detection:
15    selection:
16        TargetObject|contains:
17            - '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\'
18            - '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\'
19        TargetObject|endswith: '\Enabled'
20        Details: 'DWORD (0x00000001)'
21    condition: selection
22falsepositives:
23    - Legitimate enabling of the old tls versions due to incompatibility
24level: medium

References

Related rules

to-top