Query Details

Identify Suspicious Certificates In Endpoints With Zero Keysize And No Signature Algorithm

Query

# Identify suspicious certificates in endpoints with zero keysize and no signature algorithm

## Description

The following query uses the DeviceTvmCertificateInfo table, which requires the Microsoft Defender Vulnerability Management (MDVM) add-on license. It returns endpoints holding certificates with a key size of zero and no signature algorithm. Such a certificate lacks the fundamental properties needed for secure communication and should be investigated.

### Microsoft Defender XDR
```kql
// Devices and their display names
let DeviceInformation = DeviceInfo
    | project DeviceId, DeviceName;
DeviceInformation
| join ( DeviceTvmCertificateInfo
    // Certificates with no key and no signature algorithm
    | where KeySize == "0"
    | where SignatureAlgorithm == ""
    // IssuedTo (subject) and IssuedBy (issuer) are JSON strings
    | extend TOCN = parse_json(IssuedTo).CommonName
    | extend TOORG = parse_json(IssuedTo).Organization
    | extend TOCountry = parse_json(IssuedTo).CountryName
    | extend BYCN = parse_json(IssuedBy).CommonName
    | extend BYORG = parse_json(IssuedBy).Organization
    | extend BYCountry = parse_json(IssuedBy).CountryName
    | project DeviceId, Thumbprint, TOCN, TOORG, TOCountry,
        BYCN, BYORG, BYCountry
) on DeviceId
| project DeviceId, DeviceName, Thumbprint, TOCN,
    TOORG, TOCountry, BYCN, BYORG, BYCountry
```
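As an added example (not part of the original query or its author's work), the same detection reshaped for triage: DeviceInfo is reduced to one row per device before the join, so a device with several snapshot rows does not multiply the results, and findings are grouped per endpoint with a count of self-issued certificates. The Path and ExpirationDate columns of DeviceTvmCertificateInfo and the Timestamp column of DeviceInfo are assumed from the table schemas.

```kql
// Added example: per-device triage view of zero-keysize, unsigned certificates.
// Assumes DeviceTvmCertificateInfo exposes Path and ExpirationDate and
// DeviceInfo exposes Timestamp.
let Suspicious = DeviceTvmCertificateInfo
    | where KeySize == "0" and SignatureAlgorithm == ""
    | extend To = parse_json(IssuedTo), By = parse_json(IssuedBy)
    | project DeviceId, Thumbprint, Path, ExpirationDate,
        TOCN = tostring(To.CommonName), BYCN = tostring(By.CommonName);
// Latest name per device, so the join yields one row per certificate
let Devices = DeviceInfo
    | summarize arg_max(Timestamp, DeviceName) by DeviceId
    | project DeviceId, DeviceName;
Suspicious
| join kind=inner Devices on DeviceId
| summarize CertCount = count(),
    SelfIssued = countif(TOCN == BYCN),   // subject and issuer match
    Thumbprints = make_set(Thumbprint, 20),
    Paths = make_set(Path, 20),
    EarliestExpiry = min(ExpirationDate)
    by DeviceId, DeviceName
| order by CertCount desc
```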

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 14/9/2024     | Initial publish                        |

Explanation

This query is designed to identify suspicious certificates on endpoints that have a key size of zero and no signature algorithm, which are indicators of insecure certificates. Here's a simplified breakdown of what the query does:

  1. Device Information: It starts by creating a list of devices with their IDs and names from the DeviceInfo table.
  2. Certificate Information: It then looks at the DeviceTvmCertificateInfo table to find certificates that have a key size of zero and no signature algorithm.
  3. Extract Certificate Details: For these suspicious certificates, it extracts details such as the common name, organization, and country of both the entity the certificate was issued to and the entity that issued the certificate.
  4. Join Data: It joins the device information with the certificate information based on the device ID.
  5. Result: The final output includes the device ID, device name, certificate thumbprint, and the extracted certificate details.

This query helps in identifying and investigating certificates that lack essential security properties on various endpoints.

Details


Michalis Michalos

Released: September 13, 2024

Tables

DeviceInfo, DeviceTvmCertificateInfo

Keywords

Devices

Operators

let, project, join, where, extend, parse_json, on
