@slayerlab
Last active May 5, 2018 00:35
Detect undocumented system certificate: PinRules{EncodedCtl,LastSyncTime} - Windows 10 x86/x64 https://goo.gl/IoOH9V
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5
    oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows
    windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5
    oval-common-schema.xsd"
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator>
    <oval:product_name>BLOCKBIT INTELLIGENCE LAB</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2018-05-04T12:45:11</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:com.blockbit:def:6660" version="1" class="miscellaneous">
      <metadata>
        <title>Microsoft Windows 10: Undocumented Certificate Pinning Feature</title>
        <affected family="windows">
          <platform>Microsoft Windows 10</platform>
        </affected>
        <reference source="CPE" ref_url="https://cpe.mitre.org" ref_id="cpe:/o:microsoft:windows_10" />
        <description>The operating system installed on the system is Microsoft Windows 10 x64</description>
      </metadata>
      <criteria comment="Check if the System Certificates PinRulesEncodedCtl and PinRulesLastSyncTime Exists">
        <criterion test_ref="oval:com.blockbit:tst:666000" comment="Microsoft System Certificate PinRulesEncodedCtl is installed" />
        <criterion test_ref="oval:com.blockbit:tst:666010" comment="Microsoft System Certificate PinRulesLastSyncTime is installed"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <registry_test id="oval:com.blockbit:tst:666000" check_existence="at_least_one_exists" check="all" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:com.blockbit:obj:666000" />
      <state state_ref="oval:com.blockbit:ste:666000" />
    </registry_test>
    <registry_test id="oval:com.blockbit:tst:666010" check_existence="at_least_one_exists" check="all" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:com.blockbit:obj:666010" />
      <state state_ref="oval:com.blockbit:ste:666010" />
    </registry_test>
  </tests>
  <objects>
    <registry_object id="oval:com.blockbit:obj:666000" version="1" comment="Ensures the presence of the PinRulesEncodedCtl at following hive path" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate</key>
      <name>PinRulesEncodedCtl</name>
    </registry_object>
    <registry_object id="oval:com.blockbit:obj:666010" version="1" comment="Ensures the presence of the PinRulesLastSyncTime at following hive path" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate</key>
      <name>PinRulesLastSyncTime</name>
    </registry_object>
  </objects>
  <states>
    <registry_state id="oval:com.blockbit:ste:666000" version="1" comment="Compares the values with the PinRulesEncodedCtl encountered on operating system" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value datatype="string" operation="pattern match">3082.*</value>
    </registry_state>
    <registry_state id="oval:com.blockbit:ste:666010" version="1" comment="Compares the values with the PinRulesLastSyncTime encountered on operating system" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value datatype="binary" operation="equals">B6E26D62EFE3D301</value>
    </registry_state>
  </states>
</oval_definitions>
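The two registry_state values above are opaque as written: `3082.*` is the hex prefix of a DER SEQUENCE with a two-byte length, and `B6E26D62EFE3D301` is a little-endian FILETIME, which the `equals` operation matches only on a host that synced at that exact instant. The following added script (mine, not part of the gist or of OVAL/ovaldi) decodes both values the way a defender would when triaging a hit; the key path and the FILETIME come from the definition, `SAMPLE_CTL_HEX` is a constructed stand-in for a real CTL blob, and the function names and the `winreg` reader are my additions.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# Key path copied from the registry_object definitions above.
HIVE_PATH = r"SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate"
# FILETIME quoted in the PinRulesLastSyncTime registry_state above.
SAMPLE_LAST_SYNC_HEX = "B6E26D62EFE3D301"
# Constructed sample, not a real CTL: DER SEQUENCE (0x30), long-form length
# 0x82 0x0100 (256 bytes), body = one 253-byte OCTET STRING (04 81 FD ...).
SAMPLE_CTL_HEX = "30820100" + "0481FD" + "AB" * 253

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_filetime(hex_value: str) -> datetime:
    """Little-endian FILETIME (100 ns ticks since 1601-01-01) -> UTC datetime."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return _EPOCH_1601 + timedelta(microseconds=ticks // 10)


def der_sequence_check(hex_value: str) -> dict:
    """Make the OVAL pattern '3082.*' explicit: 0x30 is the DER SEQUENCE tag and
    0x82 means a two-byte length follows (so 256..65535 bytes); additionally
    verify that the declared length matches the bytes actually present."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4 or raw[0] != 0x30 or raw[1] != 0x82:
        return {"is_sequence": False, "declared_len": None, "length_consistent": False}
    declared = int.from_bytes(raw[2:4], "big")
    return {"is_sequence": True, "declared_len": declared,
            "length_consistent": len(raw) - 4 == declared}


def read_live_values() -> dict:
    """On Windows, read both values from the key the OVAL objects point to;
    returns {} elsewhere so the decoders above can still be used on exports."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HIVE_PATH) as key:
        for name in ("PinRulesEncodedCtl", "PinRulesLastSyncTime"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0].hex().upper()
            except FileNotFoundError:
                out[name] = None
    return out
```

`decode_filetime(SAMPLE_LAST_SYNC_HEX)` yields 2018-05-04 21:32:21 UTC, i.e. the sync time of the machine the definition was written on, so an `equals` state on it will be false on any other host; pattern-matching the CTL prefix (or decoding the sync time and checking it is recent) is the portable form of the check.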
slayerlab commented Oct 31, 2016

ID      System Certificate
666000  PinRulesEncodedCtl
666010  PinRulesLastSyncTime
C:\Users\slayer\Desktop\ovaldi-5.10.1.7>ovaldi.exe -m -o xml\definitions\definition5-10_blockbit.xml

----------------------------------------------------
OVAL Definition Interpreter
Version: 5.10.1 Build: 7
Build date: Apr 10 2014 06:35:51
Copyright (c) 2002-2014 - The MITRE Corporation
----------------------------------------------------

Start Time: Fri May 04 21:06:47 2018

 ** parsing xml\definitions\definition5-10_blockbit.xml file.
    - validating xml schema.
 ** checking schema version
     - Schema version - 5.10
 ** skipping Schematron validation
 ** creating a new OVAL System Characteristics file.
 ** gathering data for the OVAL definitions.
      Collecting object:  FINISHED
 ** saving data model to system-characteristics.xml.
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED
 ** applying directives to OVAL results.
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:com.blockbit:def:6660              true
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** running OVAL Results xsl: xml\results_to_html.xsl.

----------------------------------------------------

C:\Users\slayer\Desktop\ovaldi-5.10.1.7>

Note: redist 2010 x86 is required to execute the "ovaldi.exe".
