LoFP / legitimate enabling of the old tls versions due to incompatibility

Techniques

Sample rules

Old TLS1.0/TLS1.1 Protocol Version Enabled

Description

Detects applications or users re-enabling old TLS versions by setting the “Enabled” value to “1” for the “Protocols” registry key.

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000001)
  TargetObject|contains:
  - \Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\
  - \Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\
  TargetObject|endswith: \Enabled
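
The selection above, applied to a handful of constructed registry value-set events, as an added example that is not part of the original rule or of LoFP. The `Image` field, the helper names `matches` and `triage`, and every sample event are assumptions made for illustration.

```python
# Added example: the rule's selection evaluated over constructed events.
# Field names TargetObject/Details come from the rule; Image is assumed
# to be present, as in Sysmon registry value-set (Event ID 13) records.

DETAILS = "DWORD (0x00000001)"
CONTAINS_ANY = (
    "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\",
    "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\",
)
ENDSWITH = "\\Enabled"


def matches(event):
    """Fields are ANDed, list items ORed, strings compared
    case-insensitively (Sigma's default for string values)."""
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    return (
        details == DETAILS.lower()
        and any(p.lower() in target for p in CONTAINS_ANY)
        and target.endswith(ENDSWITH.lower())
    )


def triage(events):
    """Return (Image, TargetObject) for each hit so an analyst can see
    which process re-enabled the protocol."""
    return [(e.get("Image", "?"), e["TargetObject"]) for e in events if matches(e)]


# Constructed sample events, not real telemetry.
BASE = "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\"
ON, OFF = "DWORD (0x00000001)", "DWORD (0x00000000)"
SAMPLES = [
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": BASE + "TLS 1.0\\Server\\Enabled", "Details": ON},
    {"Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": (BASE + "TLS 1.1\\Client\\Enabled").lower(), "Details": ON},
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": BASE + "TLS 1.0\\Server\\Enabled", "Details": OFF},
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": BASE + "TLS 1.0\\Server\\DisabledByDefault", "Details": ON},
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": BASE + "TLS 1.2\\Client\\Enabled", "Details": ON},
]

if __name__ == "__main__":
    for image, target in triage(SAMPLES):
        print(image, "->", target)
```

Only the first two events match: setting `Enabled` to 0, writing `DisabledByDefault`, or touching TLS 1.2 falls outside the selection, while both the `Client` and `Server` subkeys are covered.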