[Bro] Any thoughts on "Microsoft-CryptoAPI/10.0" user-agent?

Mike Patterson mike.patterson at uwaterloo.ca
Tue Feb 21 06:41:37 PST 2017

> On Feb 21, 2017, at 09:26, Seth Hall <seth at icir.org> wrote:
>> On Feb 21, 2017, at 8:40 AM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>> I am trying to figure out what Windows operating system version has
>> the user agent "Microsoft-CryptoAPI/10.0" when it accesses Microsoft Certificate Revocation List (CRL).
>> I am seeing a good amount of these in software.log, where it ends up being "Unknown CryptoAPI Version" as the windows-version-detection.bro script doesn't have a mapping for that CryptoAPI.
> I suspect this is Windows 10.  Can someone out there validate that suspicion so we can add that to the windows version detection script?

I have Win10 down for CryptoAPI 6.4, along with Server 2016, but my notes there are pretty old (like, Win10 GA timeframe).

I'm now seeing CryptoAPI 10.0 as well, confirmed on several hosts as being Win10. Maybe there's a difference between editions? I can't easily find out what versions ours are.

>  .Set

+h? ;)

