Any thoughts on "Microsoft-CryptoAPI/10.0" user-agent?

Hello,

I am trying to figure out what Windows operating system version has the user agent “Microsoft-CryptoAPI/10.0” when it accesses the Microsoft Certificate Revocation List (CRL).

I am seeing a good amount of these in software.log, where it ends up being “Unknown CryptoAPI Version” as the windows-version-detection.bro script doesn’t have a mapping for that CryptoAPI.

Therefore I was wondering if anyone knows more about this user agent and what information we can infer about the OS from it.

Appreciate the help.

Thanks,
Fatema.

I suspect this is Windows 10. Can someone out there validate that suspicion so we can add that to the windows version detection script?

  .Set

Confirmed with a virtual machine I have running Windows 10.

- Keith

I have Win10 down for CryptoAPI 6.4, along with Server 2016, but my notes there are pretty old (like, Win10 GA timeframe).

I'm now seeing CryptoAPI 10.0 as well, confirmed on several hosts as being Win10. Maybe there's a difference between editions? I can't easily find out what versions ours are.

.Set

+h? :wink:

Mike

Thanks Seth, Mike and Keith for the confirmation, will update the script to log it as win10 system! :slight_smile:

Regards,
Fatema.

Thanks everyone. It's in master now.
  https://github.com/bro/bro/commit/205a28bad8714a19b37080f069034868ee6dda9e

  .Seth
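
A way to find which CryptoAPI user agents still fall through to "Unknown CryptoAPI Version", as an added example that is not part of the thread or of the Bro scripts: it reads a software.log in Bro's tab-separated layout and groups the unmapped versions by host. The column names, the sample rows and version 99.9 are constructed assumptions; the two mapping entries are the ones stated in the thread.

```python
from collections import defaultdict

# Mapping stated in this thread: 10.0 confirmed as Windows 10,
# 6.4 taken from Mike's older notes.
THREAD_MAPPING = {"10.0": "Windows 10",
                  "6.4": "Windows 10 / Server 2016 (older notes)"}

# Constructed sample; the column names are an assumed software.log layout.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\thost\tsoftware_type\tname\tunparsed_version",
    "1.0\t10.0.0.5\tOS::WINDOWS\tUnknown CryptoAPI Version\tUnknown CryptoAPI Version/10.0",
    "2.0\t10.0.0.5\tOS::WINDOWS\tUnknown CryptoAPI Version\tUnknown CryptoAPI Version/10.0",
    "3.0\t10.0.0.9\tOS::WINDOWS\tUnknown CryptoAPI Version\tUnknown CryptoAPI Version/10.0",
    "4.0\t10.0.0.7\tOS::WINDOWS\tUnknown CryptoAPI Version\tUnknown CryptoAPI Version/99.9",
    "5.0\t10.0.0.7\tHTTP::BROWSER\tFirefox\tFirefox/52.0",
    "#close\t2017-01-01-00-00-00",
])

def unmapped_cryptoapi(log_text, marker="Unknown CryptoAPI Version"):
    """Return {version: sorted hosts} for rows the script could not map."""
    fields = None
    hosts_by_version = defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]   # column names follow the tag
            continue
        if not line or line.startswith("#") or fields is None:
            continue                        # other header/footer lines
        row = dict(zip(fields, line.split("\t")))
        if row.get("name") != marker:
            continue
        # The version is whatever follows the last "/" in the raw string.
        version = row.get("unparsed_version", "").rpartition("/")[2] or "?"
        hosts_by_version[version].add(row.get("host", "-"))
    return {v: sorted(h) for v, h in hosts_by_version.items()}

def triage(log_text):
    """Split unmapped versions into those the thread resolves and the rest."""
    resolved, unknown = {}, {}
    for version, hosts in unmapped_cryptoapi(log_text).items():
        (resolved if version in THREAD_MAPPING else unknown)[version] = hosts
    return resolved, unknown

if __name__ == "__main__":
    resolved, unknown = triage(SAMPLE_LOG)
    for version, hosts in resolved.items():
        print(f"{version} -> {THREAD_MAPPING[version]}: {', '.join(hosts)}")
    for version, hosts in unknown.items():
        print(f"{version} -> still unmapped: {', '.join(hosts)}")
```

Versions that land in the second group are the ones worth checking against a known host, as was done here with the Windows 10 virtual machine.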