Verify order of value of key

Hi everyone!

I have a problem when I want to check the order of values of a key in the registry.
The key “Function” in the registry has a few values:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256

etc…
For one control of CIS I need to check if the order is OK. How can I do that?

I have this query:
exists key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" whose (exists value "Functions" whose (it as string contains "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256") of it) of native registry

With that I can't check if those values exist, but I can't know if the order is correct. Can you help me with that?

Thank you!!

Assuming these are contiguous (these three values with nothing in between), we can check the value in the registry with

value "Functions" of key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" of registry as string

TLS_AES_256_GCM_SHA384%00TLS_AES_128_GCM_SHA256%00TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384%00TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256%00TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384%00TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256%00TLS_DHE_RSA_WITH_AES_256_GCM_SHA384%00TLS_DHE_RSA_WITH_AES_128_GCM_SHA256%00TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384%00TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256%00TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384%00TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256%00TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA%00TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA%00TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA%00TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA%00TLS_RSA_WITH_AES_256_GCM_SHA384%00TLS_RSA_WITH_AES_128_GCM_SHA256%00TLS_RSA_WITH_AES_256_CBC_SHA256%00TLS_RSA_WITH_AES_128_CBC_SHA256%00TLS_RSA_WITH_AES_256_CBC_SHA%00TLS_RSA_WITH_AES_128_CBC_SHA%00TLS_RSA_WITH_3DES_EDE_CBC_SHA%00TLS_RSA_WITH_NULL_SHA256%00TLS_RSA_WITH_NULL_SHA%00TLS_PSK_WITH_AES_256_GCM_SHA384%00TLS_PSK_WITH_AES_128_GCM_SHA256%00TLS_PSK_WITH_AES_256_CBC_SHA384%00TLS_PSK_WITH_AES_128_CBC_SHA256%00TLS_PSK_WITH_NULL_SHA384%00TLS_PSK_WITH_NULL_SHA256%00%00

This returns all of the REG_MULTI_SZ values concatenated together with the null character (%00) and terminated by two null characters (%00%00). So we can check that this string contains all three of your values, separated by %00, with

value "Functions" of key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" of registry as string contains "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384%00TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256%00TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256"

If these can appear with other values in between, it’s a little more complicated, but I think this should do it

exists (values "Functions" of key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" of registry as string) whose (it contains "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384" and following text of first "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384" of it contains "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256" and following text of first "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256" of it contains "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256")
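The same order check done outside relevance, as an added example that is not part of the original posts: it takes the %00-delimited string the query above returns, splits it into entries, and tests that the expected suites appear in order, either with gaps allowed or strictly contiguous. It compares whole entries, so a name that is only a prefix of a longer entry (such as TLS_RSA_WITH_AES_256_CBC_SHA inside TLS_RSA_WITH_AES_256_CBC_SHA256) does not count as present; the function names and the sample string are constructed for illustration.

```python
# Added example (not from the thread): order check on the %00-delimited
# REG_MULTI_SZ rendering that the relevance query returns.

def parse_multi_sz(rendered):
    """Split the '%00'-joined rendering into entries; the '%00%00'
    terminator only produces empty strings, which are dropped."""
    return [entry for entry in rendered.split("%00") if entry]


def check_order(actual, expected, contiguous=False):
    """Return a list of problems; an empty list means the order is as expected.

    Entries are compared whole, so 'X_CBC_SHA' does not match 'X_CBC_SHA256'.
    """
    first_pos = {}
    for index, suite in enumerate(actual):
        first_pos.setdefault(suite, index)  # remember the first occurrence only

    problems = [f"missing: {s}" for s in expected if s not in first_pos]
    present = [s for s in expected if s in first_pos]
    for earlier, later in zip(present, present[1:]):
        gap = first_pos[later] - first_pos[earlier]
        if gap <= 0:
            problems.append(f"out of order: {later} is listed before {earlier}")
        elif contiguous and gap != 1:
            problems.append(f"not adjacent: {earlier} -> {later}")
    return problems


# Constructed sample in the format shown above (not a capture from a real host).
SAMPLE = (
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384%00"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256%00"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256%00"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256%00%00"
)
# The three suites from the question, in the order used in the queries above.
EXPECTED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256",
]

if __name__ == "__main__":
    suites = parse_multi_sz(SAMPLE)
    print("gaps allowed:", check_order(suites, EXPECTED) or "OK")
    print("contiguous:  ", check_order(suites, EXPECTED, contiguous=True) or "OK")
```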