Merge pull request #561 from kevross33/patch-622144

kevoreilly · web-flow · commit 738769f94fa4 · 2026-04-29T16:42:22.000Z
Add FIPS query sig and rename crypto_apis.py to cryptography.py
diff --git a/modules/signatures/windows/cryptography.py b/modules/signatures/windows/cryptography.py
@@ -38,3 +38,43 @@ def on_call(self, _, process):
         if self.pid:
             self.mark_call()
         return True
+
+
+class QueryFipsReconnaissance(Signature):
+    name = "query_fips_reconnaissance"
+    description = "Queried the FIPS cryptography policy, can be used to adapt C2 network encryption or by legitimate encryption software"
+    severity = 2
+    confidence = 50
+    categories = ["discovery", "c2"]
+    authors = ["Kevin Ross"]
+    minimum = "1.3"
+    evented = True
+    ttps = ["T1082", "T1008"]
+
+    filter_apinames = {
+        "NtOpenKey", "NtOpenKeyEx", "NtQueryValueKey", "RegQueryValueExA", "RegQueryValueExW"
+    }
+
+    def __init__(self, *args, **kwargs):
+        Signature.__init__(self, *args, **kwargs)
+        self.ret = False
+        self.fips_events = set()
+
+    def on_call(self, call, process):
+        key_name = self.get_argument(call, "FullName") or self.get_argument(call, "ObjectAttributes") or ""
+        
+        if "lsa\\fipsalgorithmpolicy" in str(key_name).lower():
+            proc_name = process.get("process_name", "unknown")
+            pid = process.get("process_id", "unknown")
+            
+            event_msg = "{} (PID: {}) probed FIPS encryption policy at '{}'".format(proc_name, pid, key_name)
+            
+            if event_msg not in self.fips_events:
+                self.fips_events.add(event_msg)
+                self.mark_call()
+                self.ret = True
+
+    def on_complete(self):
+        if self.ret:
+            self.data.append({"behavioral_fips_reconnaissance": list(self.fips_events)})
+        return self.ret
