Identify Suspicious Certificates In Endpoints With Zero Keysize And No Signature Algorithm
Query
let DeviceInformation = DeviceInfo
| project DeviceId, DeviceName;
DeviceInformation
| join ( DeviceTvmCertificateInfo
| where KeySize == "0"
| where SignatureAlgorithm == ""
| extend TOCN = parse_json(IssuedTo).CommonName
| extend TOORG = parse_json(IssuedTo).Organization
| extend TOCountry = parse_json(IssuedTo).CountryName
| extend BYCN = parse_json(IssuedBy).CommonName
| extend BYORG = parse_json(IssuedBy).Organization
| extend BYCountry = parse_json(IssuedBy).CountryName
| project DeviceId, Thumbprint, TOCN, TOORG, TOCountry,
BYCN, BYORG, BYCountry
) on DeviceId
| project DeviceId, DeviceName, Thumbprint, TOCN,
TOORG, TOCountry, BYCN, BYORG, BYCountryAbout this query
Identify suspicious certificates in endpoints with zero keysize and no signature algorithm
Description
The following query leverages DeviceTvmCertificateInfo table which is available at the MDVM add-on license. Results provided include endpoints with certificates of zero keysize and no signature algorithm. A detected certificate lacks all the fundamental properties needed for secure communication and should be investigated.
Microsoft Defender XDR
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 14/9/2024 | Initial publish |
Explanation
This query is designed to identify suspicious certificates on endpoints that have a key size of zero and no signature algorithm, which are indicators of insecure certificates. Here's a simplified breakdown of what the query does:
- Device Information: It starts by creating a list of devices with their IDs and names from the
DeviceInfotable. - Certificate Information: It then looks at the
DeviceTvmCertificateInfotable to find certificates that have a key size of zero and no signature algorithm. - Extract Certificate Details: For these suspicious certificates, it extracts details such as the common name, organization, and country of both the entity the certificate was issued to and the entity that issued the certificate.
- Join Data: It joins the device information with the certificate information based on the device ID.
- Result: The final output includes the device ID, device name, certificate thumbprint, and the extracted certificate details.
This query helps in identifying and investigating certificates that lack essential security properties on various endpoints.
Details

Michalis Michalos
Released: September 13, 2024
Tables
Keywords
Operators