Detect undocumented system certificate: PinRules{EncodedCtl,LastSyncTime} - Windows 10 x86/x64 https://goo.gl/IoOH9V

windows-definitions_oval.xml

<?xml version="1.0" encoding="UTF-8"?> 
<oval_definitions 
  xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5  
  oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows  
  windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5  
  oval-common-schema.xsd" 
  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"> 
  <generator>
    <oval:product_name>BLOCKBIT INTELLIGENCE LAB</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2018-05-04T12:45:11</oval:timestamp>
  </generator>
  
  <definitions>
    <definition id="oval:com.blockbit:def:6660" version="1" class="miscellaneous">
      <metadata>
        <title>Microsoft Windows 10: Undocumented Certificate Pinning Feature</title>
        <affected family="windows">
          <platform>Microsoft Windows 10</platform>
        </affected>
        <reference source="CPE" ref_url="https://cpe.mitre.org" ref_id="cpe:/o:microsoft:windows_10" />
        <description>The operating system installed on the system is Microsoft Windows 10 x64</description>
      </metadata>
      <criteria comment="Check if the System Certificates PinRulesEncodedCtl and PinRulesLastSyncTime Exists">
        <criterion test_ref="oval:com.blockbit:tst:666000" comment="Microsoft System Certificate PinRulesEncodedCtl is installed"  />
        <criterion test_ref="oval:com.blockbit:tst:666010" comment="Microsoft System Certificate PinRulesLastSyncTime is installed"/>
      </criteria>
    </definition>
  </definitions>
  
  <tests>
    <registry_test id="oval:com.blockbit:tst:666000" check_existence="at_least_one_exists" check="all" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:com.blockbit:obj:666000" />
      <state  state_ref="oval:com.blockbit:ste:666000"  />
    </registry_test>

    <registry_test id="oval:com.blockbit:tst:666010" check_existence="at_least_one_exists" check="all" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:com.blockbit:obj:666010" />
      <state  state_ref="oval:com.blockbit:ste:666010"  />
    </registry_test>
  </tests>

  <objects>
    <registry_object id="oval:com.blockbit:obj:666000" version="1" comment="Ensures the presence of the PinRulesEncodedCtl at following hive path" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate</key>
      <name>PinRulesEncodedCtl</name>
    </registry_object>

    <registry_object id="oval:com.blockbit:obj:666010" version="1" comment="Ensures the presence of the PinRulesLastSyncTime at following hive path" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate</key>
      <name>PinRulesLastSyncTime</name>
    </registry_object>
  </objects>

  <states>
    <registry_state id="oval:com.blockbit:ste:666000" version="1" comment="Compares the values with the PinRulesEncodedCtl encountered on operating system" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value datatype="string" operation="pattern match">3082.*</value>
    </registry_state>

    <registry_state id="oval:com.blockbit:ste:666010" version="1" comment="Compares the values with the PinRulesLastSyncTime encountered on operating system" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value datatype="binary" operation="equals">B6E26D62EFE3D301</value>
    </registry_state>
  </states>
</oval_definitions>

ID	System Certificate
666000	PinRulesEncodedCtl
666010	PinRulesLastSyncTime

C:\Users\slayer\Desktop\ovaldi-5.10.1.7>ovaldi.exe -m -o xml\definitions\definition5-10_blockbit.xml

----------------------------------------------------
OVAL Definition Interpreter
Version: 5.10.1 Build: 7
Build date: Apr 10 2014 06:35:51
Copyright (c) 2002-2014 - The MITRE Corporation
----------------------------------------------------

Start Time: Fri May 04 21:06:47 2018

 ** parsing xml\definitions\definition5-10_blockbit.xml file.
    - validating xml schema.
 ** checking schema version
     - Schema version - 5.10
 ** skipping Schematron validation
 ** creating a new OVAL System Characteristics file.
 ** gathering data for the OVAL definitions.
      Collecting object:  FINISHED
 ** saving data model to system-characteristics.xml.
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED
 ** applying directives to OVAL results.
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:com.blockbit:def:6660              true
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** running OVAL Results xsl: xml\results_to_html.xsl.

----------------------------------------------------

C:\Users\slayer\Desktop\ovaldi-5.10.1.7>

Note: redist 2010 x86 is required to execute the "ovaldi.exe".