
5063 A cryptographic provider operation was attempted

Written when an operation on a cryptographic provider is attempted. It captures registration of and operations on cryptographic modules (providers).

Overview

This event belongs to the Audit Other Policy Change Events subcategory. It is generated when an operation (registration, configuration, etc.) is attempted on a cryptographic provider, that is, a module implementing cryptographic algorithms (CSP, KSP, etc.). There are success (S) and failure (F) variants.

How it is triggered

  • Registration, configuration change, or operation of a cryptographic provider.

Security review points

  • Registering a rogue cryptographic provider can insert a custom module into the authentication/crypto path, where it can be used for credential theft or as a backdoor (a concern similar to the one for SSP/authentication packages, events 4610/4622). Take note of unexpected provider operations.
  • Together with related crypto provider registration events (the 5064-5070 family), track changes to the provider configuration.

Notes for log review

  • This event is normally rare. Know which legitimate components register or change cryptographic providers, and check operations performed by anything else.
  • Investigate registration/operation of unfamiliar providers at high priority.
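
The baseline check described in these notes, as an added example that is not part of the original page: it reads exported event XML, keeps only 5063 records, and returns those whose provider/subject pair is not in a known-good set, with the success/failure variant decoded from the Keywords value. The Data names (ProviderName, Operation, SubjectUserName), the baseline contents and the sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE = 0x0010000000000000  # Keywords bit set on audit-failure records

# Assumed baseline: (provider, subject) pairs known to be legitimate here.
BASELINE = {("Microsoft Software Key Storage Provider", "SYSTEM")}

# Constructed sample export; Data names are assumed from the Key fields table.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5063</EventID><Keywords>0x8020000000000000</Keywords></System>
<EventData><Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
<Data Name="Operation">Register</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5063</EventID><Keywords>0x8010000000000000</Keywords></System>
<EventData><Data Name="SubjectUserName">jdoe</Data>
<Data Name="ProviderName">Example Unknown Provider</Data>
<Data Name="Operation">Register</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><Keywords>0x8020000000000000</Keywords></System>
<EventData/></Event>
</Events>"""


def triage(xml_text, baseline=BASELINE):
    """Return 5063 events whose (provider, subject) pair is outside the baseline."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5063":
            continue  # other event IDs are out of scope for this check
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        provider = data.get("ProviderName", "")
        subject = data.get("SubjectUserName", "")
        if (provider, subject) in baseline:
            continue  # expected component, nothing to review
        keywords = int(ev.findtext("e:System/e:Keywords", "0x0", NS), 16)
        findings.append({
            "provider": provider,
            "operation": data.get("Operation", ""),
            "subject": subject,
            "outcome": "failure" if keywords & AUDIT_FAILURE else "success",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```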

Key fields

Field          Meaning
Provider Name  The cryptographic provider in question
Operation      The operation type
Subject        The acting subject
