Commands for managing IOC scans

-T is a prefix indicating that the command belongs to the group of commands for managing application settings and tasks.

kesl-control --scan-ioc

The command starts a scan of the device for indicators of compromise (IOC).

Command syntax

kesl-control [-T] --scan-ioc --path <path to directory or file> [--process on|off] [--hint <regular expression>] [--arpentry on|off] [--ports on|off] [--system on|off] [--files on|off] [--drives all|system|critical|custom] [--excludes <list of exclusions>] [--scope <list of directories>] [--action Skip|QuarantineFile|IsolateHost|ScanCriticalAreas]

Arguments and keys

--path <path to directory or file> – path to an IOC file, or to a directory containing IOC files, with the .IOC or .XML extension; these files are used to perform the scan.

You can specify multiple paths by separating them with a space. You can also specify both types of paths (path to a file and path to a directory).

--process – enable analysis of processes running on the device.

Possible arguments: on, off (as shown in the command syntax above).

If you do not specify the --process option, the application analyzes processes only if the IOC file in use describes processes (ProcessItem).

--hint <regular expression> – regular expression that matches the full path to the file (FileItem) or executable file of the process (ProcessItem) to be analyzed.

You can use the following regular expression elements:

--arpentry – enable analysis of entries in the ARP table (ArpEntryItem).

Possible arguments: on, off (as shown in the command syntax above).

If you do not specify the --arpentry option, the application analyzes the ARP table only if the IOC file in use describes ARP table entries (ArpEntryItem).

--ports – enable analysis of ports open for connection.

Possible arguments: on, off (as shown in the command syntax above).

If you do not specify the --ports option, the application analyzes ports only if the IOC file in use describes ports (PortItem).

--system – enable analysis of the system environment.

Possible arguments: on, off (as shown in the command syntax above).

If you do not specify the --system option, the application analyzes the system environment only if the IOC file in use describes the system environment (SystemInfoItem).

--files – enable file analysis.

Possible arguments: on, off (as shown in the command syntax above).

If you do not specify the --files option, the application analyzes files only if the IOC file in use describes files (FileItem).

--drives – areas to be scanned.

Possible arguments: all, system, critical, custom (as shown in the command syntax above).

If you do not specify the --drives option, the application analyzes files in user and system directories.

--excludes <list of exclusions> – list of paths excluded from scans.

The exclusions specified by this option are global and are valid regardless of the scope type or directory list. These exclusions take precedence over other command line options, including --hint and --scope.

Exclusions are specified as paths, but cannot contain recursive elements or wildcard characters (e.g. *).

If you do not specify the --excludes option, the scan is performed without exclusions.

You can specify multiple exclusions by separating them with a space.

--scope <list of directories> – list of additional directories to be scanned.

This option is required if you specified the custom argument for the --drives option.

--action – action performed when indicators of compromise are detected.

Possible arguments: Skip, QuarantineFile, IsolateHost, ScanCriticalAreas (as shown in the command syntax above).

You can specify multiple actions by separating them with commas.

If you specify the Skip argument, do not add any other arguments. The Skip argument can only be used on its own.
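The option rules above (Skip may not be combined with other actions, --drives custom requires --scope, exclusions may not contain wildcards, and only the listed --drives and --action values are accepted) are easy to get wrong when the scan is launched from an automation script. The following POSIX shell function is an added example, not part of the product documentation: it assembles a kesl-control --scan-ioc command line from its inputs, rejects combinations the page says are invalid, and prints the resulting command instead of running it, so an operator can review it before execution. The function name and the sample paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build and validate a "kesl-control --scan-ioc" command line
# according to the option rules documented for the command. The command is
# printed, not executed, so it can be reviewed first (dry run).
#
# Usage: build_scan_ioc_cmd <ioc paths> <drives> <scope> <excludes> <actions>
#   ioc paths  space-separated .IOC/.XML files or directories (required)
#   drives     all|system|critical|custom, or empty for the default areas
#   scope      space-separated extra directories (required when drives=custom)
#   excludes   space-separated literal paths; wildcards are rejected
#   actions    comma-separated actions; Skip must stand alone
build_scan_ioc_cmd() {
    ioc_paths=$1; drives=$2; scope=$3; excludes=$4; actions=$5

    if [ -z "$ioc_paths" ]; then
        echo "error: --path requires at least one IOC file or directory" >&2
        return 1
    fi
    cmd="kesl-control -T --scan-ioc --path $ioc_paths"

    if [ -n "$drives" ]; then
        case "$drives" in
            all|system|critical|custom) ;;
            *) echo "error: --drives must be all, system, critical or custom" >&2; return 1 ;;
        esac
        if [ "$drives" = custom ] && [ -z "$scope" ]; then
            echo "error: --drives custom requires --scope" >&2
            return 1
        fi
        cmd="$cmd --drives $drives"
    fi
    if [ -n "$scope" ]; then
        cmd="$cmd --scope $scope"
    fi

    if [ -n "$excludes" ]; then
        # Exclusions are literal paths; wildcard characters are not allowed.
        case "$excludes" in
            *\**|*\?*|*\[*) echo "error: --excludes must not contain wildcards" >&2; return 1 ;;
        esac
        cmd="$cmd --excludes $excludes"
    fi

    if [ -n "$actions" ]; then
        old_ifs=$IFS; IFS=,
        for a in $actions; do
            case "$a" in
                Skip|QuarantineFile|IsolateHost|ScanCriticalAreas) ;;
                *) IFS=$old_ifs; echo "error: unknown action '$a'" >&2; return 1 ;;
            esac
        done
        IFS=$old_ifs
        # Skip can only be used on its own.
        case ",$actions," in
            *,Skip,*)
                if [ "$actions" != Skip ]; then
                    echo "error: Skip cannot be combined with other actions" >&2
                    return 1
                fi ;;
        esac
        cmd="$cmd --action $actions"
    fi

    printf '%s\n' "$cmd"
}

# Sample invocation with constructed paths (dry run: prints the command only).
build_scan_ioc_cmd "/var/lib/ioc-feed" "system" "" "/proc /sys" "QuarantineFile"
```

Because the function only prints the command, it can be dropped into a change-review step: the printed line is what would be run, and any rule violation produces a non-zero exit with a message on stderr rather than a scan launched with the wrong scope or action.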
