Scan for indicators of compromise (standard task)

An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the computer (compromise of data). For example, many unsuccessful attempts to sign in to the system can constitute an Indicator of Compromise. The IOC Scan task allows finding Indicators of Compromise on the computer and taking threat response measures.

Kaspersky Endpoint Security searches for indicators of compromise using IOC files. IOC files are files containing the sets of indicators that the application tries to match to count a detection. IOC files must conform to the OpenIOC standard.

IOC Scan task run mode

Kaspersky Endpoint Detection and Response lets you create standard IOC Scan tasks to detect compromised data. Standard IOC scan task is a group or local task that is created and configured manually in the Web Console. Tasks are run using IOC files prepared by the user. If you want to add an indicator of compromise manually, please read the requirements for IOC files.

The file that you can download by clicking the link below, contains a table with the full list of IOC terms of the OpenIOC standard.

DOWNLOAD THE IOC_TERMS.XLSX FILE

Kaspersky Endpoint Security also supports stand-alone IOC scan tasks when the application is used as part of the Kaspersky Sandbox solution.

Creating IOC file

Starting with Kaspersky Endpoint Security 12.10 for Windows, you can create IOC files directly in the task settings. To create an IOC file, you must prepare a TXT file with a list of indicators of compromise. You can add lists of the following objects as indicators of compromise:

How to create IOC file in the Web Console

Creating an IOC Scan task

You can create IOC Scan tasks manually:

You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR Expert are available only in Cloud Console.

To create a IOC Scan task:

  1. In the main window of the Web Console, select Assets (Devices)Tasks.

    The list of tasks opens.

  2. Click Add.

    The Task Wizard starts.

  3. Configure the task settings:
    1. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.10.0).
    2. In the Task type drop-down list, select IOC Scan.
    3. In the Task name field, enter a brief description.
    4. In the Devices to which the task will be assigned block, select the task scope.
  4. Select devices according to the selected task scope option. Go to the next step.
  5. Enter the account credentials of the user whose rights you want to use to run the task. Go to the next step.

    By default, Kaspersky Endpoint Security starts the task as the system user account (SYSTEM).

    The system account (SYSTEM) does not have permission to perform the IOC Scan task on network drives. If you want to run the task for a network drive, select the account of a user that has access to that drive.

    For standalone IOC Scan tasks on network drives, in the task properties you need to manually select the user account that has access to this drive.

  6. Exit the Wizard.

    A new task will be displayed in the list of tasks.

  7. Click the new task.

    The task properties window opens.

  8. Select the Application settings tab.
  9. Go to the IOC Scan settings section.
  10. Upload the IOC files to search for indicators of compromise.

    After you upload the IOC files, the application displays summary information about the file, including the list of indicators that did not pass the check. After uploading IOC files, you can manually edit the files in the built-in editor directly in task properties. Kaspersky Endpoint Security supports editing IOC files that are compliant with the OpenIOC 1.1 standard. Editing OpenIOC 1.0 files is not possible.

    Kaspersky Endpoint Security adds IOC files to the IOC collection. If necessary, you can temporarily exclude IOC files from the task scope.

    Adding or removing IOC files after running the task is not recommended. This can cause the IOC scan results to display incorrectly for prior runs of the task. To search indicators of compromise by new IOC files, it is recommended to add new tasks.

  11. Configure actions on IOC detection:
    • Isolate computer from the network. If this option is selected, Kaspersky Endpoint Security isolates the computer from the network to prevent the threat from spreading. You can configure the duration of the isolation in Endpoint Detection and Response component settings.

      If this check box is cleared, you can isolate the computer from the network after running the task manually. If the IOC Scan task detects an IOC, you can isolate the computer from the network directly from the IOC (properties of the IOC Scan → Application settings → IOC Scan results task). Kaspersky Endpoint Security also allows immediately managing additional settings: Network isolation disablement period and Network isolation exclusions.

    • Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine.

      If this check box is cleared, you can quarantine the file manually after running the task manually. If the IOC Scan task detects a file that can compromise data, you can quarantine this file directly from IOC Scan results (Application settings → IOC Scan results). As a result, Kaspersky Endpoint Security starts the task creation wizard with preset data of the detected file. You only need to manage additional task settings, for example, set up the task schedule.

    • Run Critical Areas Scan. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors.
  12. Go to the Advanced section.
  13. Select data types (IOC documents) that must be analyzed as part of the task.

    Kaspersky Endpoint Security automatically selects data types (IOC documents) for the IOC Scan task in accordance with the content of loaded IOC files. It is not recommended to deselect data types.

    You can additionally configure scan scopes for the following data types:

    • Files - FileItem. Set an IOC scan scope on the computer using preset scopes.

      By default, Kaspersky Endpoint Security scans for IOCs only in important areas of the computer, such as the Downloads folder, the desktop, the folder with temporary operating system files, etc. You can also manually add the scan scope.

    • Windows event logs - EventLogItem. Enter the time period when the events were logged. You can also select which Windows event logs must be used for IOC scanning. By default, the following event logs are selected: application event log, system event log, and security event log.
    • Windows registry - RegistryItem. Configure the IOC Scan scope in the registry.

      By default, Kaspersky Endpoint Security scans a set of registry keys.

  14. In the task properties window, select the Schedule tab.
  15. Configure the task schedule.

    Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.

  16. Save your changes.
  17. Select the check box next to the task.
  18. Click Start.

As a result, Kaspersky Endpoint Security runs the search for indicators of compromise on the computer. You can view the results of the task in task properties in the Results section. You can view the information about detected indicators of compromise in the task properties: Application settingsIOC Scan results. In IOC Scan results, you can also manually quarantine the detected file or isolate the computer from the network.

IOC scan results are kept for 30 days. After this period, Kaspersky Endpoint Security automatically deletes the oldest entries.

Page top