IOCSCAN. Scan for indicators of compromise (IOC)

Running the IOC Scan task. An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the computer (compromise of data). For example, many unsuccessful attempts to sign in to the system can constitute an Indicator of Compromise. The IOC Scan task allows finding Indicators of Compromise on the computer and taking threat response measures.

To run the command, go to the folder where the Kaspersky Endpoint Security executable file is located. You can also add the executable file path to the %PATH% system variable and run the command without navigating to the application folder.

Command syntax

avp.com IOCSCAN <full path to the IOC file>|/path=<path to the IOC files folder> [/process=on|off] [/hint=<full path to executable file of a process|full file path>] [/registry=on|off] [/dnsentry=on|off] [/arpentry=on|off] [/ports=on|off] [/services=on|off] [/system=on|off] [/users=on|off] [/volumes=on|off] [/eventlog=on|off] [/datetime=<event publication date>] [/channels=<list of channels>] [/files=on|off] [/drives=<all|system|critical|custom>] [/excludes=<list of exclusions>] [/scope=<list of folders to scan>]

IOC files


<full path to the IOC file>

Full path to the IOC file that you want to use for scanning. You can specify multiple IOC files separated by spaces. The full path to the IOC file must be entered without the /path argument.

For example, C:\Users\Admin\Desktop\IOC\file1.ioc

/path=<path to the folder with IOC files>

Path to the folder with IOC files that you want to use for scanning. IOC files contain the sets of indicators that the application tries to match in order to register a detection. IOC files must conform to the OpenIOC standard.

For example, C:\Users\Admin\Desktop\IOC

Data type for IOC scanning


/process=on|off

Analyze process data when performing the IOC scan (ProcessItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not analyze processes running on the computer when performing the scan. If the IOC file contains IOC terms of the ProcessItem IOC document, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes process data only if the ProcessItem IOC document is described in the IOC file that is provided for the scan.

/hint=<full path to the executable file of the process|full path to the file>

Analyze file data when performing the IOC scan (ProcessItem and FileItem terms).

You can select a file in one of the following ways:

  • <full path to the executable file of the process> – ProcessItem term;
  • <full path to the file> – FileItem term.

/registry=on|off

Analyze Windows registry data when performing an IOC scan (RegistryItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not scan the Windows registry. If the IOC file contains RegistryItem IOC document terms, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes the Windows registry only if the RegistryItem IOC document is described in the IOC file that is provided for the scan.

For the RegistryItem data type, Kaspersky Endpoint Security scans a set of registry keys.

/dnsentry=on|off

Analyze the data about records in the local DNS cache when performing the IOC scan (DnsEntryItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not scan the local DNS cache. If the IOC file contains DnsEntryItem IOC document terms, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes the local DNS cache only if the DnsEntryItem IOC document is described in the IOC file that is provided for the scan.

/arpentry=on|off

Analyze the data about records in the ARP table when performing the IOC scan (ArpEntryItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not scan the ARP table. If the IOC file contains ArpEntryItem IOC document terms, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes the ARP table only if the ArpEntryItem IOC document is described in the IOC file that is provided for the scan.

/ports=on|off

Analyze data about ports open for listening when performing the IOC scan (PortItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not scan the table of active connections on the device. If the IOC file contains PortItem IOC document terms, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes the table of active connections only if the PortItem IOC document is described in the IOC file that is provided for the scan.

/services=on|off

Analyze data about services installed on the device when performing the IOC scan (ServiceItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not scan the data about services installed on the device. If the IOC file contains ServiceItem IOC document terms, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes service data only if the ServiceItem IOC document is described in the IOC file that is provided for the scan.

/system=on|off

Analyze environment data when performing the IOC scan (SystemInfoItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not analyze environment data. If the IOC file contains SystemInfoItem IOC document terms, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes environment data only if the SystemInfoItem IOC document is described in the IOC file that is provided for the scan.

/users=on|off

Analyze data about users when performing the IOC scan (UserItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not analyze data about users created in the system. If the IOC file contains UserItem IOC document terms, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes data about users created in the system only if the UserItem IOC document is described in the IOC file that is provided for the scan.

/volumes=on|off

Analyze data about volumes when performing the IOC scan (VolumeItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not scan the data about volumes on the device. If the IOC file contains VolumeItem IOC document terms, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes volume data only if the VolumeItem IOC document is described in the IOC file that is provided for the scan.

/eventlog=on|off

Analyze the data about records in the Windows event log when performing the IOC scan (EventLogItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not scan the records in the Windows event log. If the IOC file contains EventLogItem IOC document terms, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes the Windows event log if the EventLogItem IOC document is described in the IOC file that is provided for the scan.

/datetime=<event publication date>

Use the date when an event was published in the Windows event log to limit the IOC scan scope for the corresponding IOC document.

When performing an IOC scan, Kaspersky Endpoint Security scans Windows event log entries published during the period from the specified time and date to the moment when the task is run.

Kaspersky Endpoint Security allows specifying the event publication date as the value of the argument. The scan is performed only for events published in the Windows event log after the specified date and before the scan is run.

If the argument is not specified, Kaspersky Endpoint Security scans events with any publication date. The TaskSettings::BaseSettings::EventLogItem::datetime setting cannot be edited.

The setting is used only if the EventLogItem IOC document is described in the IOC file provided for the scan.

/channels=<list of channels>

List of channel (log) names for which you want to perform an IOC scan.

If the argument is specified, Kaspersky Endpoint Security scans records published in the specified logs. The IOC document must have the EventLogItem term described.

Specify the log name as a string matching the name of the log (channel) shown in the log properties (the Full Name parameter) or in the event properties (the <Channel></Channel> element in the XML schema of the event). You can specify multiple channels separated by spaces.

If the argument is not specified, Kaspersky Endpoint Security scans records for channels Application, System, Security.

/files=on|off

Analyze file data when performing the IOC scan (FileItem term).

If the value of the argument is off, Kaspersky Endpoint Security does not analyze file data. If the IOC file contains FileItem IOC document terms, they are ignored (detected as no match).

If the argument is not specified, Kaspersky Endpoint Security analyzes file data only if the FileItem IOC document is described in the IOC file that is provided for the scan.

/drives=<all|system|critical|custom>

Set IOC scan scope when analyzing data for the FileItem IOC document.

You can set the following values for the scan scope:

  • <all> for all available file scopes.
  • <system> for files in folders where the operating system is installed.
  • <critical> for temporary files in user and system folders.
  • <custom> for files in user-defined scopes (/scope=<list of folders to scan>).

If the argument is not specified, the scan is performed for critical areas.

/excludes=<list of exclusions>

Set exclusion scope when analyzing data for the FileItem IOC document. You can specify multiple paths separated by spaces.

/scope=<list of folders to scan>

User-defined IOC scan scope when analyzing data for the FileItem IOC document (/drives=custom). You can specify multiple paths separated by spaces.
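As an added example (not Kaspersky's code), the following Python builds a minimal OpenIOC file covering three of the IOC documents listed above, reports which data types IOCSCAN will analyze by default for that file, and assembles the matching avp.com IOCSCAN command line from the arguments described above. The OpenIOC element names and search terms follow the OpenIOC 1.0 schema rather than this page; the sample hash, paths and the /datetime value format are constructed assumptions, and space-separated /scope and /channels lists are emitted literally as the syntax above states them.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"   # OpenIOC 1.0 namespace

# Constructed sample indicators: (IOC document, search term, content type, value).
# Search terms are OpenIOC 1.0 names (assumed), not values taken from this page.
SAMPLE_TERMS = [
    ("FileItem", "FileItem/Md5sum", "md5", "d41d8cd98f00b204e9800998ecf8427e"),
    ("ProcessItem", "ProcessItem/name", "string", "sample-updater.exe"),
    ("RegistryItem", "RegistryItem/Path", "string",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample-updater"),
]

def build_openioc(ioc_id, description, terms):
    """Return an OpenIOC document: one Indicator whose IndicatorItems are ORed."""
    ET.register_namespace("", NS)
    ioc = ET.Element(f"{{{NS}}}ioc", id=ioc_id)                  # <ioc id=""> header
    ET.SubElement(ioc, f"{{{NS}}}short_description").text = description
    ET.SubElement(ioc, f"{{{NS}}}description").text = description  # reported as Name
    ind = ET.SubElement(ET.SubElement(ioc, f"{{{NS}}}definition"),
                        f"{{{NS}}}Indicator", operator="OR", id=f"{ioc_id}-1")
    for n, (doc, search, ctype, value) in enumerate(terms, 1):
        item = ET.SubElement(ind, f"{{{NS}}}IndicatorItem", id=f"{ioc_id}-1-{n}",
                             condition="is")
        ET.SubElement(item, f"{{{NS}}}Context", document=doc, search=search, type="mir")
        ET.SubElement(item, f"{{{NS}}}Content", type=ctype).text = value
    return ET.tostring(ioc, encoding="unicode")

def documents_in_ioc(xml_text):
    """IOC documents described in the file. Without on|off switches, IOCSCAN
    analyzes exactly these data types and treats the rest as no match."""
    root = ET.fromstring(xml_text)
    return {ctx.get("document") for ctx in root.iter(f"{{{NS}}}Context")}

def iocscan_command(ioc_path, scope=None, datetime=None, channels=None, **switches):
    """Assemble the avp.com IOCSCAN line from the arguments documented above.
    `switches` are the on|off arguments (process, registry, eventlog, ...) given
    as booleans; anything omitted keeps the 'only if described' default."""
    parts = ["avp.com", "IOCSCAN", ioc_path]
    parts += [f"/{name}={'on' if on else 'off'}" for name, on in switches.items()]
    if scope:                    # a user-defined scope requires /drives=custom
        parts += ["/drives=custom", "/scope=" + " ".join(scope)]
    if datetime:                 # value format is assumed; the page gives none
        parts.append(f"/datetime={datetime}")
    if channels:                 # replaces the Application, System, Security default
        parts.append("/channels=" + " ".join(channels))
    return " ".join(parts)
```

Write the string returned by build_openioc to a .ioc file and pass that path as the first IOCSCAN argument; documents_in_ioc tells you in advance which data types the scan will cover if you leave the on|off switches unset.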

Command return values:

If the command was executed successfully (return value 0) and indicators of compromise were detected during the scan, Kaspersky Endpoint Security outputs the following task result information to the command line:

Uuid

ID of the IOC file from the header of the IOC file structure (the <ioc id=""> tag)

Name

Description of the IOC file from the header of the IOC file structure (the <description></description> tag)

Matched Indicator Items

List of IDs of all matched indicators.

Matched objects

Data for each IOC document for which there was a match.
