Searching for indicators of compromise in the command line

You can scan for indicators of compromise using the IOC Scan task on the command line only when integrated with Kaspersky Endpoint Detection and Response Optimum. When integrated with Kaspersky Endpoint Detection and Response (KATA), the IOC scan is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.

To create, configure, and run an IOC Scan task from the command line, run the following command:

kesl-control [-T] --scan-ioc --path <path to directory or file> [--process on|off] [--hint <regular expression>] [--arpentry on|off] [--ports on|off] [--system on|off] [--files on|off] [--drives all|system|critical|custom] [--excludes <list of exclusions>] [--scope <list of directories>] [--action Skip|QuarantineFile|IsolateHost|ScanCriticalAreas]

where:

• --path <path to directory or file> – path to IOC file or directory with IOC files with the .IOC or .XML extension, which should be used to perform the scan.

  You can specify multiple paths by separating them with a space. You can also specify both types of paths (path to a file and path to a directory).

• --process – enable analysis of processes running on the device.

  Possible arguments:

  • on – enable analysis of processes running on the device (default value).
  • off – disable analysis of processes running on the device.

  If you do not specify the --process option, the application analyzes processes only if the used IOC file specifies the details of these processes (ProcessItem).

• --hint <regular expression> – regular expression that matches the full path to the file (FileItem) or executable file of the process (ProcessItem) to be analyzed.

  You can use the following regular expression elements:

  • meta characters: . ^ $ |
  • character classes: digit, alpha, lower, upper, cntrl
  • quantifiers: * + ? {n} {n,} {n, m}
  • negation: [^a-c]
  • escaped characters: \a \e \f, \n \r \t \v \b
• --arpentry – enable analysis of entries in the ARP table (ArpEntryItem).

  Possible arguments:

  • on – enable analysis of entries in the ARP table (default value).
  • off – disable analysis of entries in the ARP table.

  If you do not specify the --arpentry option, the application analyzes the ARP table only if the used IOC file specifies the details of the ARP table (ArpEntryItem).

  --ports – enable analysis of ports open for connection.

  Possible arguments:

  • on – enable analysis of ports open for connection and scan active connections on the device (default value).
  • off – disable analysis of ports open for connection and do not scan active connections on the device.

  If you do not specify the --ports option, the application only analyzes ports if the used IOC file specifies the details of these ports (PortItem).

• --system – enable analysis of the system environment.

  Possible arguments:

  • on – enable analysis of the system environment (default value).
  • off – disable analysis of the system environment.

  If you do not specify the --system option, the application analyzes the system environment only if the used IOC file specifies details of the system environment (SystemInfoItem).

• --files – enable file analysis.

  Possible arguments:

  • on – enable file analysis (default value).
  • off – disable file analysis.

  If you do not specify the --files option, the application analyzes files only if the used IOC file specifies the details of those files (FileItem).

• --drives – areas to be scanned.

  Possible arguments:

  • all – check all available file areas.
  • system – scan only files located in the directories where the operating system is installed.
  • critical – scan files in user and system directories (default value).
  • custom – scan only files in the areas you specify.

  If you do not specify the --drives option, the application analyzes files in user and system directories.

• --excludes <list of exclusions> – list of paths excluded from scans.

  The exclusions specified by this option are global and are valid regardless of the scope type or directory list. These exclusions take precedence over other command line options, including --hint and --scope.

  Exclusions are specified as paths, but cannot contain recursive elements or wildcard characters (e.g. *).

  If you do not specify the --excludes option, the scan is performed without exclusions.

  You can specify multiple exclusions by separating them with a space.

• --scope <list of directories> – list of additional directories to be scanned.

  This option is required if you specified the custom argument for the --drives option.

• --action – action performed when indicators of compromise are detected.

  Possible arguments:

  • Skip – the application will not perform any actions with the detected object, but information about it will be saved in the task execution results (default value).
  • QuarantineFile – the application will quarantine the detected object.
  • IsolateHost – the application imposes network isolation on the device on which the object is detected.
  • ScanCriticalAreas – the application will perform scan critical areas.
    • /lib/systemd
    • /lib/udev
    • /lib/dbus-1.0
    • /usr/local/lib/systemd/user
    • /usr/share/dbus-1
    • /usr/share/gdm/autostart
    • /usr/share/gnome/autostart
    • /var/spool/at
    • /var/spool/at/spool
    • /var/spool/anacron
    • /var/spool/cron
    • /boot
    • /bin
    • /sbin
    • /lib
    • /lib32
    • /lib64
    • /libx32
    • /usr/lib
    • /usr/lib32
    • /usr/lib64
    • /usr/libx32
    • ~/.config/autostart
    • ~/.config/autostart-scripts
    • ~/.config/plasma-workspace/env
    • ~/.config/plasma-workspace/shutdown
    • ~/.config/lxsession
    • ~/.fluxbox/startup
    • ~/.kde/Autostart
    • /etc

  You can specify multiple actions by separating them with commas.

  If you specify the Skip argument, do not add any other arguments. The Skip argument can only be used on its own.

Page top