Scan for indicators of compromise (IOC)

An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the computer (compromise of data). For example, many unsuccessful attempts to sign in to the system can constitute an Indicator of Compromise.

IOC Scan task is a group or local task that uses IOC files containing a set of indicators of compromise. In case of a match indicators of compromise, the application performs the action specified in the properties of the IOC Scan task.

If you want to add indicators of compromise manually, please read the requirements for IOC files.

You can create IOC Scan tasks in the following ways:

In alert details.
Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer. For more information about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help.
In the Web Console.
On the command line.

How to create, configure, and start the IOC Scan task in the Kaspersky Security Center Web Console

In the main window of the Web Console, select Assets (Devices) → Tasks.
The list of tasks opens.
Click Add.
The Task Wizard starts.
Configure the task settings:
1. In the Application drop-down list, select Kaspersky Industrial CyberSecurity for Nodes.
2. In the Task type drop-down list, select IOC Scan.
3. If necessary, edit the task name in the Task name field.
4. In the Devices to which the task will be assigned block, select the task scope.
Select devices according to the selected task scope option.
Enter the account credentials of the user whose rights you want to use to run the task.
By default, Kaspersky Industrial CyberSecurity for Nodes starts the task as the system user account (SYSTEM).

The system account (SYSTEM) does not have permission to perform the IOC Scan task on network drives. If you want to run the task for a network drive, select the account of a user that has access to that drive.
Complete the wizard operation.
The created task is displayed in the list of tasks.
Click the name of the created task.
The task properties window opens.
Select the Application settings tab.
Go to the IOC Scan settings section.
Load the IOC files to search for indicators of compromise.
We do not recommend adding or removing IOC files after starting the task. This can cause the IOC scan results to display incorrectly for prior runs of the task. To search for indicators of compromise with new IOC files, we recommend adding new tasks.
If necessary, configure Retrospective IOC Scan. In this mode of the IOC Scan task, Kaspersky Industrial CyberSecurity for Nodes searches for indicators of compromise in data of protected devices received over the specified period of time. The application analyzes data in operating system logs and browser logs installed on the protected computer.
To start the task in Retrospective IOC Scan mode, the uploaded IOC files must include one of or more terms from this list: FileItem/*, Network/*, PortItem/*, ProcessItem/*, RegistryItem/*, UrlHistoryItem/*.

Do the following:
1. Select the Enable Retrospective IOC Scan check box.
2. Specify the time period for the search in days. The maximum value is 14 days.
  While running the task, the application analyzes information collected for the specified period, starting from the time when the task was started.
  
  The default setting is 1 day.
3. In the Advanced section of task properties, make sure that check boxes are selected for all data types mentioned in the uploaded IOC file.
4. If the uploaded IOC file contains an indicator of compromise with the Network/* term, select the check box next to the Network data - NetworkItem data type, which is cleared by default.
The IOC Scan task starts in the retrospective scanning mode. In this mode, for each file, the application publishes normal task results and retrospective IOC scan results.

Kaspersky Industrial CyberSecurity for Nodes displays the PID and UPID fields only for retrospective scan results. Also, if extended telemetry is disabled, retrospective IOC scanning has the following limitations:
- The application does not populate the Created, Modified, Changed, Accessed, FileAttributes fields for FileItem records.
- For existing files that have not been executed, the Md5sum, Sha256sum, SizeInBytes fields in retroscan results are set to 0.
- For detected files that have been deleted, the application does not compute a hash.
If necessary, configure the actions to be performed by Kaspersky Industrial CyberSecurity for Nodes when it detects an indicator of compromise.
1. Select the Take response actions after an IOC is found check box.
2. Select check box next to the actions to be performed by Kaspersky Industrial CyberSecurity for Nodes when it detects an indicator of compromise:
  - Isolate computer from the network. If this option is selected, Kaspersky Industrial CyberSecurity for Nodes isolates the computer from the network to prevent the threat from spreading. You can configure the duration of the isolation in Endpoint Detection and Response (KSC) component settings.
  - Move copy to Quarantine, delete object. If this option is selected, Kaspersky Industrial CyberSecurity for Nodes deletes the malicious object found on the computer. Before deleting an object, Kaspersky Industrial CyberSecurity for Nodes creates a backup copy and places it in quarantine.
  - Run Critical Areas Scan. If this option is selected, Kaspersky Industrial CyberSecurity for Nodes runs the predefined task: Critical Areas Scan.
Go to the Advanced section.
Select data types (IOC documents) that must be analyzed as part of the task.
Kaspersky Industrial CyberSecurity for Nodes automatically selects data types (IOC documents) for the IOC Scan task in accordance with the content of loaded IOC files. We do not recommend clearing the selection of data types on your own.

For the Windows registry - RegistryItem data type, Kaspersky Industrial CyberSecurity for Nodes analyses a predefined set of registry keys.
If necessary, specify additional settings for the Files - FileItem data type.
1. Click IOC files.
  The File scan settings - FileItem window opens.
2. Under Search for IOC in the following areas, select data that you want to be analyzed by the task.
3. Under Scan custom areas, select areas on disks of the protected device in which you want to look for indicators for compromise.
  By default, Kaspersky Industrial CyberSecurity for Nodes scans for IOCs only in important areas of the computer, such as the Downloads folder, the desktop, the folder with temporary operating system files, etc. You can specify your own paths to the areas that you need.
4. Click OK.
If necessary, specify additional settings for the Windows event logs - EventLogItem data type.
1. Click Logs and dates.
  The Windows event log scan settings - EventLogItem window opens.
2. To have the task ignore events that were registered before a certain moment, select the Scan only events that are logged within the specified period check box and specify the date and time.
3. Under Scan events that belong to the following channels, select Windows event logs you want to be analyzed by the task.
4. Click OK.
In the task properties window, select the Schedule tab.
Configure the task schedule.
Save your changes.
Select the check box next to the task.
Click Start.

How to configure and start the IOC Scan task on the command line

On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
Using the cd command, navigate to the folder where the kavshell.exe file is located.
For example: cd C:\Program Files (x86)\Kaspersky Lab\Kaspersky Industrial CyberSecurity for Nodes.4.5.0
Enter the command:
KAVSHELL SCAN-IOC <full path to IOC file> [/PATH:<path to a folder with IOC files>] [/PROCESS=no] [/HINT=<full path to the executable file of the process|full path to the file>] [/REGISTRY=no] [/DNSENTRY=no] [/ARPENTRY=no] [/PORTS=no] [/SERVICES=no] [/SYSTEM=no] [/USERS=no] [/VOLUMES=no] [/EVENTLOG=no] [/DATETIME=<event publication date>] [/CHANNELS=<list of channels>] [/FILES=no] [/DRIVES=<all|system|critical|custom>] [/NETWORK=no] [/URL=no] [/EMAIL=no] [/ROUTE=no] [/RETRO] [/EXCLUDES=<list of exclusions>] [/SCOPE=<configurable list of folders>]

Press Enter.

Command line options for configuring and starting an IOC Scan task

Options	Description
`SCAN-IOC`	Required argument. Starts the standard IOC scan task on the device.
`<full path to IOC file>`	full path to the IOC file with the ioc or xml extension that you want to use for the search. Required argument if the `/PATH:<path to the folder with IOC files>` parameter is not specified.
`/PATH:<path to a folder with IOC files>`	Path to the folder with IOC files that you want to use for scanning. Required argument if `<full path to IOC file>` is not specified.
`/PROCESS=no`	Optional argument. Disable process information analysis during the scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not analyze processes running on the computer when performing the scan. If the IOC file contains IOC terms of the ProcessItem IOC document, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes analyzes process data only if the ProcessItem IOC document is described in the IOC file that is provided for the scan.
`/HINT=<full path to the executable file of the process\|full path to the file>`	Optional argument. This argument allows narrowing down the scope of analyzed data for scans using ProcessItem and FileItem IOC documents by specifying an individual file. You can pass the following as the value of this argument: `<full path to executable file of the process` `(ProcessItem)>` – ProcessItem `<full path to file>` – FileItem This argument can only be passed in conjunction with the `/PROCESS=yes` and `/FILES=yes` arguments.
`/REGISTRY=no`	Optional argument. This argument disables the analysis of registry keys (IOC document RegistryItem) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not analyze information about registry keys. If the IOC file contains RegistryItem IOC document terms, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes analyzes the registry only if the RegistryItem IOC document is described in the IOC file that is provided for the scan.
`/DNSENTRY=no`	Optional argument. This argument disables the analysis of local DNS cache records (IOC document DnsEntryItem) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not scan the local DNS cache. If the IOC file contains DnsEntryItem IOC document terms, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes scans local DNS cache only if the DnsEntryItem IOC document is described in the IOC file that is provided for the scan.
`/ARPENTRY=no`	Optional argument. This argument disables the analysis of local ARP table records (IOC document ArpEntryItem) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not scan the local ARP table. If the IOC file contains ArpEntryItem IOC document terms, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes scans the local ARP table only if the ArpEntryItem IOC document is described in the IOC file that is provided for the scan.
`/PORTS=no`	Optional argument. This argument disables the analysis of information about ports being listened on (IOC document PortItem) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not scan the table of active connections on the device. If the IOC file contains PortItem IOC document terms, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes scans the table of active connections only if the PortItem IOC document is described in the IOC file that is provided for the scan.
`/SERVICES=no`	Optional argument. This argument disables the analysis of information about services installed on the device (IOC document ServiceItem) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not scan the information about services installed on the device. If the IOC file contains ServiceItem IOC document terms, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes analyzes service information only if the ServiceItem IOC document is described in the IOC file that is provided for the scan.
`/SYSTEM=no`	Optional argument. This argument disables the analysis of information about the environment (IOC document SystemInfoItem) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not analyze information about the environment. If the IOC file contains SystemInfoItem IOC document terms, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes analyzes environment information only if the SystemInfoItem IOC document is described in the IOC file that is provided for the scan.
`/USERS=no`	Optional argument. This argument disables the analysis of information about users (IOC document UserItem) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not analyze information about users created in the system. If the IOC file contains UserItem IOC document terms, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes analyzes information about users created in the system only if the UserItem IOC document is described in the IOC file that is provided for the scan.
`/VOLUMES=no`	Optional argument. This argument disables the analysis of information about volumes (IOC document VolumeItem) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not scan the information about volumes on the device. If the IOC file contains VolumeItem IOC document terms, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes analyzes volume information only if the VolumeItem IOC document is described in the IOC file that is provided for the scan.
`/EVENTLOG=no`	Optional argument. This argument disables the analysis of Windows Event Log records (IOC document EventLogItem) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not scan Windows Event Log records. If the IOC file contains EventLogItem IOC document terms, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes analyzes Windows Event Log records only if the EventLogItem IOC document is described in the IOC file that is provided for the scan.
`/DATETIME=<event publication date>`	Optional argument. The parameter allows enabling or disabling the consideration the date when the event was published in the Windows event log when determining the IOC scan scope for the corresponding IOC document. When performing an IOC scan, Kaspersky Industrial CyberSecurity for Nodes scans only those events that were published during the period from the specified time and date to the moment when the task is run. Kaspersky Industrial CyberSecurity for Nodes allows specifying the event publication date as the value of the argument. The scan is performed only for events published in the Windows event log after the specified date and before the scan is run. If the argument is not specified, Kaspersky Industrial CyberSecurity for Nodes scans events with any publication date. The setting is used only if the EventLogItem IOC document is described in the IOC file provided for the scan.
`/CHANNELS=<list of channels>`	Optional argument. This argument lets you pass a list of channel (log) names for which you want to perform an IOC scan. If this argument is passed, when running the IOC scan task, Kaspersky Industrial CyberSecurity for Nodes considers only events that have been published in the specified logs. The name of the log is specified as a string in accordance with the name of the log (channel) specified in the properties of the log (the Full Name parameter) or in the event properties (the <Channel></Channel> parameter in the xml schema of the event). By default (including the case when this argument is not passed), the IOC scan is performed for the Application, System and Security channels. You can pass multiple values in this argument (space-separated). The setting is used only if the EventLogItem IOC document is described in the IOC file provided for the scan.
`/FILES=no`	Optional argument. This argument disables the analysis of information about files (IOC document FileItem) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not analyze information about files. If the IOC file contains FileItem IOC document terms, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes analyzes file information only if the FileItem IOC document is described in the IOC file that is provided for the scan.
`/DRIVES=<all\|system\|critical\|custom>`	Optional argument. This argument lets you specify the IOC scan scope when analyzing data for the FileItem IOC document. You can use one of the following values: `<all>` makes the application scan all available file areas. `<system>` makes the application scan only the files in folders in which the operating system is installed. `<critical>` makes the application scan only temporary files in user and system folders. `<custom>` makes the application scan only files in user-specified scopes. If the argument is not specified, critical areas are scanned.
`/NETWORK=no`	Optional argument. This argument disables the scan for threats based on the Network IOC document during the IOC scan. If the value of the argument is <no>, Kaspersky Industrial CyberSecurity for Nodes does not scan for threats based on the Network IOC document. If the IOC file contains terms of the Network IOC document, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes enables the scan for threats based on the Network IOC document only if the Network IOC document is described in the IOC file that is provided for the scan.
`/URL=no`	Optional argument. This argument disables the scan for threats based on the UrlHistoryItem IOC document during the IOC scan. If the value of the argument is <no>, Kaspersky Industrial CyberSecurity for Nodes does not scan for threats based on the UrlHistoryItem IOC document. If the IOC file contains terms of the UrlHistoryItem IOC document, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes enables the scan for threats based on the UrlHistoryItem IOC document only if the UrlHistoryItem IOC document is described in the IOC file that is provided for the scan.
`/EMAIL=no`	Optional argument. This argument disables the analysis of mail objects (IOC document Email) during the IOC scan. If the value of the argument is `<no>`, Kaspersky Industrial CyberSecurity for Nodes does not analyze mail objects. If the IOC file contains terms of the Email IOC document, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes analyzes mail objects only if the Email IOC document is described in the IOC file that is provided for the scan.
`/ROUTE=no`	Optional argument. This argument enables the scan for threats based on the RouteEntryItem IOC document during the IOC scan. If the value of the argument is <no>, Kaspersky Industrial CyberSecurity for Nodes does not scan for threats based on the RouteEntryItem IOC document. If the IOC file contains terms of the UrlHistoryItem IOC document, they are ignored (detected as no match). If this argument is not specified, Kaspersky Industrial CyberSecurity for Nodes enables the scan for threats based on the RouteEntryItem IOC document only if the RouteEntryItem IOC document is described in the IOC file that is provided for the scan.
`/RETRO`	Optional argument. This argument runs the task in Retrospective IOC Scan mode. With this argument, you can additionally pass the period for which you want the application to perform a retrospective IOC scan by using the `DEPTH=<interval in days>` argument. The maximum value is 14 days. Time is counted from the moment when the task was started. Example: `KAVSHELL SCAN-IOC /PATH=<path to a folder with IOC files> /RETRO /DEPTH=2` If the time interval is not passed it defaults to 1 day.
`/EXCLUDES=<list of exclusions>`	Optional argument. This argument lets you specify exclusion scopes when analyzing data for the FileItem IOC document. You can pass multiple space-delimited paths in this argument. If the argument is not specified, the scan is performed without exclusions.
`/SCOPE=<configurable list of folders>`	Optional argument. This arguments becomes required if the /`DRIVES=custom` argument is specified. This argument lets you specify a list of scan scopes. You can pass multiple space-delimited paths in this argument.

Return codes of the SCAN-IOC command:

-1: the command is not supported by the version of Kaspersky Industrial CyberSecurity for Nodes that is installed on the device.
0 – the command completed successfully.
1 – a mandatory argument was not passed to the command.
2 – general error.
4 – syntax error.

If the command has completed successfully (return value 0) and it detected indicators of compromise, Kaspersky Industrial CyberSecurity for Nodes outputs the following task result information to the command line:

Information that the application outputs to the command line when it detects indicators of compromise

`Uuid`	ID of the IOC file from the header of the IOC file structure (the `<ioc id="">` tag)
`Name`	Description of the IOC file from the header of the IOC file structure (the `<description></description>` tag)
`Matched Indicator Items`	List of IDs of all matched indicators.
`Matched objects`	Data for each IOC document for which there was a match.
`Date`	Creation date of the file in which indicators of compromise were found.
`Created`	Only for FileItem. Creation date of the object in which indicators of compromise were found.
`Pid`	ID of the process for which indicators of compromise were found.
`Upid`	Unique ID of the process for which indicators of compromise were found.
`ParentPid`	ID of the parent object containing the process for which indicators of compromise were found.
`Username`	Name of the user that modified the scanned object.
`StartTime`	Start time of the process for which indicators of compromise were found.

You can view the results of the task in task properties in the Results section. You can view the information about detected indicators of compromise in the task properties: Application settings → IOC Scan results.

Kaspersky Industrial CyberSecurity for Nodes looks for duplicates among records created for the same IOC file and keeps only unique records in task results. Duplicates are records of the same type that have the same values of all compared fields. The application also may not create a record if it lacks a value in one or more field (see the table below).

Type	Compared fields	Condition for not creating a record
FileItem	FullPath Md5sum Sha256sum PID UPID ImagePath	Missing values of the FullPath, Md5sum, Sha256sum fields. Missing values of the FullPath field and identical values of the Md5sum, Sha256sum fields.
RegistryItem	Hive KeyPath ValueName Text Type	Missing value of at least one of the following fields: Hive, KeyPath, ValueName.
ProcessItem	startTime PID	Missing value of the startTime or PID field.

The Alert Details window may display RegistryItem records with identical field values. Such records are not duplicates because they have different values of the Text field, which is not displayed in the interface.

IOC scan results are kept for 30 days. After this period, Kaspersky Industrial CyberSecurity for Nodes automatically deletes the oldest entries.

An IOC scan is ended after finding 128 matches with indicators of compromise described in IOC files. This is necessary to limit the number of entries in the IOC Scan task report to make analysis easier and to prevent the report from becoming too big because of imprecisely formulated indicators of compromise that can produce an extraordinary number of matches.

Page top