
Registry branches that are scanned by the IoC task [Kaspersky Endpoint Agent]


When creating an IoC scan task, only the following registry branches are scanned.

<field name="predefined_keypaths" type="wstring" multi-valued="yes" default-value=
               '{
                  LR"(HKEY_CLASSES_ROOT\htafile)",
                  LR"(HKEY_CLASSES_ROOT\batfile)",
                  LR"(HKEY_CLASSES_ROOT\exefile)",
                  LR"(HKEY_CLASSES_ROOT\comfile)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\piffile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\htafile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\exefile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\comfile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\CLSID)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run)",
                  LR"((HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)"
                }'
             tag-id="2" tag-name="PredefinedKeyPaths"/>

IoC tasks that are configured to scan other branches of the registry will not return any results.
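A pre-flight check for this limitation, added here as an example (it is not Kaspersky code): it reports which registry key paths from an IoC file fall outside the predefined branches and so would never produce a match. The function names, the case-insensitive comparison, and the treatment of subkeys as part of a listed branch are assumptions, and the sample key paths are constructed.

```python
def _norm(path):
    # Assumption: comparison is case-insensitive, like Windows registry paths.
    return path.strip().rstrip("\\").lower()

# Branches copied from the PredefinedKeyPaths default value above. The Active Setup
# entry is printed there with a doubled "(", assumed here to be a typo and dropped.
BRANCHES = [_norm(p) for p in r"""
HKEY_CLASSES_ROOT\htafile
HKEY_CLASSES_ROOT\batfile
HKEY_CLASSES_ROOT\exefile
HKEY_CLASSES_ROOT\comfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\Software\Classes\piffile
HKEY_LOCAL_MACHINE\Software\Classes\htafile
HKEY_LOCAL_MACHINE\Software\Classes\exefile
HKEY_LOCAL_MACHINE\Software\Classes\comfile
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
""".strip().splitlines()]

def is_scanned(key_path):
    """True if key_path is a listed branch or a subkey of one (assumed semantics)."""
    key = _norm(key_path)
    return any(key == b or key.startswith(b + "\\") for b in BRANCHES)

def unscanned(key_paths):
    """Return the IoC key paths that lie outside every scanned branch."""
    return [p for p in key_paths if not is_scanned(p)]

if __name__ == "__main__":
    # Constructed sample key paths standing in for an IoC file's registry terms.
    for p in unscanned([r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"]):
        print("outside scanned branches:", p)
```

Both sample paths are reported: the per-user `Run` key is under a hive that is not listed, and `RunOnce` is a sibling of the listed `Run` key rather than a subkey of it.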
