Registry branches that are scanned by the IoC task [Kaspersky Endpoint Agent]
When creating an IoC scan task, only the following registry branches are scanned.
<field name="predefined_keypaths" type="wstring" multi-valued="yes" default-value=
'{
LR"(HKEY_CLASSES_ROOT\htafile)",
LR"(HKEY_CLASSES_ROOT\batfile)",
LR"(HKEY_CLASSES_ROOT\exefile)",
LR"(HKEY_CLASSES_ROOT\comfile)",
LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)",
LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors)",
LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider)",
LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class)",
LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders)",
LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server)",
LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager)",
LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services)",
LR"(HKEY_LOCAL_MACHINE\Software\Classes\piffile)",
LR"(HKEY_LOCAL_MACHINE\Software\Classes\htafile)",
LR"(HKEY_LOCAL_MACHINE\Software\Classes\exefile)",
LR"(HKEY_LOCAL_MACHINE\Software\Classes\comfile)",
LR"(HKEY_LOCAL_MACHINE\Software\Classes\CLSID)",
LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)",
LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad)",
LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer)",
LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run)",
LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components)",
LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)",
LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options)",
LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug)",
LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)"
}'
tag-id="2" tag-name="PredefinedKeyPaths"/>
IoC tasks that are configured to scan other branches of the registry will not return any results.