Registry branches that are scanned by the IoC task [Kaspersky Endpoint Agent]


Recommended Posts

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

When creating an IoC scan task, only the following registry branches are scanned.

<field name="predefined_keypaths" type="wstring" multi-valued="yes" default-value=
               '{
                  LR"(HKEY_CLASSES_ROOT\htafile)",
                  LR"(HKEY_CLASSES_ROOT\batfile)",
                  LR"(HKEY_CLASSES_ROOT\exefile)",
                  LR"(HKEY_CLASSES_ROOT\comfile)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class)",
                  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager)",
                  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\piffile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\htafile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\exefile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\comfile)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Classes\CLSID)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options)",
                  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug)",
                  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)"
                }'
             tag-id="2" tag-name="PredefinedKeyPaths"/>

IoC tasks that are configured to scan other branches of the registry will not return any results.
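Because an IoC that references a key outside these branches silently yields nothing, it is worth validating an indicator file against the list before scheduling a scan. The following Python script is an added example, not Kaspersky's code: it parses a constructed OpenIOC-style file, pulls out every `RegistryItem/KeyPath` indicator item, and reports whether each key lies inside a scanned branch. It assumes that subkeys of a listed branch are covered (the post says "branches"), that comparison is case-insensitive (the list itself mixes `System` and `SYSTEM`), and that hive abbreviations such as `HKLM` should be expanded before comparing; the `RegistryItem/KeyPath` term is the standard OpenIOC name, not something the post states.

```python
import xml.etree.ElementTree as ET

# Registry branches scanned by the IoC task, copied from the post above.
PREDEFINED_KEYPATHS = [
    r"HKEY_CLASSES_ROOT\htafile",
    r"HKEY_CLASSES_ROOT\batfile",
    r"HKEY_CLASSES_ROOT\exefile",
    r"HKEY_CLASSES_ROOT\comfile",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services",
    r"HKEY_LOCAL_MACHINE\Software\Classes\piffile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\htafile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\exefile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\comfile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
]

# Assumption: hive abbreviations are expanded before comparison.
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT",
                "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}


def normalize(path):
    """Expand the hive alias and upper-case the path (registry paths are case-insensitive)."""
    path = path.strip().strip("\\").replace("/", "\\")
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).upper()


SCANNED = [normalize(p) for p in PREDEFINED_KEYPATHS]


def is_scanned(key_path):
    """True if key_path is a predefined branch or a subkey of one (assumption: subtrees count)."""
    norm = normalize(key_path)
    return any(norm == b or norm.startswith(b + "\\") for b in SCANNED)


def _local(tag):
    # Strip the XML namespace so the check works with or without the OpenIOC xmlns.
    return tag.rsplit("}", 1)[-1]


def check_openioc(xml_text):
    """Return [(key_path, covered)] for every RegistryItem/KeyPath IndicatorItem."""
    results = []
    for item in ET.fromstring(xml_text).iter():
        if _local(item.tag) != "IndicatorItem":
            continue
        context = content = None
        for child in item:
            if _local(child.tag) == "Context":
                context = child.get("search")
            elif _local(child.tag) == "Content":
                content = (child.text or "").strip()
        if context == "RegistryItem/KeyPath" and content:
            results.append((content, is_scanned(content)))
    return results


# Constructed sample indicator file (not from the post); the HKCU Run key is deliberately
# outside the scanned branches to show the silent-miss case.
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-example">
  <definition><Indicator operator="OR">
    <IndicatorItem condition="is">
      <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir"/>
      <Content type="string">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</Content>
    </IndicatorItem>
    <IndicatorItem condition="is">
      <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir"/>
      <Content type="string">HKCU\Software\Microsoft\Windows\CurrentVersion\Run</Content>
    </IndicatorItem>
    <IndicatorItem condition="is">
      <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir"/>
      <Content type="string">HKLM\SYSTEM\CurrentControlSet\Services\Constructed-Svc</Content>
    </IndicatorItem>
  </Indicator></definition>
</ioc>"""

if __name__ == "__main__":
    for key, covered in check_openioc(SAMPLE_IOC):
        print(("scanned    " if covered else "NOT scanned") + "  " + key)
```

Run against a real indicator file, any `NOT scanned` line marks a registry indicator the task will never match, so that indicator should be moved to another detection mechanism rather than left in the IoC file. Note that siblings of listed keys such as `...\CurrentVersion\RunOnce` are not covered either, since the list names `Run` only.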
