Supported OpenIOC Indicators of Compromise

Kaspersky Anti Targeted Attack Platform supports the OpenIOC open standard indicators of compromise shown in the table below.

Supported Indicators of Compromise

| OpenIOC Indicator of Compromise | Implementation Limitations (if any) |
| --- | --- |
| FileItem/FileName | None |
| FileItem/Md5sum | None |
| FileItem/FilePath | Resolving user-specific environment variables (for example, %APPDATA%, %UserName%) is not supported. |
| FileItem/SizeInBytes | None |
| RegistryItem/KeyPath | None |
| RegistryItem/Path | Scanning user-specific keys under HKEY_CURRENT_USER and HKEY_CLASSES_ROOT is not supported for unauthorized users. |
| RegistryItem/Value | None |
| FileItem/PEInfo/PETimeStamp | None |
| FileItem/FullPath | Resolving user-specific environment variables (for example, %APPDATA%, %UserName%) is not supported. |
| PortItem/remoteIP | None |
| FileItem/PEInfo/DetectedAnomalies/string | Only checksum_is_zero is supported. |
| FileItem/FileExtension | None |
| DnsEntryItem/RecordName | None |
| ProcessItem/name | None |
| RegistryItem/ValueName | None |
| RegistryItem/Text | None |
| ServiceItem/name | None |
| FileItem/PEInfo/Exports/ExportedFunctions/string | None |
| FileItem/PEInfo/Exports/DllName | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename | None |
| FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription | None |
| ProcessItem/arguments | None |
| PortItem/remotePort | None |
| DnsEntryItem/RecordData/IPv4Address | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName | None |
| FileItem/PEInfo/Exports/NumberOfFunctions | None |
| FileItem/PEInfo/DigitalSignature/SignatureExists | None |
| ProcessItem/SectionList/MemorySection/Name | None |
| FileItem/PEInfo/Type | None |
| ProcessItem/path | None |
| PortItem/localPort | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName | None |
| ProcessItem/SectionList/MemorySection/Md5sum | None |
| DnsEntryItem/Host | None |
| PortItem/protocol | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName | None |
| ServiceItem/description | None |
| FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Name | None |
| FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Language | None |
| ServiceItem/descriptiveName | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/Language | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright | None |
| FileItem/PEInfo/ImportedModules/Module/Name | None |
| ServiceItem/serviceDLL | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileVersion | None |
| FileItem/PEInfo/Sections/Section/Name | None |
| FileItem/PEInfo/DigitalSignature/SignatureVerified | None |
| ServiceItem/path | None |
| FileItem/PEInfo/Subsystem | None |
| FileItem/Sha256sum | None |
| RegistryItem/Type | None |
| FileItem/PEInfo/DigitalSignature/CertificateSubject | None |
| EventLogItem/EID | None |
| FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Type | None |
| VolumeItem/Name | None |
| EventLogItem/source | None |
| PortItem/state | None |
| UserItem/Username | Only local users are scanned; scanning domain users is not supported. |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductVersion | None |
| DnsEntryItem/RecordType | None |
| VolumeItem/VolumeName | None |
| PortItem/localIP | None |
| ProcessItem/parentpid | None |
| FileItem/PEInfo/DigitalSignature/CertificateIssuer | None |
| ProcessItem/SectionList/MemorySection/Protection | None |
| ProcessItem/SectionList/MemorySection/Sha256sum | None |
| FileItem/PEInfo/Exports/ExportsTimeStamp | None |
| ProcessItem/Username | None |
| ServiceItem/status | None |
| ArpEntryItem/CacheType | None |
| ArpEntryItem/IPv4Address | None |
| ArpEntryItem/Interface | None |
| ArpEntryItem/PhysicalAddress | None |
| DnsEntryItem/DataLength | None |
| DnsEntryItem/Flags | None |
| DnsEntryItem/RecordData/Host | None |
| DnsEntryItem/TimeToLive | None |
| VolumeItem/ActualAvailableAllocationUnits | None |
| VolumeItem/BytesPerSector | None |
| VolumeItem/CreationTime | None |
| VolumeItem/DevicePath | None |
| VolumeItem/DriveLetter | None |
| VolumeItem/FileSystemFlags | None |
| VolumeItem/FileSystemName | None |
| VolumeItem/IsMounted | None |
| VolumeItem/SectorsPerAllocationUnit | None |
| VolumeItem/SerialNumber | None |
| VolumeItem/TotalAllocationUnits | None |
| VolumeItem/Type | None |
| UserItem/LastLogin | None |
| UserItem/SecurityID | None |
| UserItem/SecurityType | None |
| UserItem/description | None |
| UserItem/disabled | None |
| UserItem/fullname | None |
| UserItem/homedirectory | None |
| UserItem/lockedout | None |
| UserItem/passwordrequired | None |
| UserItem/scriptpath | None |
| UserItem/userpasswordage | None |
| PortItem/CreationTime | None |
| PortItem/path | None |
| PortItem/pid | None |
| PortItem/process | None |
| EventLogItem/log | None |
| EventLogItem/index | None |
| EventLogItem/user | None |
| EventLogItem/genTime | None |
| EventLogItem/machine | None |
| EventLogItem/CorrelationActivityId | None |
| EventLogItem/CorrelationRelatedActivityId | None |
| EventLogItem/ExecutionProcessId | None |
| EventLogItem/ExecutionThreadId | None |
| RegistryItem/Hive | Scanning user-specific keys under HKEY_CURRENT_USER and HKEY_CLASSES_ROOT is not supported for unauthorized users. |
| ServiceItem/pid | None |
| ServiceItem/type | None |
| ServiceItem/startedAs | None |
| ServiceItem/arguments | None |
| ServiceItem/mode | None |
| ProcessItem/pid | None |
| ProcessItem/startTime | None |
| ProcessItem/SectionList/MemorySection/RegionSize | None |
| ProcessItem/SectionList/MemorySection/RegionStart | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/Comments | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalTrademarks | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/PrivateBuild | None |
| FileItem/PEInfo/VersionInfoList/VersionInfoItem/SpecialBuild | None |
| FileItem/PEInfo/BaseAddress | None |
| FileItem/PEInfo/Exports/NumberOfNames | None |
| FileItem/PEInfo/ImportedModules/Module/NumberOfFunctions | None |
| FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Size | None |
| FileItem/PEInfo/Sections/ActualNumberOfSections | None |
| FileItem/PEInfo/Sections/NumberOfSections | None |
| FileItem/PEInfo/Sections/Section/SizeInBytes | None |

See also

IOC scan of events

Viewing the table of IOC files

Viewing information about an IOC file

Uploading an IOC file

Downloading an IOC file to a computer

Enabling and disabling the automatic use of an IOC file when scanning events

Deleting an IOC file

Searching IOC scan results

Filtering and searching IOC files

Clearing an IOC file filter

Configuring an IOC scan schedule