Kaspersky Endpoint Security

Overview

Kaspersky Endpoint Security is an advanced security solution designed to safeguard businesses, their networks, and data against a wide array of cyber threats. Employing a multi-layered approach, it integrates various protection technologies including signature-based detection, heuristic analysis, machine learning, and real-time monitoring to detect and thwart malware, ransomware, zero-day attacks, and other threats effectively.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

The following Sekoia.io built-in rules match the intake Kaspersky Endpoint Security [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake, which are checked against our rules. This means that some rules will be listed but might not be relevant to this intake.

SEKOIA.IO x Kaspersky Endpoint Security [BETA] on ATT&CK Navigator

Cron Files Alteration

Cron files and the cron directory are altered by attackers for persistence or privilege escalation.

  • Effort: advanced
Formbook File Creation DB1

Detects the creation of a specific file (Users*\AppData\Local\Temp\DB1) used to store data before exfiltration (Formbook behavior). Sysmon event ID 11 logging is usually used for this detection.

  • Effort: intermediate
NTDS.dit File In Suspicious Directory

The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). A copy elsewhere is usually really suspicious and could indicate an attacker trying to copy the file in order to look for users' password hashes.

  • Effort: advanced
OneNote Embedded File

Detects creation or uses of OneNote embedded files with unusual extensions.

  • Effort: intermediate
Package Manager Alteration

Package managers (e.g. apt, yum) can be altered to install malicious software.

  • Effort: advanced
Phorpiex Process Masquerading

Detects a specific process executable path used by the Phorpiex botnet to masquerade its network activity as that of a system process. It looks for a system process executable name that is not legitimate and is running from a folder whose name is generated randomly and is 13 to 15 digits long.

  • Effort: elementary
Potential Azure AD Phishing Page (Adversary-in-the-Middle)

Detects an HTTP request to a URL typical of the Azure AD authentication flow, but towards a domain that is not one of the legitimate Microsoft domains used for Azure AD authentication.

  • Effort: intermediate
RTLO Character

Detects the RTLO (Right-To-Left Override) character in file and process names.

  • Effort: elementary
SSH Authorized Key Alteration

The file authorized_keys is used by the SSH server to identify the SSH keys that are authorized to connect to the host; alteration of one of those files might indicate a user compromise.

  • Effort: advanced
Suspicious ADSI-Cache Usage By Unknown Tool

Detects the usage of ADSI (LDAP) operations by tools. It may also detect tools like LDAPFragger. It needs file-monitoring capabilities (Sysmon Event ID 11 with .sch file creation logging).

  • Effort: advanced
Suspicious desktop.ini Action

Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.

  • Effort: advanced
WCE wceaux.dll Creation

Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.

  • Effort: intermediate
Webshell Creation

Detects possible webshell file creation. It requires file creation monitoring, which can be done using Sysmon's Event ID 11. However, the recommended SwiftOnSecurity configuration does not fully cover the needs of this rule; it needs to be updated with the proper file name extensions.

  • Effort: master

Event Categories

The following table lists the data sources offered by this integration.

Data Source Description
Anti-virus Kaspersky Endpoint Security prevents malware infections
File monitoring Kaspersky Endpoint Security analyzes all files and protects machines from malicious files
Web logs Kaspersky Endpoint Security logs provide information about suspicious web activity

In detail, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category malware, process
Type info

Event Samples

Find below a few samples of events and how they are normalized by Sekoia.io.

{
    "message": "Event type: Error verifying application databases and modules\\r\\nResult description: Error\\r\\nError: Update files are corrupted\\r\\nObject type: Web page\\r\\nObject name: updates/kdb/i386/kdb-i386-1901g.xml\\r\\nUser: MyMachine\\jdoe (Active user)\\r\\nRelease date: 12/14/2023 3:49:00 PM",
    "event": {
        "action": "Error",
        "category": [
            "process"
        ],
        "kind": "event",
        "reason": "Error verifying application databases and modules",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-12-14T15:49:00Z",
    "error": {
        "message": "Update files are corrupted"
    },
    "observer": {
        "product": "Kaspersky Endpoint Security",
        "type": "edr",
        "vendor": "Kaspersky"
    },
    "related": {
        "user": [
            "jdoe"
        ]
    },
    "url": {
        "path": "updates/kdb/i386/kdb-i386-1901g.xml"
    },
    "user": {
        "domain": "MyMachine",
        "name": "jdoe"
    }
}
{
    "message": "Event type: Not all components were updated\\r\\nResult description: Error\\r\\nError: Not all components were updated\\r\\nUser: MyMachine\\jdoe (Active user)\\r\\nRelease date: 12/14/2023 3:49:00 PM",
    "event": {
        "action": "Error",
        "category": [
            "process"
        ],
        "kind": "event",
        "reason": "Not all components were updated",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-12-14T15:49:00Z",
    "error": {
        "message": "Not all components were updated"
    },
    "observer": {
        "product": "Kaspersky Endpoint Security",
        "type": "edr",
        "vendor": "Kaspersky"
    },
    "related": {
        "user": [
            "jdoe"
        ]
    },
    "user": {
        "domain": "MyMachine",
        "name": "jdoe"
    }
}
{
    "message": "Result description: Detected\\r\\nType: Virus\\r\\nName: EICAR-Test-File\\r\\nUser: MyMachine\\jdoe (Initiator)\\r\\nObject: C:\\Users\\jdoe\\Downloads\\eicar-com.txt\\r\\nReason: Expert analysis\\r\\nDatabase release date: 12/14/2023 8:15:00 AM\\r\\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\\r\\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F\n",
    "event": {
        "action": "Detected",
        "category": [
            "malware"
        ],
        "kind": "event",
        "reason": "Expert analysis",
        "type": [
            "info"
        ]
    },
    "file": {
        "hash": {
            "md5": "44D88612FEA8A8F36DE82E1278ABB02F",
            "sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
        },
        "name": "eicar-com.txt",
        "path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt"
    },
    "observer": {
        "product": "Kaspersky Endpoint Security",
        "type": "edr",
        "vendor": "Kaspersky"
    },
    "related": {
        "hash": [
            "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
            "44D88612FEA8A8F36DE82E1278ABB02F"
        ],
        "user": [
            "jdoe"
        ]
    },
    "threat": {
        "software": {
            "name": "EICAR-Test-File",
            "type": "Malware"
        }
    },
    "user": {
        "domain": "MyMachine",
        "name": "jdoe"
    }
}
{
    "message": "Result description: Not processed\\r\\nType: Virus\\r\\nName: EICAR-Test-File\\r\\nUser: MyMachine\\jdoe (Initiator)\\r\\nObject: C:\\Users\\jdoe\\Downloads\\eicar-com.txt\\r\\nReason: Already processed\\r\\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\\r\\nMD5: 44D88612FEA8A8F36DE82E1278ABB02",
    "event": {
        "action": "Not processed",
        "category": [
            "malware"
        ],
        "kind": "event",
        "reason": "Already processed",
        "type": [
            "info"
        ]
    },
    "file": {
        "hash": {
            "md5": "44D88612FEA8A8F36DE82E1278ABB02",
            "sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
        },
        "name": "eicar-com.txt",
        "path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt"
    },
    "observer": {
        "product": "Kaspersky Endpoint Security",
        "type": "edr",
        "vendor": "Kaspersky"
    },
    "related": {
        "hash": [
            "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
            "44D88612FEA8A8F36DE82E1278ABB02"
        ],
        "user": [
            "jdoe"
        ]
    },
    "threat": {
        "software": {
            "name": "EICAR-Test-File",
            "type": "Malware"
        }
    },
    "user": {
        "domain": "MyMachine",
        "name": "jdoe"
    }
}
{
    "message": "Result description: Deleted\\r\\nType: Virus\\r\\nName: EICAR-Test-File\\r\\nUser: MyMachine\\jdoe (Initiator)\\r\\nObject: C:\\Users\\jdoe\\Downloads\\eicar.com.txt\\r\\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\\r\\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F",
    "event": {
        "action": "Deleted",
        "category": [
            "malware"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "file": {
        "hash": {
            "md5": "44D88612FEA8A8F36DE82E1278ABB02F",
            "sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
        },
        "name": "eicar.com.txt",
        "path": "C:\\Users\\jdoe\\Downloads\\eicar.com.txt"
    },
    "observer": {
        "product": "Kaspersky Endpoint Security",
        "type": "edr",
        "vendor": "Kaspersky"
    },
    "related": {
        "hash": [
            "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
            "44D88612FEA8A8F36DE82E1278ABB02F"
        ],
        "user": [
            "jdoe"
        ]
    },
    "threat": {
        "software": {
            "name": "EICAR-Test-File",
            "type": "Malware"
        }
    },
    "user": {
        "domain": "MyMachine",
        "name": "jdoe"
    }
}
{
    "message": "Event type: Object not processed\\r\\nName: msiexec.exe\\r\\nApplication path: C:\\Windows\\System32\\r\\nProcess ID: 7684\\r\\nUser: WORKGROUP\\MyMachine$ (Initiator)\\r\\nComponent: File Threat Protection\\r\\nResult description: Not processed\\r\\nObject type: File\\r\\nPath to object: C:\\Windows\\Installer\\r\\nObject name: 8056b1f.msi\\r\\nReason: Size",
    "event": {
        "action": "Not processed",
        "category": [
            "process"
        ],
        "kind": "event",
        "module": "File Threat Protection",
        "reason": "Object not processed because of Size",
        "type": [
            "info"
        ]
    },
    "file": {
        "directory": "C:\\Windows\\Installer",
        "name": "8056b1f.msi"
    },
    "observer": {
        "product": "Kaspersky Endpoint Security",
        "type": "edr",
        "vendor": "Kaspersky"
    },
    "process": {
        "executable": "C:\\Windows\\System32\"\\\"msiexec.exe",
        "pid": 7684
    },
    "related": {
        "user": [
            "MyMachine"
        ]
    },
    "user": {
        "domain": "WORKGROUP",
        "name": "MyMachine"
    }
}
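The samples above show Kaspersky packing the whole event into a single "Key: Value" message, joined by CRLF sequences, which the intake then splits and maps onto ECS fields. The following Python is an added illustration of that step, written for this page and not Sekoia.io's own parser: the key-to-field mapping is an assumption reconstructed from the normalized samples, and the embedded sample messages are copied from them (EICAR test-file hashes, the msiexec.exe event, the update error).

```python
"""Illustrative parser for the Kaspersky Endpoint Security "Key: Value"
message format. Added example, not Sekoia.io's parser; the field mapping
is an assumption modelled on the normalized samples on this page."""
import json
import re
from datetime import datetime

# Kaspersky joins the key/value lines with CRLF; some collectors forward the
# literal backslash sequences instead, so both forms are accepted.
_LINE_SPLIT = re.compile(r"\r\n|\\r\\n|\n")
# "DOMAIN\name (role)" or "name (role)"; domain and role are optional.
_USER_RE = re.compile(r"^(?:(?P<domain>[^\\]+)\\)?(?P<name>[^\s(]+)(?:\s*\((?P<role>[^)]*)\))?$")

# Sample messages copied from the normalized events shown on this page.
SAMPLE_MESSAGES = [
    "Event type: Error verifying application databases and modules\r\nResult description: Error\r\n"
    "Error: Update files are corrupted\r\nObject type: Web page\r\n"
    "Object name: updates/kdb/i386/kdb-i386-1901g.xml\r\nUser: MyMachine\\jdoe (Active user)\r\n"
    "Release date: 12/14/2023 3:49:00 PM",
    "Result description: Detected\r\nType: Virus\r\nName: EICAR-Test-File\r\n"
    "User: MyMachine\\jdoe (Initiator)\r\nObject: C:\\Users\\jdoe\\Downloads\\eicar-com.txt\r\n"
    "Reason: Expert analysis\r\nDatabase release date: 12/14/2023 8:15:00 AM\r\n"
    "SHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\r\n"
    "MD5: 44D88612FEA8A8F36DE82E1278ABB02F",
    "Event type: Object not processed\r\nName: msiexec.exe\r\nApplication path: C:\\Windows\\System32\r\n"
    "Process ID: 7684\r\nUser: WORKGROUP\\MyMachine$ (Initiator)\r\nComponent: File Threat Protection\r\n"
    "Result description: Not processed\r\nObject type: File\r\nPath to object: C:\\Windows\\Installer\r\n"
    "Object name: 8056b1f.msi\r\nReason: Size",
]


def split_message(message: str) -> dict:
    """Split 'Key: Value' lines into a dict of raw keys (first ': ' wins)."""
    fields = {}
    for line in _LINE_SPLIT.split(message):
        key, sep, value = line.partition(": ")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def _set(doc: dict, dotted: str, value) -> None:
    """Assign value at a dotted ECS path, creating nested dicts as needed."""
    cur = doc
    *parents, last = dotted.split(".")
    for part in parents:
        cur = cur.setdefault(part, {})
    cur[last] = value


def normalize(message: str) -> dict:
    """Map raw Kaspersky keys onto ECS-style fields (assumed mapping)."""
    raw = split_message(message)
    doc = {"message": message}
    if "Result description" in raw:
        _set(doc, "event.action", raw["Result description"])
    if "Event type" in raw:
        _set(doc, "event.reason", raw["Event type"])
    if "Reason" in raw:  # a Reason qualifies the event type when both are present
        reason = raw["Reason"]
        if "Event type" in raw:
            reason = f"{raw['Event type']} because of {reason}"
        _set(doc, "event.reason", reason)
    if "Error" in raw:
        _set(doc, "error.message", raw["Error"])
    if "Component" in raw:
        _set(doc, "event.module", raw["Component"])
    if raw.get("Process ID", "").isdigit():
        _set(doc, "process.pid", int(raw["Process ID"]))
    if "Object" in raw:  # full path of the scanned object
        _set(doc, "file.path", raw["Object"])
        _set(doc, "file.name", raw["Object"].rsplit("\\", 1)[-1])
    if "Object name" in raw:
        if raw.get("Object type") == "Web page":
            _set(doc, "url.path", raw["Object name"])
        elif "Path to object" in raw:
            _set(doc, "file.directory", raw["Path to object"])
            _set(doc, "file.name", raw["Object name"])
    for key, ecs in (("SHA256", "file.hash.sha256"), ("MD5", "file.hash.md5")):
        if key in raw:
            _set(doc, ecs, raw[key])
    # "Name" is the threat name for detections and the process name otherwise.
    if raw.get("Type") == "Virus" and "Name" in raw:
        _set(doc, "threat.software.name", raw["Name"])
        _set(doc, "threat.software.type", "Malware")
    elif "Application path" in raw and "Name" in raw:
        _set(doc, "process.executable", raw["Application path"].rstrip("\\") + "\\" + raw["Name"])
    if "User" in raw and (m := _USER_RE.match(raw["User"])):
        if m.group("domain"):
            _set(doc, "user.domain", m.group("domain"))
        _set(doc, "user.name", m.group("name").rstrip("$"))  # machine accounts carry a trailing "$"
    if "Release date" in raw:
        try:
            ts = datetime.strptime(raw["Release date"], "%m/%d/%Y %I:%M:%S %p")
            doc["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            pass  # keep the event even if the vendor changes the date format
    return doc


if __name__ == "__main__":
    for sample in SAMPLE_MESSAGES:
        print(json.dumps(normalize(sample), indent=2))
```

Splitting on the first ": " rather than on ":" keeps values such as "3:49:00 PM" intact, and the Type: Virus check is what keeps a detection's Name from being mistaken for a process name; both are the kind of ambiguity a practitioner writing a real parser for this format has to decide on.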

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
error.message match_only_text Error message.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.module keyword Name of the module this data is coming from.
event.reason keyword Reason why this event happened, according to the source.
event.type keyword Event type. The third categorization field in the hierarchy.
file.directory keyword Directory where the file is located.
file.hash.md5 keyword MD5 hash.
file.hash.sha256 keyword SHA256 hash.
file.name keyword Name of the file including the extension, without the directory.
file.path keyword Full path to the file, including the file name.
observer.product keyword The product name of the observer.
observer.type keyword The type of the observer the data is coming from.
observer.vendor keyword Vendor name of the observer.
process.executable keyword Absolute path to the process executable.
process.pid long Process id.
threat.software.name keyword Name of the software.
threat.software.type keyword Software type.
url.path wildcard Path of the request, such as "/search".
user.domain keyword Name of the directory the user is a member of.
user.name keyword Short name or login of the user.

Configure

This setup guide describes how to forward events produced by Kaspersky Endpoint Security to Sekoia.io.

Forward logs to Sekoia.io

  1. Log in to the Kaspersky Security Center Cloud Center

  2. In the console, on the left panel, click on the spanner at the right of Administration server

SIEM1.png

  3. In the General tab, click on SIEM in the menu

SIEM2.png

  4. Click on settings to configure the forwarding (point 1)

SIEM3.png

  5. Configure the forwarding:
     a. Type the address of your log concentrator in SIEM system server address
     b. Type the port in SIEM system port
     c. Select TLS over TCP as protocol (it is the only option)
     d. Select the way to authenticate the concentrator's certificate
     e. Click on OK

    Warning

    If you need to generate a custom certificate:

    $ openssl req -new -x509 -keyout server.key -out server.crt -nodes
    $ cat server.key server.crt > server.pem
    $ openssl x509 -in server.crt -noout -fingerprint # copy the output

    SIEM4.png

  6. Check Automatically export event to SIEM system database (point 2)

SIEM3.png

Forward logs to Sekoia.io

  1. In the console, on the left menu, click on Devices > Policies & profiles

Event1.png

  2. For each policy Kaspersky Endpoint Security for X, click on the policy

Event2.png

  3. In the policy, select the Event configuration tab

Event3.png

  4. On the left panel, select the section Critical. Select all event types and click on Mark for export to SIEM system by using Syslog

Event4.png

  5. Select the section Warning, select all event types and click on Mark for export to SIEM system by using Syslog.

Create the intake

Go to the intake page and create a new intake from the format Kaspersky Endpoint Security.