Kaspersky Endpoint Security
Overview
Kaspersky Endpoint Security is an advanced security solution designed to safeguard businesses, their networks, and data against a wide array of cyber threats. Employing a multi-layered approach, it integrates various protection technologies including signature-based detection, heuristic analysis, machine learning, and real-time monitoring to detect and thwart malware, ransomware, zero-day attacks, and other threats effectively.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Kaspersky Endpoint Security. This documentation is updated automatically and is based solely on the fields used by the intake, which are checked against our rules. This means that some rules will be listed but might not be relevant to the intake.
SEKOIA.IO x Kaspersky Endpoint Security on ATT&CK Navigator
Cron Files Alteration
Cron files and the cron directory are altered by attackers for persistence or privilege escalation.
- Effort: advanced
Formbook File Creation DB1
Detects the creation of a specific file (Users*\AppData\Local\Temp\DB1) used to store data to exfiltrate (Formbook behavior). Sysmon event ID 11 logging is usually used for this detection.
- Effort: intermediate
NTDS.dit File In Suspicious Directory
The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). A copy elsewhere is usually highly suspicious and could indicate an attacker trying to copy the file in order to extract user password hashes.
- Effort: advanced
OneNote Embedded File
Detects the creation or use of OneNote embedded files with unusual extensions.
- Effort: intermediate
Package Manager Alteration
Package managers (e.g. apt, yum) can be altered to install malicious software.
- Effort: advanced
Phorpiex Process Masquerading
Detects the specific process executable path used by the Phorpiex botnet to masquerade its network activity as that of a system process. It looks for a system process executable name running from an illegitimate location: a folder whose name is a randomly generated string of 13 to 15 digits.
- Effort: elementary
Potential Azure AD Phishing Page (Adversary-in-the-Middle)
Detects an HTTP request to a URL typical of the Azure AD authentication flow, but towards a domain that is not one of the legitimate Microsoft domains used for Azure AD authentication.
- Effort: intermediate
RTLO Character
Detects the RTLO (Right-To-Left Override) character in file and process names.
- Effort: elementary
SSH Authorized Key Alteration
The file authorized_keys is used by the SSH server to identify the SSH keys that are authorized to connect to the host; alteration of one of these files might indicate a compromised user account.
- Effort: advanced
Suspicious ADSI-Cache Usage By Unknown Tool
Detects the use of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger. It needs file monitoring capabilities (Sysmon Event ID 11 with .sch file creation logging).
- Effort: advanced
Suspicious desktop.ini Action
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (e.g. renaming files) without changing anything on disk.
- Effort: advanced
WCE wceaux.dll Creation
Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
- Effort: intermediate
Webshell Creation
Detects possible webshell file creation. It requires file creation monitoring, which can be done with Sysmon Event ID 11. However, the recommended SwiftOnSecurity configuration does not fully cover the needs of this rule; it must be extended with the relevant file name extensions.
- Effort: master
Event Categories
The following table lists the data sources offered by this integration.

Data Source | Description |
---|---|
Anti-virus | Kaspersky Endpoint Security prevents malware infection |
File monitoring | Kaspersky Endpoint Security analyzes all files and protects machines from malicious files |
Web logs | Kaspersky Endpoint Security logs provide information about suspicious web activity |
In detail, the following table lists the types of events produced by this integration.

Name | Values |
---|---|
Kind | `` |
Category | `malware`, `process` |
Type | `info` |
Event Samples
Find below a few samples of events and how they are normalized by Sekoia.io.
{
"message": "Event type: Error verifying application databases and modules\\r\\nResult description: Error\\r\\nError: Update files are corrupted\\r\\nObject type: Web page\\r\\nObject name: updates/kdb/i386/kdb-i386-1901g.xml\\r\\nUser: MyMachine\\jdoe (Active user)\\r\\nRelease date: 12/14/2023 3:49:00 PM",
"event": {
"action": "Error",
"category": [
"process"
],
"reason": "Error verifying application databases and modules",
"type": [
"info"
]
},
"@timestamp": "2023-12-14T15:49:00Z",
"error": {
"message": "Update files are corrupted"
},
"observer": {
"product": "Kaspersky Endpoint Security",
"type": "edr",
"vendor": "Kaspersky"
},
"related": {
"user": [
"jdoe"
]
},
"url": {
"path": "updates/kdb/i386/kdb-i386-1901g.xml"
},
"user": {
"domain": "MyMachine",
"name": "jdoe"
}
}
{
"message": "Event type: Not all components were updated\\r\\nResult description: Error\\r\\nError: Not all components were updated\\r\\nUser: MyMachine\\jdoe (Active user)\\r\\nRelease date: 12/14/2023 3:49:00 PM",
"event": {
"action": "Error",
"category": [
"process"
],
"reason": "Not all components were updated",
"type": [
"info"
]
},
"@timestamp": "2023-12-14T15:49:00Z",
"error": {
"message": "Not all components were updated"
},
"observer": {
"product": "Kaspersky Endpoint Security",
"type": "edr",
"vendor": "Kaspersky"
},
"related": {
"user": [
"jdoe"
]
},
"user": {
"domain": "MyMachine",
"name": "jdoe"
}
}
{
"message": "Result description: Detected\\r\\nType: Virus\\r\\nName: EICAR-Test-File\\r\\nUser: MyMachine\\jdoe (Initiator)\\r\\nObject: C:\\Users\\jdoe\\Downloads\\eicar-com.txt\\r\\nReason: Expert analysis\\r\\nDatabase release date: 12/14/2023 8:15:00 AM\\r\\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\\r\\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F\n",
"event": {
"action": "Detected",
"category": [
"malware"
],
"reason": "Expert analysis",
"type": [
"info"
]
},
"file": {
"hash": {
"md5": "44D88612FEA8A8F36DE82E1278ABB02F",
"sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
},
"name": "eicar-com.txt",
"path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt"
},
"observer": {
"product": "Kaspersky Endpoint Security",
"type": "edr",
"vendor": "Kaspersky"
},
"related": {
"hash": [
"275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
"44D88612FEA8A8F36DE82E1278ABB02F"
],
"user": [
"jdoe"
]
},
"threat": {
"software": {
"name": "EICAR-Test-File",
"type": "Malware"
}
},
"user": {
"domain": "MyMachine",
"name": "jdoe"
}
}
{
"message": "Result description: Not processed\\r\\nType: Virus\\r\\nName: EICAR-Test-File\\r\\nUser: MyMachine\\jdoe (Initiator)\\r\\nObject: C:\\Users\\jdoe\\Downloads\\eicar-com.txt\\r\\nReason: Already processed\\r\\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\\r\\nMD5: 44D88612FEA8A8F36DE82E1278ABB02",
"event": {
"action": "Not processed",
"category": [
"malware"
],
"reason": "Already processed",
"type": [
"info"
]
},
"file": {
"hash": {
"md5": "44D88612FEA8A8F36DE82E1278ABB02",
"sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
},
"name": "eicar-com.txt",
"path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt"
},
"observer": {
"product": "Kaspersky Endpoint Security",
"type": "edr",
"vendor": "Kaspersky"
},
"related": {
"hash": [
"275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
"44D88612FEA8A8F36DE82E1278ABB02"
],
"user": [
"jdoe"
]
},
"threat": {
"software": {
"name": "EICAR-Test-File",
"type": "Malware"
}
},
"user": {
"domain": "MyMachine",
"name": "jdoe"
}
}
{
"message": "Result description: Deleted\\r\\nType: Virus\\r\\nName: EICAR-Test-File\\r\\nUser: MyMachine\\jdoe (Initiator)\\r\\nObject: C:\\Users\\jdoe\\Downloads\\eicar.com.txt\\r\\nSHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\\r\\nMD5: 44D88612FEA8A8F36DE82E1278ABB02F",
"event": {
"action": "Deleted",
"category": [
"malware"
],
"type": [
"info"
]
},
"file": {
"hash": {
"md5": "44D88612FEA8A8F36DE82E1278ABB02F",
"sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
},
"name": "eicar.com.txt",
"path": "C:\\Users\\jdoe\\Downloads\\eicar.com.txt"
},
"observer": {
"product": "Kaspersky Endpoint Security",
"type": "edr",
"vendor": "Kaspersky"
},
"related": {
"hash": [
"275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
"44D88612FEA8A8F36DE82E1278ABB02F"
],
"user": [
"jdoe"
]
},
"threat": {
"software": {
"name": "EICAR-Test-File",
"type": "Malware"
}
},
"user": {
"domain": "MyMachine",
"name": "jdoe"
}
}
{
"message": "Event type: Object not processed\\r\\nName: msiexec.exe\\r\\nApplication path: C:\\Windows\\System32\\r\\nProcess ID: 7684\\r\\nUser: WORKGROUP\\MyMachine$ (Initiator)\\r\\nComponent: File Threat Protection\\r\\nResult description: Not processed\\r\\nObject type: File\\r\\nPath to object: C:\\Windows\\Installer\\r\\nObject name: 8056b1f.msi\\r\\nReason: Size",
"event": {
"action": "Not processed",
"category": [
"process"
],
"module": "File Threat Protection",
"reason": "Object not processed because of Size",
"type": [
"info"
]
},
"file": {
"directory": "C:\\Windows\\Installer",
"name": "8056b1f.msi"
},
"observer": {
"product": "Kaspersky Endpoint Security",
"type": "edr",
"vendor": "Kaspersky"
},
"process": {
"executable": "C:\\Windows\\System32\"\\\"msiexec.exe",
"pid": 7684
},
"related": {
"user": [
"MyMachine"
]
},
"user": {
"domain": "WORKGROUP",
"name": "MyMachine"
}
}
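The samples above show the raw Kaspersky message (CRLF-separated `Key: Value` lines) beside its normalized form, and the rules section above explains that built-in rules are matched against the fields the intake produces. The following added example (not Sekoia.io's parser, and not part of the original page) splits those messages into key/value pairs, maps them to the ECS-style layout the samples use, and then runs the check behind the "RTLO Character" rule over the normalized file and process names. The mapping conventions (for example, "Virus" becoming `threat.software.type: Malware`, the `$` dropped from machine accounts, and "Release date" feeding `@timestamp`) are assumptions read off the samples; the three real inputs are copied from the samples, while `SAMPLE_RTLO` and its threat name are constructed.

```python
from datetime import datetime

# Constructed inputs: the raw "message" strings of three of the event samples
# above, plus one made-up detection whose file name carries an RTLO character.
SAMPLE_ERROR = (
    "Event type: Error verifying application databases and modules\r\n"
    "Result description: Error\r\nError: Update files are corrupted\r\n"
    "Object type: Web page\r\nObject name: updates/kdb/i386/kdb-i386-1901g.xml\r\n"
    "User: MyMachine\\jdoe (Active user)\r\nRelease date: 12/14/2023 3:49:00 PM"
)
SAMPLE_DETECTED = (
    "Result description: Detected\r\nType: Virus\r\nName: EICAR-Test-File\r\n"
    "User: MyMachine\\jdoe (Initiator)\r\n"
    "Object: C:\\Users\\jdoe\\Downloads\\eicar-com.txt\r\nReason: Expert analysis\r\n"
    "Database release date: 12/14/2023 8:15:00 AM\r\n"
    "SHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\r\n"
    "MD5: 44D88612FEA8A8F36DE82E1278ABB02F\n"
)
SAMPLE_PROCESS = (
    "Event type: Object not processed\r\nName: msiexec.exe\r\n"
    "Application path: C:\\Windows\\System32\r\nProcess ID: 7684\r\n"
    "User: WORKGROUP\\MyMachine$ (Initiator)\r\nComponent: File Threat Protection\r\n"
    "Result description: Not processed\r\nObject type: File\r\n"
    "Path to object: C:\\Windows\\Installer\r\nObject name: 8056b1f.msi\r\nReason: Size"
)
SAMPLE_RTLO = (  # constructed; the verdict name is a placeholder, not a real one
    "Result description: Detected\r\nType: Trojan\r\nName: Example-Threat-Name\r\n"
    "User: MyMachine\\jdoe (Initiator)\r\n"
    "Object: C:\\Users\\jdoe\\Downloads\\invoice\u202efdp.exe\r\nReason: Expert analysis"
)

OBSERVER = {"product": "Kaspersky Endpoint Security", "type": "edr", "vendor": "Kaspersky"}
RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the "RTLO Character" rule looks for


def parse_kv(message):
    """Split the CRLF-separated 'Key: Value' lines into a dict; first occurrence of a key wins."""
    fields = {}
    for line in message.replace("\r\n", "\n").split("\n"):
        key, sep, value = line.partition(": ")
        if sep and key.strip() and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    return fields


def parse_user(raw):
    """'WORKGROUP\\MyMachine$ (Initiator)' -> ('WORKGROUP', 'MyMachine'): drop the role
    suffix and the '$' of machine accounts, as the samples do (assumed convention)."""
    account = raw.split(" (", 1)[0]
    domain, _, name = account.rpartition("\\")
    return domain or None, name.rstrip("$")


def normalize(message):
    """Map one raw message to the ECS-style layout shown in the samples above."""
    kv = parse_kv(message)
    ev = {"observer": dict(OBSERVER), "event": {"type": ["info"]}, "related": {}}
    event = ev["event"]
    if "Result description" in kv:
        event["action"] = kv["Result description"]
    # Detections carry a verdict "Type" (Virus, ...); everything else is a process event.
    event["category"] = ["malware" if "Type" in kv else "process"]
    if "Event type" in kv and "Reason" in kv:
        event["reason"] = f"{kv['Event type']} because of {kv['Reason']}"
    elif "Reason" in kv or "Event type" in kv:
        event["reason"] = kv.get("Reason") or kv["Event type"]
    if "Component" in kv:
        event["module"] = kv["Component"]
    if "Error" in kv:
        ev["error"] = {"message": kv["Error"]}
    if "Release date" in kv:  # "Database release date" is a different key, not a timestamp
        ts = datetime.strptime(kv["Release date"], "%m/%d/%Y %I:%M:%S %p")
        ev["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    if "User" in kv:
        domain, name = parse_user(kv["User"])
        ev["user"] = {"domain": domain, "name": name} if domain else {"name": name}
        ev["related"]["user"] = [name]
    obj = kv.get("Object")
    if obj and "\\" in obj:  # detections give the full path of the scanned object
        ev["file"] = {"name": obj.rsplit("\\", 1)[1], "path": obj}
    elif kv.get("Object type") == "File":
        ev["file"] = {"directory": kv.get("Path to object"), "name": kv.get("Object name")}
    elif kv.get("Object type") == "Web page":
        ev["url"] = {"path": kv.get("Object name")}
    hashes = {k.lower(): kv[k] for k in ("MD5", "SHA256") if k in kv}
    if hashes:
        ev.setdefault("file", {})["hash"] = hashes
        ev["related"]["hash"] = sorted(hashes.values())
    if "Type" in kv:
        ev["threat"] = {"software": {"name": kv.get("Name"), "type": "Malware"}}
    if "Application path" in kv and "Name" in kv:
        ev["process"] = {"executable": kv["Application path"].rstrip("\\") + "\\" + kv["Name"]}
        if "Process ID" in kv:
            ev["process"]["pid"] = int(kv["Process ID"])
    return ev


def rtlo_hits(ev):
    """Names in a normalized event that contain the RTLO character (the 'RTLO Character' rule)."""
    names = [ev.get("file", {}).get("name"), ev.get("process", {}).get("executable")]
    return [n for n in names if n and RTLO in n]


if __name__ == "__main__":
    import json
    for sample in (SAMPLE_ERROR, SAMPLE_DETECTED, SAMPLE_PROCESS, SAMPLE_RTLO):
        ev = normalize(sample)
        print(json.dumps(ev, indent=1, ensure_ascii=False), "RTLO hits:", rtlo_hits(ev))
```

Running the script prints the four normalized events; only the constructed RTLO sample produces a hit, and the file name it reports is the one a user would see rendered backwards in Explorer, which is why the rule keys on the raw field value rather than on what is displayed. Sorting the related hashes reproduces the order seen in the samples (SHA256 before MD5) because of the hex values involved, not because of any rule about hash types.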
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
error.message | match_only_text | Error message. |
event.action | keyword | The action captured by the event. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.module | keyword | Name of the module this data is coming from. |
event.reason | keyword | Reason why this event happened, according to the source. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
file.directory | keyword | Directory where the file is located. |
file.hash.md5 | keyword | MD5 hash. |
file.hash.sha256 | keyword | SHA256 hash. |
file.name | keyword | Name of the file including the extension, without the directory. |
file.path | keyword | Full path to the file, including the file name. |
observer.product | keyword | The product name of the observer. |
observer.type | keyword | The type of the observer the data is coming from. |
observer.vendor | keyword | Vendor name of the observer. |
process.executable | keyword | Absolute path to the process executable. |
process.pid | long | Process id. |
threat.software.name | keyword | Name of the software. |
threat.software.type | keyword | Software type. |
url.path | wildcard | Path of the request, such as "/search". |
user.domain | keyword | Name of the directory the user is a member of. |
user.name | keyword | Short name or login of the user. |
Configure
This setup guide describes how to forward events produced by Kaspersky Endpoint Security to Sekoia.io.
Forward logs to Sekoia.io
- Log in to the Kaspersky Security Center Cloud Center
- In the console, on the left panel, click on the spanner to the right of Administration server
- In the General tab, click on SIEM in the menu
- Click on settings to configure the forwarding (point 1)
- Configure the forwarding:
  a. Type the address of your log concentrator in SIEM system server address
  b. Type the port in SIEM system port
  c. Select TLS over TCP as protocol (it's the only option)
  d. Select the way to authenticate the concentrator's certificate
  e. Click on OK
Warning
If you need to generate a custom certificate (the fingerprint is taken from the certificate generated in the first command):
```shell
$ openssl req -new -x509 -keyout server.key -out server.crt -nodes
$ cat server.key server.crt > server.pem
$ openssl x509 -in server.crt -noout -fingerprint   # copy the output
```
- Check Automatically export events to SIEM system database (point 2)
Apply log export configuration on devices
- In the console, on the left menu, click on Devices > Policies & profiles
- For each policy Kaspersky Endpoint Security for X, click on the policy
- In the policy, select the Event configuration tab
- On the left panel, select the section Critical. Select all event types and click on Mark for export to SIEM system by using Syslog
- Select the section Warning, select all event types and click on Mark for export to SIEM system by using Syslog.
Create the intake
Go to the intake page and create a new intake from the format Kaspersky Endpoint Security.