Microsoft XDR (Defender) - DeviceEvents - ShellLinkCreateFileEvent

viri4to 10 Reputation points
2024-12-19T18:02:05.2466667+00:00

Hi everyone,

I've been trying to create a hunting query in the Defender portal to identify when a malicious .lnk file is created. I noticed that an interesting event to detect and analyze this is "DeviceEvents --> ShellLinkCreateFileEvent", as the AdditionalFields include information such as ShellLinkIconPath, ShellLinkRunAsAdmin, or even the arguments used to execute the .lnk file (ShellLinkCommandLine, which is the most interesting one).

However, the target file of the shortcut is not displayed! This is the most basic information that should appear.

Do you know if this will be included in the future? Is it possible to obtain this information from another event by doing a join?
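One way to start hunting on this event while the target path is missing is to work with the fields the question says are present in AdditionalFields. The following advanced-hunting query is an added example for this thread, not code from the poster or from Microsoft; it assumes the AdditionalFields keys ShellLinkCommandLine, ShellLinkIconPath and ShellLinkRunAsAdmin as named in the question, and the script-host list, flag regex and folder names are this example's own tuning choices, not documented Microsoft values. It does not recover the shortcut target; it flags .lnk creations whose embedded command line invokes a script host with window-hiding or policy-bypass flags, or whose icon points at a document-style icon while the command line runs a script host.

```kql
// Added example (not from the original post or from Microsoft).
// Assumption: AdditionalFields carries ShellLinkCommandLine, ShellLinkIconPath
// and ShellLinkRunAsAdmin, as described in the question.
// The token lists and regex below are illustrative choices; tune per environment.
let lookback = 7d;
// Hosts commonly launched from shortcut command lines; assumed list.
let script_hosts = dynamic(["powershell", "pwsh", "cmd", "wscript", "cscript",
                            "mshta", "rundll32", "regsvr32", "certutil", "bitsadmin"]);
// Flags that hide a window, bypass policy, or pass an encoded payload; assumed regex.
let quiet_flag_regex = @"-(w|windowstyle)\s+hidden|-enc(odedcommand)?\b|-(ep|executionpolicy)\s+bypass|-nop\b|https?://";
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "ShellLinkCreateFileEvent"
| extend af = parse_json(AdditionalFields)
| extend ShellLinkCommandLine = tostring(af.ShellLinkCommandLine),
         ShellLinkIconPath    = tostring(af.ShellLinkIconPath),
         ShellLinkRunAsAdmin  = tostring(af.ShellLinkRunAsAdmin)
| extend cmd_lower = tolower(ShellLinkCommandLine)
| extend hits_host = cmd_lower has_any (script_hosts),
         hits_flag = cmd_lower matches regex quiet_flag_regex
// A document-style icon combined with a script host is a masquerade pattern worth surfacing.
| extend icon_masquerade = hits_host and ShellLinkIconPath has_any ("shell32.dll", "imageres.dll", "pdf", "docx", "xlsx")
| where hits_flag or icon_masquerade or (hits_host and ShellLinkRunAsAdmin =~ "true")
// Focus on user-writable locations where dropped shortcuts usually land; assumed folder terms.
| where FolderPath has_any ("Downloads", "Desktop", "Temp", "AppData", "Startup") or icon_masquerade
| project Timestamp, DeviceId, DeviceName, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ShellLinkCommandLine, ShellLinkIconPath, ShellLinkRunAsAdmin,
          hits_host, hits_flag, icon_masquerade
| order by Timestamp desc
```

The projection keeps DeviceId, FolderPath and FileName on purpose: those are the columns you would join on against other Device* tables (for example DeviceFileEvents or DeviceProcessEvents) when correlating the shortcut with what created it or what ran afterwards. Whether any of those tables exposes the shortcut's target path is exactly the open question in this thread, so the query makes no claim about that.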
