Event ID 28115 — Shortcut for application Name with ID AppID and flags Flags is added to app resolver cache.
Description
Shortcut for application Name with ID AppID and flags Flags is added to app resolver cache. The event is written to the Microsoft-Windows-Shell-Core/Operational channel by the Microsoft-Windows-Shell-Core provider (see the example event below).
Message
Fields
| Name | Type | Description |
|---|---|---|
| Name | UnicodeString | Display name of the application the shortcut points to |
| AppID | UnicodeString | Application ID (AppID) associated with the shortcut |
| Flags | UInt32 | Flags recorded for the app resolver cache entry |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Shell-Core",
    "guid": "30336ED4-E327-447C-9DE0-51B652C86108",
    "event_source_name": "",
    "event_id": 28115,
    "version": 0,
    "level": 4,
    "task": 28141,
    "opcode": 0,
    "keywords": 2305843009213759488,
    "time_created": "2023-11-06T01:43:34.432903+00:00",
    "event_record_id": 2840,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0000-7E84-E2E43710DA01"
    },
    "execution": {
      "process_id": 10860,
      "thread_id": 8488
    },
    "channel": "Microsoft-Windows-Shell-Core/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "Name": "Google Password Manager",
    "AppID": "Chrome._crx_kajebgjangfejcanhanjmmbcfd",
    "Flags": 17
  },
  "message": ""
}
```
Detection Rules
Sigma
- Suspicious Application Installed (medium): Detects a suspicious application installation by looking at the shortcut added to the app resolver cache
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline