Detection rules › YARA-L
Suspicious Unusual Location LNK File
Detects creation and movement of .lnk files to specific folders
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 2 | A process changed a file creation time |
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 23 | FileDelete (File Delete archived) |
Rule body yaral
/*
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule suspicious_unusual_location_lnk_file {
meta:
author = "Google Cloud Security"
description = "Detects creation and movement of .lnk files to specific folders"
rule_id = "mr_efb341aa-57c5-47b6-bde5-b409b4395c8f"
rule_name = "Suspicious Unusual Location LNK File"
type = "alert"
data_source = "microsoft sysmon"
platform = "Windows"
severity = "Low"
priority = "Low"
events:
(
$file.metadata.event_type = "FILE_CREATION" or
$file.metadata.event_type = "FILE_MODIFICATION" or
$file.metadata.event_type = "FILE_COPY" or
$file.metadata.event_type = "FILE_MOVE"
)
//and is optional, implied when broken out by line
and
$file.target.file.full_path = /\.lnk$/ nocase and
//Looking in the desktop, documents and start menu folders, can be modified to look in different folders
$file.target.file.full_path = /\\(Desktop|Documents|Start Menu)\\.*/ nocase
outcome:
$risk_score = 35
//added to populate alert graph with additional context
$principal_hostname = $file.principal.hostname
$target_hostname = $file.target.hostname
$src_hostname = $file.src.hostname
$principal_process_pid = $file.principal.process.pid
$principal_process_command_line = $file.principal.process.command_line
$principal_process_file_sha256 = $file.principal.process.file.sha256
$principal_process_file_full_path = $file.principal.process.file.full_path
$principal_process_product_specific_process_id = $file.principal.process.product_specific_process_id
$principal_process_parent_process_product_specific_process_id = $file.principal.process.parent_process.product_specific_process_id
$principal_user_userid = $file.principal.user.userid
$src_user_userid = $file.principal.user.userid
$target_file_sha256 = $file.target.file.sha256
$target_file_full_path = $file.target.file.full_path
$src_file_sha256 = $file.src.file.sha256
$src_file_full_path = $file.src.file.full_path
condition:
$file
}
Stages and Predicates
Stage 0: match + condition
condition:
$file
Fires when at least one $file event.
Stage 1: events: $file · FILE_CREATION
(
$file.metadata.event_type = "FILE_CREATION" or
$file.metadata.event_type = "FILE_MODIFICATION" or
$file.metadata.event_type = "FILE_COPY" or
$file.metadata.event_type = "FILE_MOVE"
)
//and is optional, implied when broken out by line
and
$file.target.file.full_path = /\.lnk$/ nocase and
//Looking in the desktop, documents and start menu folders, can be modified to look in different folders
$file.target.file.full_path = /\\(Desktop|Documents|Start Menu)\\.*/ nocase
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
target.file.full_path | regex_match |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
risk_score | 35 |
principal_hostname | $file.principal.hostname |
target_hostname | $file.target.hostname |
src_hostname | $file.src.hostname |
principal_process_pid | $file.principal.process.pid |
principal_process_command_line | $file.principal.process.command_line |
principal_process_file_sha256 | $file.principal.process.file.sha256 |
principal_process_file_full_path | $file.principal.process.file.full_path |
principal_process_product_specific_process_id | $file.principal.process.product_specific_process_id |
principal_process_parent_process_product_specific_process_id | $file.principal.process.parent_process.product_specific_process_id |
principal_user_userid | $file.principal.user.userid |
src_user_userid | $file.principal.user.userid |
target_file_sha256 | $file.target.file.sha256 |
target_file_full_path | $file.target.file.full_path |
src_file_sha256 | $file.src.file.sha256 |
src_file_full_path | $file.src.file.full_path |