Detection rules › Splunk
Process Creating LNK file in Suspicious Location
The following analytic detects a process creating a .lnk file in suspicious locations such as C:\User* or *\Local\Temp\*. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity can be significant because creating .lnk files in these directories is a common indicator of spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566.002 Phishing: Spearphishing Link |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: tstats
tstats WHERE NOT Filesystem.file_path IN ("*\\AppData\\Local\\Microsoft\\Windows\\WinX\\*", "*\\AppData\\Roaming\\Microsoft\\Excel\\*", "*\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", "*\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", "*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", "*\\AppData\\Roaming\\Microsoft\\Word\\*", "*\\Links\\*", "*\\OneDrive *") Filesystem.action="created" Filesystem.file_name="*.lnk" Filesystem.file_path IN ("*:\\AppData\\Local\\Temp\\*", "*:\\Temp\\*", "*:\\Users\\*", "*:\\Windows\\Temp\\*") BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | TargetFilename | in | "*\\AppData\\Local\\Microsoft\\Windows\\WinX\\*", "*\\AppData\\Roaming\\Microsoft\\Excel\\*", "*\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", "*\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", "*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", "*\\AppData\\Roaming\\Microsoft\\Word\\*", "*\\Links\\*", "*\\OneDrive *" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Filesystem.action | eq |
|
Filesystem.file_name | eq |
|
Filesystem.file_path | in |
|