Downloaded Shortcut Files

Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.


# Elastic prebuilt detection rule "Downloaded Shortcut Files".
# Alerts on Windows .lnk files created on an endpoint whose recorded
# Zone.Identifier (Mark-of-the-Web) places their origin outside the local
# network, a common delivery vehicle in phishing campaigns.
[metadata]
creation_date = "2020/09/02"
# Data source is the Elastic Defend ("endpoint") integration; the query below
# reads its logs-endpoint.events.file-* indices.
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
description = """
Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in
phishing campaigns.
"""
# Lookback window evaluated on each scheduled run.
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Downloaded Shortcut Files"
# Low score and severity: a downloaded .lnk is suspicious but not conclusive
# on its own; the mapped Execution technique is only realised once a user
# opens it, so correlate with subsequent process activity before escalating.
risk_score = 21
rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
# Window the rule on ingestion time rather than @timestamp so endpoint events
# that reach the cluster late are still evaluated.
timestamp_override = "event.ingested"
type = "eql"

# file.Ext.windows.zone_identifier exposes the URL security zone stored in the
# file's Zone.Identifier alternate data stream (Mark-of-the-Web). "> 1"
# excludes zone 0 (Local Machine) and zone 1 (Local Intranet), so only files
# tagged Trusted Sites (2), Internet (3) or Restricted Sites (4) match, which
# is what "downloaded from outside the local network" means here.
# Files that carry no Zone.Identifier stream have no value for this field and
# do not match; treat this rule as a complement to execution-based detections
# (e.g. suspicious child processes of explorer.exe), not a substitute.
# NOTE(review): EQL `==` is case-sensitive on keyword fields; confirm the
# endpoint normalizes file.extension to lowercase, otherwise an upper-case
# ".LNK" extension would be missed by `file.extension == "lnk"`.
query = '''
file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk" and file.Ext.windows.zone_identifier > 1
'''


# ATT&CK mapping 1 of 2: the shortcut only does harm once the user opens it
# (User Execution: Malicious File).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# ATT&CK mapping 2 of 2: how the file typically arrives - as a phishing
# attachment or via a link the user followed (both produce a non-local MotW).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
