Downloaded Shortcut Files

Identifies a .lnk shortcut file downloaded from outside the local network. Such shortcut files are commonly used in phishing campaigns.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/02"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/08/06"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in
11phishing campaigns.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.file-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Downloaded Shortcut Files"
18risk_score = 47
19rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07"
20severity = "medium"
21tags = [
22    "Domain: Endpoint",
23    "OS: Windows",
24    "Use Case: Threat Detection",
25    "Tactic: Execution",
26    "Data Source: Elastic Defend",
27]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk" and file.Ext.windows.zone_identifier > 1
33'''
34
35
[[rule.threat]]
framework = "MITRE ATT&CK"
# The tactic is written as dotted keys so it sits with the framework it belongs to;
# it must precede the technique headers below, which close this element's key scope.
tactic.id = "TA0002"
tactic.name = "Execution"
tactic.reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
# Only the file-based sub-technique is mapped: the event is the creation of the .lnk itself.
subtechnique = [
    { id = "T1204.002", name = "Malicious File", reference = "https://attack.mitre.org/techniques/T1204/002/" },
]

[[rule.threat]]
framework = "MITRE ATT&CK"
# Dotted tactic keys must come before the technique headers, which close this
# element's key scope.
tactic.id = "TA0001"
tactic.name = "Initial Access"
tactic.reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
# Both delivery paths are mapped, presumably because a downloaded .lnk may arrive
# either as an attachment or via a link; the rule itself cannot tell them apart.
subtechnique = [
    { id = "T1566.001", name = "Spearphishing Attachment", reference = "https://attack.mitre.org/techniques/T1566/001/" },
    { id = "T1566.002", name = "Spearphishing Link", reference = "https://attack.mitre.org/techniques/T1566/002/" },
]
