Detection correlates file creation or modification of .lnk (shortcut) files in autostart locations with anomalous parent-child process lineage or unsigned binaries. Defenders should watch for LNK creation/modification events that fall outside known software installations, patch events, or OS updates. Flag shortcut targets pointing to suspicious locations or unknown binaries, particularly shortcuts written by script interpreters or created by phishing delivery chains.
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |

| Field | Description |
|---|---|
| TargetPathRegex | Tunable regex to flag suspicious shortcut target paths (e.g., temp folder, base64 in target, unusual executable names) |
| TimeWindow | Time window used to correlate shortcut creation with process execution (e.g., 5-minute window) |
| UserContextScope | Filter for expected administrative installs versus end-user initiated shortcut creation |
| ZoneIdentifierThreshold | Configurable value to filter LNK files tagged with external source markers (e.g., ZoneId=3 for Internet) |
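As an added example (not part of the original page), the Python below runs the correlation described above over constructed Sysmon-style events and applies each tunable from the table: the autostart-path check, TargetPathRegex on the shortcut target, ZoneIdentifierThreshold from the Zone.Identifier stream event, UserContextScope as an installer allow-list, and TimeWindow correlation of the writer process with a script or Office parent. The ShortcutTarget and ZoneId fields are assumed enrichment fields (an LNK parser and the EventCode 15 stream content, respectively), and the tunable values are assumptions, not the page's.

```python
import re
from datetime import datetime, timedelta

# Tunables mirroring the fields in the table above; the values here are assumptions.
TARGET_PATH_REGEX = re.compile(r"\\Temp\\|\\AppData\\Local\\|[A-Za-z0-9+/]{40,}={0,2}", re.I)
SCRIPT_PARENTS = re.compile(r"\\(powershell|wscript|cscript|mshta|winword|outlook)\.exe$", re.I)
AUTOSTART = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
TIME_WINDOW = timedelta(minutes=5)
ZONE_ID_THRESHOLD = 3  # ZoneId 3 = Internet
EXPECTED_INSTALLERS = {"msiexec.exe", "trustedinstaller.exe", "tiworker.exe"}
def _t(e): return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
def _base(path): return path.rsplit("\\", 1)[-1].lower()

def correlate_lnk_events(events):
    """Flag anomalous autostart LNK writes; Sysmon codes 11/2 file, 1 process, 15 Zone.Identifier."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    zones = {e["TargetFilename"].lower(): int(e["ZoneId"]) for e in events if e["EventCode"] == 15}
    alerts = []
    for e in events:
        if e["EventCode"] not in (11, 2) or not AUTOSTART.search(e["TargetFilename"]):
            continue
        if _base(e["Image"]) in EXPECTED_INSTALLERS:  # UserContextScope: expected installs
            continue
        reasons = []
        if TARGET_PATH_REGEX.search(e.get("ShortcutTarget", "")):  # assumed LNK-parser enrichment
            reasons.append("suspicious shortcut target")
        if zones.get(e["TargetFilename"].lower(), 0) >= ZONE_ID_THRESHOLD:
            reasons.append("LNK carries Internet zone marker")
        p = procs.get(e["ProcessGuid"])  # writer spawned within TimeWindow by script/Office parent?
        if p and abs(_t(e) - _t(p)) <= TIME_WINDOW and SCRIPT_PARENTS.search(p["ParentImage"]):
            reasons.append("writer spawned by " + _base(p["ParentImage"]))
        if reasons:
            alerts.append((e["TargetFilename"], reasons))
    return alerts

# Constructed sample events (not real telemetry): Word -> PowerShell writes an Internet-zoned
# LNK into Startup; a later msiexec-created shortcut is an expected install and is skipped.
STARTUP = r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:00", "ProcessGuid": "{G1}", "Image": PS,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": 11, "UtcTime": "2024-05-01 10:02:30", "ProcessGuid": "{G1}", "Image": PS,
     "TargetFilename": STARTUP + r"\update.lnk", "ShortcutTarget": r"C:\Users\a\AppData\Local\Temp\svc.exe"},
    {"EventCode": 15, "UtcTime": "2024-05-01 10:02:30", "ProcessGuid": "{G1}", "Image": PS,
     "TargetFilename": STARTUP + r"\update.lnk", "ZoneId": "3"},
    {"EventCode": 11, "UtcTime": "2024-05-01 11:00:00", "ProcessGuid": "{G2}",
     "Image": r"C:\Windows\System32\msiexec.exe", "TargetFilename": STARTUP + r"\Vendor.lnk",
     "ShortcutTarget": r"C:\Program Files\Vendor\agent.exe"},
]
```

Running `correlate_lnk_events(SAMPLE)` returns one alert for update.lnk with all three reasons, while the msiexec shortcut produces none.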