Correlates execution of an LNK file with extraction of resources embedded in it, or with suspicious network activity shortly after the initial launch; these chains often deliver a payload hidden behind a disguised icon.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| ParentProcessName | Can be tuned to focus on common launcher processes like explorer.exe or winword.exe. |
| DestinationIP | Filtered to exclude known good domains and internal IPs to reduce false positives. |
| TimeWindow | Time between LNK execution and subsequent suspicious activity may vary based on adversary delay. |
| FileExtension | Could be used to focus on .lnk files only or track associated dropped payloads like .dat, .exe, etc. |
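The correlation described above, as an added example that is not part of the original page: it ties a Sysmon process-creation event for an LNK launched from a common launcher (`ParentProcessName`) to any file drop with a payload-like extension (`FileExtension`) or outbound connection to a non-internal, non-allowlisted address (`DestinationIP`) made by that process or its descendants within a configurable `TimeWindow`. Field names follow Sysmon's schema (`EventCode`, `Image`, `ParentImage`, `CommandLine`, `ProcessGuid`, `ParentProcessGuid`, `TargetFilename`, `DestinationIp`, `UtcTime`); the sample events, the allowlist and the internal ranges are constructed for the example.

```python
"""Added example (not the page's own code): correlate LNK launches with
follow-on file drops and outbound connections in Sysmon events."""
import ipaddress
from datetime import datetime, timedelta

# Tunables that correspond to the fields in the table above.
LAUNCHERS = {"explorer.exe", "winword.exe", "outlook.exe"}   # ParentProcessName
TIME_WINDOW = timedelta(minutes=5)                             # TimeWindow
PAYLOAD_EXTENSIONS = (".dat", ".exe", ".dll", ".ps1")          # FileExtension
KNOWN_GOOD_IPS = {"203.0.113.10"}                              # DestinationIP allowlist (constructed)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in             # DestinationIP internal ranges (constructed)
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample events, in the shape a Sysmon-to-Splunk pipeline would emit.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:00:00", "EventCode": 1, "ProcessGuid": "{G1}", "ParentProcessGuid": "{G0}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\Invoice.lnk"'},
    {"UtcTime": "2024-05-01 10:00:02", "EventCode": 1, "ProcessGuid": "{G2}", "ParentProcessGuid": "{G1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell.exe"},
    {"UtcTime": "2024-05-01 10:00:05", "EventCode": 15, "ProcessGuid": "{G2}",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\icon.dat"},
    {"UtcTime": "2024-05-01 10:00:07", "EventCode": 3, "ProcessGuid": "{G2}", "DestinationIp": "198.51.100.23"},
    {"UtcTime": "2024-05-01 10:00:08", "EventCode": 3, "ProcessGuid": "{G2}", "DestinationIp": "10.0.0.5"},
    {"UtcTime": "2024-05-01 10:01:00", "EventCode": 3, "ProcessGuid": "{G9}", "DestinationIp": "198.51.100.50"},
    {"UtcTime": "2024-05-01 10:05:00", "EventCode": 1, "ProcessGuid": "{G7}", "ParentProcessGuid": "{G0}",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"UtcTime": "2024-05-01 10:30:00", "EventCode": 3, "ProcessGuid": "{G2}", "DestinationIp": "198.51.100.99"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_lnk_launch(ev):
    """Process creation from a common launcher whose command line references a .lnk file."""
    return (ev["EventCode"] == 1
            and _basename(ev.get("ParentImage", "")) in LAUNCHERS
            and ".lnk" in ev.get("CommandLine", "").lower())


def is_external_ip(ip):
    """True for routable addresses that are neither allowlisted nor in an internal range."""
    if ip in KNOWN_GOOD_IPS:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events):
    """Return one alert per LNK launch that is followed, within TIME_WINDOW, by a
    payload-like file drop or an external connection from the launched process tree."""
    events = sorted(events, key=lambda e: _ts(e["UtcTime"]))
    alerts = []
    for i, launch in enumerate(events):
        if not is_lnk_launch(launch):
            continue
        deadline = _ts(launch["UtcTime"]) + TIME_WINDOW
        tracked = {launch["ProcessGuid"]}   # the LNK target and, later, its descendants
        findings = []
        for ev in events[i + 1:]:
            if _ts(ev["UtcTime"]) > deadline:
                break
            if ev["EventCode"] == 1 and ev.get("ParentProcessGuid") in tracked:
                tracked.add(ev["ProcessGuid"])
            elif ev.get("ProcessGuid") not in tracked:
                continue
            elif ev["EventCode"] == 15 and ev.get("TargetFilename", "").lower().endswith(PAYLOAD_EXTENSIONS):
                findings.append(("file_drop", ev["TargetFilename"]))
            elif ev["EventCode"] == 3 and is_external_ip(ev.get("DestinationIp", "")):
                findings.append(("network", ev["DestinationIp"]))
        if findings:
            alerts.append({"launch_time": launch["UtcTime"], "parent": _basename(launch["ParentImage"]),
                           "command_line": launch["CommandLine"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed events, the notepad launch produces nothing (no `.lnk` in its command line), the internal and allowlisted destinations are dropped, the connection from the unrelated process `{G9}` is ignored because it is outside the tracked process tree, and the connection at 10:30 falls outside the five-minute window; only the cmd.exe launch of `Invoice.lnk` is reported, with its descendant's `icon.dat` drop and the connection to 198.51.100.23. Tightening or widening `TIME_WINDOW` is the main lever against adversary-introduced delay.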