Techniques
Sample rules
Process Creating LNK file in Suspicious Location
- source: splunk
- technicques:
- T1566
- T1566.002
Description
This search looks for a process launching an *.lnk file under C:\User* or *\Local\Temp\*. This is common behavior used by various spear phishing tools.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.lnk" AND (Filesystem.file_path="C:\\User\\*" OR Filesystem.file_path="*\\Temp\\*") by _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user
| `drop_dm_object_name(Filesystem)`
| rename process_guid as lnk_guid
| join lnk_guid, _time [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_guid Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process
| `drop_dm_object_name(Processes)`
| rename parent_process_guid as lnk_guid
| fields _time lnk_guid process_id dest process_name process_path process]
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime, lastTime, lnk_guid, process_id, user, dest, file_name, file_path, process_name, process, process_path, file_hash
| `process_creating_lnk_file_in_suspicious_location_filter`