Process Creating Lnk File In Suspicious Location

Description

This search looks for a process launching an *.lnk file under C:\User* or *\Local\Temp\*. This behavior is common among various spear phishing tools.

Help

You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This data is typically provided by an endpoint detection-and-response product, such as Carbon Black, or by endpoint data sources, such as Sysmon.
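
The path match from the description, as an added example (not the product's own search): a Python filter run over constructed file-creation events and grouped by host and creating process. The event field names (`host`, `process_name`, `file_path`) and the sample records are assumptions made for illustration.

```python
import fnmatch
from collections import defaultdict

# Path patterns from the description, lower-cased; fnmatch's "*" also spans "\".
SUSPICIOUS_PATTERNS = (r"c:\user*", r"*\local\temp\*")

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "ws01", "process_name": "winword.exe",
     "file_path": r"C:\Users\alice\AppData\Local\Temp\invoice.lnk"},
    {"host": "ws01", "process_name": "explorer.exe",
     "file_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\notes.LNK"},
    {"host": "ws02", "process_name": "powershell.exe",
     "file_path": r"D:\Profiles\bob\AppData\Local\Temp\update.lnk"},
    {"host": "ws02", "process_name": "setup.exe",
     "file_path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tool.lnk"},
    {"host": "ws03", "process_name": "chrome.exe",
     "file_path": r"C:\Users\carol\AppData\Local\Temp\readme.lnk.txt"},
]

def normalize(path):
    """Strip quotes, use backslashes and lower-case so matching is uniform."""
    return path.strip().strip('"').replace("/", "\\").lower()

def is_suspicious_lnk(file_path):
    """True when the file is a .lnk and its path matches one of the patterns."""
    p = normalize(file_path)
    if not p.endswith(".lnk"):  # rejects look-alikes such as readme.lnk.txt
        return False
    return any(fnmatch.fnmatchcase(p, pat) for pat in SUSPICIOUS_PATTERNS)

def detect(events):
    """Return {(host, process_name): [file_path, ...]} for matching events."""
    hits = defaultdict(list)
    for ev in events:
        if is_suspicious_lnk(ev["file_path"]):
            hits[(ev["host"], ev["process_name"])].append(ev["file_path"])
    return dict(hits)

if __name__ == "__main__":
    for (host, proc), paths in detect(SAMPLE_EVENTS).items():
        print(host, proc, paths)
```

The explorer.exe record matches because C:\User* also covers the Recent folder, where Windows routinely writes shortcuts, so grouping results by creating process helps separate expected writers from unexpected ones during triage.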
