Process Creating Lnk File In Suspicious Location
This search looks for a process launching an *.lnk file under *\Local\Temp\*. This is common behavior used by various spear phishing tools.
Process Creating Lnk File In Suspicious Location Help
You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or via endpoint data sources, such as Sysmon.
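The logic behind this detection, as an added Python example (not the search shipped with this page): it matches Sysmon-style file-creation events (Event ID 11) for *.lnk paths under *\Local\Temp\* and joins each hit to the process-creation event (Event ID 1) that shares its ProcessGuid. The sample events and the function name find_lnk_in_temp are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample events using Sysmon field names (Event ID 1 = process
# creation, Event ID 11 = file creation). Not taken from a real host.
EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'WINWORD.EXE /n "C:\Users\amy\Downloads\invoice.docm"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Computer": "WS01", "ProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\amy\AppData\Local\Temp\Update.LNK"},
    {"EventID": 11, "Computer": "WS01", "ProcessGuid": "{B2}",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\amy\Desktop\Notes.lnk"},
    {"EventID": 11, "Computer": "WS02", "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\setup.lnk.tmp"},
]

PATH_GLOB = r"*\local\temp\*"   # the page's *\Local\Temp\* pattern, lower-cased


def find_lnk_in_temp(events):
    """Return one finding per .lnk created under *\\Local\\Temp\\*."""
    # Index process-creation events so file events can be enriched.
    procs = {(e["Computer"], e["ProcessGuid"]): e
             for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 11:
            continue
        # Windows paths are case-insensitive; normalise before matching.
        path = e["TargetFilename"].replace("/", "\\").lower()
        if not (path.endswith(".lnk") and fnmatchcase(path, PATH_GLOB)):
            continue
        proc = procs.get((e["Computer"], e["ProcessGuid"]), {})
        findings.append({
            "host": e["Computer"],
            "file": e["TargetFilename"],
            "process": e["Image"],
            # Process event may be missing (e.g. it started before logging).
            "command_line": proc.get("CommandLine"),
            "parent": proc.get("ParentImage"),
        })
    return findings


if __name__ == "__main__":
    for f in find_lnk_in_temp(EVENTS):
        print(f)
```

The command line and parent image are what an analyst would triage first: a shortcut written to Temp by a document viewer opened from a download is a very different finding from one written by an installer.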