Suspicious Lnk File Launching A Process

Description

This search looks for a `*.lnk` file under `C:\User*` or `*\Local\Temp\*` executing a process. This is common behavior used by various spear-phishing tools.
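The matching condition described above, as an added example that is not part of this content page and not Splunk's own search: the check is applied in Python to constructed process-creation records whose field names (`dest`, `user`, `process_name`, `parent_process`) follow the CIM Endpoint.Processes model. The host names, users and paths in the sample records are constructed for the example.

```python
"""Flag processes whose parent is a .lnk under C:/User* or */Local/Temp/*, run over
constructed process-creation records. Not Splunk code: the records and field names are
assumptions modelled on the CIM Endpoint.Processes fields dest, user, process_name and
parent_process."""
import re
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

# Location patterns taken from the detection description. fnmatch treats the backslash
# as a literal character, so these match Windows paths as-is (compared lower-cased).
LNK_LOCATIONS = ("c:\\user*", "*\\local\\temp\\*")

# A .lnk path inside a command line: a quoted string ending in .lnk (so paths with
# spaces stay whole) or a bare whitespace-delimited token ending in .lnk.
_LNK_TOKEN = re.compile(r'"([^"]+?\.lnk)"|(\S+?\.lnk)(?=\s|$)', re.IGNORECASE)


def lnk_paths(command_line: str) -> List[str]:
    """Return every .lnk path referenced in a parent command line."""
    return [m.group(1) or m.group(2) for m in _LNK_TOKEN.finditer(command_line)]


def in_watched_location(path: str) -> bool:
    """True if the path sits under C:\\User* or anywhere under *\\Local\\Temp\\*."""
    lowered = path.lower()
    return any(fnmatchcase(lowered, pattern) for pattern in LNK_LOCATIONS)


def is_suspicious_lnk_launch(event: Dict[str, str]) -> bool:
    """The page's condition: the parent of a new process is a .lnk in a watched location."""
    return any(in_watched_location(p) for p in lnk_paths(event.get("parent_process", "")))


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the check over process-creation records and return one alert per hit."""
    alerts = []
    for ev in events:
        if not is_suspicious_lnk_launch(ev):
            continue
        lnk = next(p for p in lnk_paths(ev["parent_process"]) if in_watched_location(p))
        alerts.append({"dest": ev["dest"], "user": ev["user"],
                       "process_name": ev["process_name"], "lnk": lnk})
    return alerts


# Constructed records: two .lnk launches from a user profile, one from a Local\Temp
# directory on another drive, one from a shortcut outside both locations, and one
# ordinary explorer.exe child.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice", "process_name": "powershell.exe",
     "parent_process": 'C:\\Windows\\explorer.exe "C:\\Users\\alice\\Downloads\\Invoice 2024.lnk"'},
    {"dest": "ws02", "user": "bob", "process_name": "cmd.exe",
     "parent_process": 'C:\\Users\\bob\\AppData\\Local\\Temp\\Temp1_report.zip\\report.lnk'},
    {"dest": "ws03", "user": "carol", "process_name": "cmd.exe",
     "parent_process": '"D:\\Share\\Local\\Temp\\setup.lnk"'},
    {"dest": "ws04", "user": "dave", "process_name": "putty.exe",
     "parent_process": '"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PuTTY.lnk"'},
    {"dest": "ws05", "user": "erin", "process_name": "notepad.exe",
     "parent_process": 'C:\\Windows\\explorer.exe'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['dest']} {alert['user']}: {alert['process_name']} launched from {alert['lnk']}")
```

The location scoping is what keeps the check from firing on every shortcut: the PuTTY record is a .lnk launching a process, but it sits under `C:\ProgramData`, so it is excluded, while the `*\Local\Temp\*` pattern matches regardless of the drive letter.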

Content Mapping

This content is not mapped to any local saved search.


Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Initial Access

MITRE ATT&CK Techniques

Phishing

Spearphishing Link

MITRE Threat Groups

APT1
APT28
APT29
APT32
APT33
APT39
BlackTech
Cobalt Group
Dragonfly 2.0
Elderwood
FIN4
FIN8
Kimsuky
Leviathan
Machete
Magic Hound
Mofang
Molerats
Night Dragon
OilRig
Patchwork
Stolen Pencil
TA505
Turla
Windshift
Wizard Spider

Kill Chain Phases

Installation
Actions On Objectives

Data Sources

Endpoint Detection and Response

Help

You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon.
