
Process Creating LNK file in Suspicious Location

Status
production
Severity
low
Group by
CreationUtcTime, computer_name, event_action, file_access_time, file_acl, file_hash, file_modify_time, file_name, file_size, process_guid, process_id, target_filename, user, vendor_product
Author
Jose Hernandez, Michael Haag, Splunk
Source
github.com/splunk/security_content

The following analytic detects a process creating a .lnk file in suspicious locations such as C:\User* or *\Local\Temp\*. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity can be significant because dropping .lnk files into these directories is a common technique of spear-phishing payloads that use shortcuts to establish persistence or to launch a malicious command. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.

MITRE ATT&CK coverage

Tactic: Initial Access
Technique: T1566.002 Phishing: Spearphishing Link

Event coverage

Provider: Sysmon
Event: Event ID 11
Title: FileCreate

Rule body (splunk)

name: Process Creating LNK file in Suspicious Location
id: 5d814af1-1041-47b5-a9ac-d754e82e9a26
version: 17
creation_date: '2020-04-29'
modification_date: '2026-05-13'
author: Jose Hernandez, Michael Haag, Splunk
status: production
type: Anomaly
description: |
    The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\User*` or `*\Local\Temp\*`.
    It leverages filesystem and process activity data from the Endpoint data model to identify this behavior.
    This activity can be significant because creating `.lnk` files in these directories is a common indicator of spear phishing tools to establish persistence or execute malicious payloads.
    If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.
data_source:
    - Sysmon EventID 11
search: |
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime
    
    FROM datamodel=Endpoint.Filesystem where
    
    Filesystem.action="created"
    Filesystem.file_name="*.lnk"
    Filesystem.file_path IN (
      "*:\\AppData\\Local\\Temp\\*",
      "*:\\Temp\\*",
      "*:\\Users\\*",
      "*:\\Windows\\Temp\\*"
    )
    NOT Filesystem.file_path IN (
      "*\\AppData\\Local\\Microsoft\\Windows\\WinX\\*",
      "*\\AppData\\Roaming\\Microsoft\\Excel\\*",
      "*\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*",
      "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*",
      "*\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*",
      "*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*",
      "*\\AppData\\Roaming\\Microsoft\\Word\\*",
      "*\\Links\\*",
      "*\\OneDrive *"
    )
    
    by Filesystem.action Filesystem.dest Filesystem.file_access_time
       Filesystem.file_create_time Filesystem.file_hash
       Filesystem.file_modify_time Filesystem.file_name
       Filesystem.file_path Filesystem.file_acl Filesystem.file_size
       Filesystem.process_guid Filesystem.process_id
       Filesystem.user Filesystem.vendor_product
    
    | `drop_dm_object_name(Filesystem)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `process_creating_lnk_file_in_suspicious_location_filter`
how_to_implement: |
    You must be ingesting data that records filesystem and process activity
    from your hosts to populate the Endpoint data model. This is typically populated
    via endpoint detection-and-response product, such as Carbon Black, or endpoint data
    sources, such as Sysmon.
known_false_positives: |
    False positives are expected to occur, since `.lnk` files can be created legitimately
    by users or applications. To reduce noise, join this to the process that created the LNK file
    and check whether it is a known-good process.
references:
    - https://attack.mitre.org/techniques/T1566/001/
    - https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html
    - https://twitter.com/pr0xylife/status/1590394227758104576
drilldown_searches:
    - name: View the detection results for - "$dest$" and "$user$"
      search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$" and "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: A shortcut file [$file_name$] was created in $file_path$ on the host $dest$
        - field: user
          type: user
          score: 20
          message: A shortcut file [$file_name$] was created in $file_path$ on the host $dest$
threat_objects:
    - field: file_name
      type: file_name
    - field: file_path
      type: file_path
analytic_story:
    - Spearphishing Attachments
    - Qakbot
    - IcedID
    - Amadey
    - Gozi Malware
    - APT37 Rustonotto and FadeStealer
    - BlankGrabber Stealer
asset_type: Endpoint
mitre_attack_id:
    - T1566.002
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: tstats

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Endpoint.Filesystem where

Filesystem.action="created"
Filesystem.file_name="*.lnk"
Filesystem.file_path IN (
  "*:\\AppData\\Local\\Temp\\*",
  "*:\\Temp\\*",
  "*:\\Users\\*",
  "*:\\Windows\\Temp\\*"
)
NOT Filesystem.file_path IN (
  "*\\AppData\\Local\\Microsoft\\Windows\\WinX\\*",
  "*\\AppData\\Roaming\\Microsoft\\Excel\\*",
  "*\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*",
  "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*",
  "*\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*",
  "*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*",
  "*\\AppData\\Roaming\\Microsoft\\Word\\*",
  "*\\Links\\*",
  "*\\OneDrive *"
)

by Filesystem.action Filesystem.dest Filesystem.file_access_time
   Filesystem.file_create_time Filesystem.file_hash
   Filesystem.file_modify_time Filesystem.file_name
   Filesystem.file_path Filesystem.file_acl Filesystem.file_size
   Filesystem.process_guid Filesystem.process_id
   Filesystem.user Filesystem.vendor_product

Stage 2: search

| `drop_dm_object_name(Filesystem)`

Stage 3: search

| `security_content_ctime(firstTime)`

Stage 4: search

| `security_content_ctime(lastTime)`

Stage 5: search

| `process_creating_lnk_file_in_suspicious_location_filter`

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field: Filesystem.file_path (kind: in)
Excluded values:
  • "*\\AppData\\Local\\Microsoft\\Windows\\WinX\\*"
  • "*\\AppData\\Roaming\\Microsoft\\Excel\\*"
  • "*\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*"
  • "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*"
  • "*\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*"
  • "*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*"
  • "*\\AppData\\Roaming\\Microsoft\\Word\\*"
  • "*\\Links\\*"
  • "*\\OneDrive *"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: Filesystem.action (kind: eq)
  • "created" corpus 10 (splunk 10)
Field: Filesystem.file_name (kind: eq)
  • "*.lnk"
Field: Filesystem.file_path (kind: in)
  • "*:\\AppData\\Local\\Temp\\*"
  • "*:\\Temp\\*"
  • "*:\\Users\\*"
  • "*:\\Windows\\Temp\\*"
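To see exactly which Sysmon FileCreate events the Stage 1 WHERE clause keeps and which the exclusion list suppresses, the following Python replays the rule's predicates over a handful of Event ID 11 records. This is an added example, not code from Splunk's security_content; the include and exclude patterns are copied verbatim from the rule, while the XML samples are constructed and the field mapping (file_path is the full TargetFilename, file_name its last component, as the Sysmon add-on populates Endpoint.Filesystem) and case-insensitive wildcard matching are assumptions. One thing the replay makes visible: the pattern `*:\AppData\Local\Temp\*` needs the AppData tree to sit directly under a drive root, so a shortcut in a user-profile Temp folder is actually caught by `*:\Users\*`.

```python
"""Offline replay of the 'Process Creating LNK file in Suspicious Location' predicate
over Sysmon Event ID 11 (FileCreate) records.  Added example; XML samples are constructed."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Optional

# Rule predicates copied from the tstats WHERE clause.  In SPL, "\\" inside a quoted
# string is one backslash, so Python raw strings with single backslashes are equivalent.
# Note: the first include pattern only matches X:\AppData\Local\Temp\...; a user-profile
# Temp path such as C:\Users\bob\AppData\Local\Temp\ is matched by "*:\Users\*" instead.
SUSPICIOUS_PATHS = [
    r"*:\AppData\Local\Temp\*",
    r"*:\Temp\*",
    r"*:\Users\*",
    r"*:\Windows\Temp\*",
]
EXCLUDED_PATHS = [
    r"*\AppData\Local\Microsoft\Windows\WinX\*",
    r"*\AppData\Roaming\Microsoft\Excel\*",
    r"*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\*",
    r"*\AppData\Roaming\Microsoft\Office\Recent\*",
    r"*\AppData\Roaming\Microsoft\Windows\Recent\*",
    r"*\AppData\Roaming\Microsoft\Windows\Start Menu\*",
    r"*\AppData\Roaming\Microsoft\Word\*",
    r"*\Links\*",
    r"*\OneDrive *",
]
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def spl_glob(pattern: str, value: str) -> bool:
    """Splunk-style wildcard: '*' spans any run of characters, backslashes included.
    Case-insensitive matching is an assumption (Splunk's default for field=value tests)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def parse_eid11(xml_text: str) -> Optional[dict]:
    """Map one Sysmon EID 11 event onto the Endpoint.Filesystem fields the rule groups by."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "11":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    target = data.get("TargetFilename", "")
    return {
        "dest": root.findtext("e:System/e:Computer", namespaces=NS),
        "action": "created",                      # EID 11 is always a file creation
        "file_path": target,                      # assumed: full TargetFilename
        "file_name": target.rsplit("\\", 1)[-1],  # assumed: last path component
        "process_guid": data.get("ProcessGuid"),
        "process_id": data.get("ProcessId"),
        "user": data.get("User"),
        "file_create_time": data.get("CreationUtcTime"),
    }


def matching_include(file_path: str) -> Optional[str]:
    """First suspicious-location pattern that matches the path, or None."""
    return next((p for p in SUSPICIOUS_PATHS if spl_glob(p, file_path)), None)


def matches_rule(row: dict) -> bool:
    """The WHERE clause: action=created AND file_name=*.lnk AND path IN (...) AND NOT path IN (...)."""
    if row["action"] != "created" or not spl_glob("*.lnk", row["file_name"]):
        return False
    if matching_include(row["file_path"]) is None:
        return False
    return not any(spl_glob(p, row["file_path"]) for p in EXCLUDED_PATHS)


def run_detection(xml_events: list) -> dict:
    """Emulate the tstats aggregation: count hits per (dest, file_path, process_guid, user)."""
    hits = Counter()
    for xml_text in xml_events:
        row = parse_eid11(xml_text)
        if row and matches_rule(row):
            hits[(row["dest"], row["file_path"], row["process_guid"], row["user"])] += 1
    return dict(hits)


def _event(target: str, pguid: str = "{A1B2C3D4-0000-0000-0000-000000000001}") -> str:
    """Constructed Sysmon EID 11 record (not captured from a real host)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="ProcessGuid">{pguid}</Data>
    <Data Name="ProcessId">4412</Data>
    <Data Name="Image">C:\\Windows\\explorer.exe</Data>
    <Data Name="TargetFilename">{target}</Data>
    <Data Name="CreationUtcTime">2024-01-15 10:02:11.120</Data>
    <Data Name="User">CORP\\bob</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    _event(r"C:\Users\bob\AppData\Local\Temp\invoice.lnk"),                       # fires (via *:\Users\*)
    _event(r"C:\Windows\Temp\update.lnk"),                                         # fires
    _event(r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\q1.xlsx.lnk"),  # suppressed: Recent
    _event(r"C:\Users\bob\OneDrive - Contoso\Desktop\notes.lnk"),                  # suppressed: OneDrive
    _event(r"C:\Users\bob\Downloads\setup.exe"),                                   # not a .lnk
    _event(r"C:\ProgramData\Vendor\tool.lnk"),                                     # not a watched location
]

if __name__ == "__main__":
    for key, count in run_detection(SAMPLE_EVENTS).items():
        print(count, *key)
```

Running it yields two rows, the user-profile Temp shortcut and the Windows\Temp shortcut; the Recent and OneDrive shortcuts are dropped by the NOT clause even though they sit under `*:\Users\*`. The same harness is a cheap place to try a proposed addition to the `process_creating_lnk_file_in_suspicious_location_filter` macro against real TargetFilename values before changing it in production.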