Forum Discussion

MikeP751860
Brass Contributor
Jan 16, 2023

Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event

Hi,


Following the Friday 13th event with Defender ASR block and removing of shortcut links. Has anyone been able to use the Defender Timeline information on assets to report on the shortcut links which were removed? 

In my case we do not have any data reporting the deletion of the file itself. We do have the ASR event on machines, but it is also clear that we have lots of other application shortcuts disappearing without ASR events being triggered. This means we cannot get a true idea of the scale of the issue for my estate.


Note - We don't have VSS enabled on the endpoints.


Is there any other method of getting some idea of what has been deleted?

  • sjf_ch
    Copper Contributor

    MikeP751860 


    I had the same issue as you. The KQL query provided by Microsoft did not return all the deleted .lnk files. In the timeline of our devices I found entries with the ActionType "BrowserLaunchedToOpenUrl" and the additional information "T1204.002: Malicious File". Based on that I built the following query:


    DeviceEvents
    | where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
    | where ActionType contains "BrowserLaunchedToOpenUrl"
    | where RemoteUrl endswith ".lnk"
    | summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
    | sort by Timestamp asc


    The RemoteUrl shows the deleted .lnk file.

    From there you can further filter for the start menu folder:


    DeviceEvents
    | where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
    | where ActionType contains "BrowserLaunchedToOpenUrl"
    | where RemoteUrl endswith ".lnk"
    | where RemoteUrl contains "start menu"
    | summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
    | sort by Timestamp asc


    Let me know if this helps!

    • MikeP751860
      Brass Contributor

      Morning sjf_ch,


      Thank you for the great reply. Putting your query to work now but having to use Sentinel as we are getting more than 10000 records. Did try to see if I could add the AV signature as a column but failed to get that to work correctly.


      Mike


    • MikeP751860
      Brass Contributor

      Hi Heike,

      Thanks for the link. We have already reviewed and are using the script for the core applications, but it doesn't help us with the discovery of the business applications which have been impacted.

      Really need a list of every shortcut lnk file which has been deleted from the machines, but cannot find that information in our device timelines, which means I can't search it in advanced hunting.

    • MikeP751860
      Brass Contributor

      Hi yongrheemsft, not tried the script as it wouldn't help us. 


      We have an estate of 6000 devices onboarded to Defender and Intune managed. No way to centrally report the data back, but I can't trust that the ASR events have been recorded, as we have proof that devices have had shortcuts removed and the Defender advanced hunting has not reported an ASR event for the file.


      Mike

      • yongrheemsft
        Microsoft
        MikeP751860 please try the following Advanced Hunting query:
        DeviceEvents
        | where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
        | where ActionType contains "BrowserLaunchedToOpenUrl"
        | where RemoteUrl endswith ".lnk"
        | where RemoteUrl contains "start menu"
        | summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
        | sort by Timestamp asc
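As an added example (not posted in this thread and not a Microsoft query), the query below builds on sjf_ch's BrowserLaunchedToOpenUrl approach and on Mike's point that some devices lost shortcuts without any recorded ASR event: it summarises the .lnk paths per device, which keeps the result well under the 10000-row limit, and flags devices that produced no ASR event at all on 13 January. It assumes that ASR detections in DeviceEvents carry ActionType values beginning with "Asr".

```kql
// Added example, not from the thread. Per-device summary of .lnk paths seen in
// BrowserLaunchedToOpenUrl events on 13 Jan 2023, joined against ASR activity so
// that devices which lost shortcuts with no ASR evidence stand out.
let start = datetime(2023-01-13);
let stop  = datetime(2023-01-14);
// Devices and the shortcut paths recorded for them (same signal sjf_ch used).
let DeletedLnk = DeviceEvents
    | where Timestamp >= start and Timestamp < stop
    | where ActionType == "BrowserLaunchedToOpenUrl"
    | where RemoteUrl endswith ".lnk"
    // Last path segment = shortcut file name, readable as the affected application.
    | extend ShortcutName = tostring(split(RemoteUrl, @"\")[-1])
    | extend InStartMenu = RemoteUrl contains "start menu"
    | summarize LnkCount = dcount(RemoteUrl),
                StartMenuHits = countif(InStartMenu),
                Shortcuts = make_set(ShortcutName, 50)
      by DeviceId, DeviceName;
// Devices with at least one ASR event that day.
// Assumption: ASR action types in DeviceEvents start with "Asr".
let AsrDevices = DeviceEvents
    | where Timestamp >= start and Timestamp < stop
    | where ActionType startswith "Asr"
    | summarize AsrEvents = count() by DeviceId;
DeletedLnk
| join kind=leftouter AsrDevices on DeviceId
// Unmatched devices come back with a null count; treat that as zero.
| extend AsrEventCount = coalesce(AsrEvents, 0)
| extend NoAsrEvidence = AsrEventCount == 0
| project DeviceName, DeviceId, LnkCount, StartMenuHits, AsrEventCount, NoAsrEvidence, Shortcuts
| sort by NoAsrEvidence desc, LnkCount desc
```

Devices with NoAsrEvidence set to true are the ones Mike describes: shortcuts gone, but nothing in the ASR data to account for it.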
