Forum Discussion
MikeP751860
Jan 16, 2023 · Copper Contributor
Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event
Hi. Following the Friday 13th event with the Defender ASR block and removal of shortcut links, has anyone been able to use the Defender Timeline information on assets to report on the shortcut links...
sjf_ch
Jan 16, 2023 · Copper Contributor
I had the same issue as you. The KQL query provided by Microsoft did not return all the deleted .lnk files. In the timeline of our devices I found entries with the ActionType "BrowserLaunchedToOpenUrl" and the additional information "T1204.002: Malicious File". Based on that I built the following query:
DeviceEvents
| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
| sort by Timestamp asc
The RemoteURL shows the deleted .lnk file.
From there you can further filter for the start menu folder:
DeviceEvents
| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| where RemoteUrl contains "start menu"
| summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
| sort by Timestamp asc
Let me know if this helps!
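Added example, not part of sjf_ch's post or of any Microsoft query: the same filter replayed in Python over a handful of constructed rows shaped like the DeviceEvents columns the query uses (Timestamp, DeviceName, DeviceId, ActionType, RemoteUrl), so the query's semantics can be checked offline before running it against real telemetry. The Python mirrors KQL's behaviour where it matters for this hunt: `contains` and `endswith` are case-insensitive, `summarize by` collapses exact-duplicate rows, and the window is a half-open day. The device names, ids and paths in the sample rows are invented.

```python
"""Replay the thread's DeviceEvents .lnk filter over constructed sample rows."""
from datetime import datetime, timezone

START_MENU = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs"

# Constructed rows shaped like the DeviceEvents columns the query uses.
# Every value here is made up for illustration; none is real telemetry.
SAMPLE_DEVICE_EVENTS = [
    {"Timestamp": "2023-01-13T08:02:11Z", "DeviceName": "ws-finance-01", "DeviceId": "dev-0001",
     "ActionType": "BrowserLaunchedToOpenUrl", "RemoteUrl": START_MENU + r"\Accessories\Notepad.lnk"},
    # exact duplicate of the row above: `summarize by` collapses it
    {"Timestamp": "2023-01-13T08:02:11Z", "DeviceName": "ws-finance-01", "DeviceId": "dev-0001",
     "ActionType": "BrowserLaunchedToOpenUrl", "RemoteUrl": START_MENU + r"\Accessories\Notepad.lnk"},
    # upper-case extension, outside the start menu: still a .lnk hit
    {"Timestamp": "2023-01-13T09:15:40Z", "DeviceName": "ws-finance-01", "DeviceId": "dev-0001",
     "ActionType": "BrowserLaunchedToOpenUrl", "RemoteUrl": r"C:\Users\alice\Desktop\Excel.LNK"},
    # upper-case folder name: KQL `contains "start menu"` still matches
    {"Timestamp": "2023-01-13T10:30:00Z", "DeviceName": "ws-hr-07", "DeviceId": "dev-0007",
     "ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": r"C:\ProgramData\Microsoft\Windows\START MENU\Programs\Word.lnk"},
    # one second before the window opens: excluded
    {"Timestamp": "2023-01-12T23:59:59Z", "DeviceName": "ws-hr-07", "DeviceId": "dev-0007",
     "ActionType": "BrowserLaunchedToOpenUrl", "RemoteUrl": START_MENU + r"\Old.lnk"},
    # an ordinary URL launch, not a shortcut: excluded
    {"Timestamp": "2023-01-13T11:00:00Z", "DeviceName": "ws-hr-07", "DeviceId": "dev-0007",
     "ActionType": "BrowserLaunchedToOpenUrl", "RemoteUrl": "https://example.invalid/page.html"},
    # different ActionType: excluded even though the path is a start-menu .lnk
    {"Timestamp": "2023-01-13T12:00:00Z", "DeviceName": "ws-dev-03", "DeviceId": "dev-0003",
     "ActionType": "FileDeleted", "RemoteUrl": START_MENU + r"\Tool.lnk"},
]


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp string the table exposes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def kql_endswith(haystack: str, suffix: str) -> bool:
    """KQL `endswith` is likewise case-insensitive."""
    return haystack.lower().endswith(suffix.lower())


def deleted_lnk_events(rows, start: str, end: str, start_menu_only: bool = False):
    """Mirror the thread's query: half-open time window, ActionType match,
    .lnk suffix, optional start-menu filter, `summarize by` (distinct rows)
    and `sort by Timestamp asc`. Returns a list of
    (Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType) tuples."""
    lo, hi = _ts(start), _ts(end)
    kept = set()
    for r in rows:
        when = _ts(r["Timestamp"])
        if not (lo <= when < hi):
            continue
        if not kql_contains(r["ActionType"], "BrowserLaunchedToOpenUrl"):
            continue
        url = r.get("RemoteUrl") or ""
        if not kql_endswith(url, ".lnk"):
            continue
        if start_menu_only and not kql_contains(url, "start menu"):
            continue
        kept.add((r["Timestamp"], r["DeviceName"], r["DeviceId"], url, r["ActionType"]))
    return sorted(kept, key=lambda row: _ts(row[0]))


def lnk_report_by_device(rows, start: str, end: str, start_menu_only: bool = False):
    """Roll the distinct hits up per device, which is the shape a
    'which shortcuts were removed where' report needs."""
    report = {}
    for _, name, _, url, _ in deleted_lnk_events(rows, start, end, start_menu_only):
        report.setdefault(name, []).append(url)
    return report


if __name__ == "__main__":
    day = ("2023-01-13T00:00:00Z", "2023-01-14T00:00:00Z")
    for row in deleted_lnk_events(SAMPLE_DEVICE_EVENTS, *day):
        print(row)
    print(lnk_report_by_device(SAMPLE_DEVICE_EVENTS, *day, start_menu_only=True))
```

Running it prints three distinct .lnk hits for the day (the duplicate row is collapsed, the upper-case `.LNK` and `START MENU` rows are still matched) and a per-device report with only the two start-menu shortcuts.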
MikeP751860
Jan 17, 2023 · Copper Contributor
Morning sjf_ch,
Thank you for the great reply. Putting your query to work now, but having to use Sentinel as we are getting more than 10000 records. Did try to see if I could add the AV signature as a column but failed to get that to work correctly.
Mike