Forum Discussion
MikeP751860
Jan 16, 2023, Copper Contributor
Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event
Hi, following the Friday 13th event with the Defender ASR block and removal of shortcut links: has anyone been able to use the Defender Timeline information on assets to report on the shortcut links...
yongrheemsft
Microsoft
Jan 17, 2023
MikeP751860 have you tried https://aka.ms/ASRTestImpact ?
Thanks, Yong Rhee - MSFT
- MikeP751860, Jan 17, 2023, Copper Contributor
Hi yongrheemsft, not tried the script as it wouldn't help us.
We have an estate of 6000 devices onboarded to Defender and Intune managed. There is no way to centrally report the data back, and I can't trust that the ASR events have been recorded, as we have proof that devices have had shortcuts removed and Defender advanced hunting has not reported an ASR event for the file.
Mike
- yongrheemsft, Jan 17, 2023, Microsoft
MikeP751860 please try the following Advanced Hunting query:
DeviceEvents
| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| where RemoteUrl contains "start menu"
| summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
| sort by Timestamp asc
- MikeP751860, Jan 17, 2023, Copper Contributor
yongrheemsft, already using that query, but you can't tell whether the machine was affected by the problem signatures, so you have to assume the worst case. It would be helpful if you could tie the machine signature details to the timestamp for filtering.
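The thread's concern is that a device may have had Start Menu shortcuts deleted during the 13 January window without any ASR event being recorded, and that the query above cannot show which devices carried the problem signature. The Advanced Hunting query below is an added example (not posted by anyone in the thread and not Microsoft guidance) that approaches the same question from the file side: it takes .lnk deletions from DeviceFileEvents, counts ASR events per device in the same window, and joins the device's most recently reported AV signature and engine version. Assumptions: that the removals surface as FileDeleted rows initiated by MsMpEng.exe (the Defender antimalware process; drop that filter if your tenant records them differently), and that DeviceTvmInfoGathering exposes AvSignatureVersion and AvEngineVersion keys in AdditionalFields. That version is the current one, not the version installed at the time of the deletion, so it only narrows the "assume the worst case" problem rather than solving it. No signature version number is given here; compare the reported value against the affected and fixed versions from Microsoft's own advisory.

```kusto
// Window of the 13 Jan 2023 event (same bounds as the query in the thread)
let startTime = datetime(2023-01-13);
let endTime   = datetime(2023-01-14);
// 1. Start Menu shortcut deletions seen by the file-event sensor
let LnkDeletions = DeviceFileEvents
    | where Timestamp >= startTime and Timestamp < endTime
    | where ActionType == "FileDeleted"
    | where FileName endswith ".lnk"
    | where FolderPath has "Start Menu"
    // Assumption: remediation is performed by the Defender AV engine process
    | where InitiatingProcessFileName =~ "MsMpEng.exe"
    | summarize DeletedLnkCount = count(),
                FirstDeletion   = min(Timestamp),
                LastDeletion    = max(Timestamp),
                Paths           = make_set(FolderPath, 50)
              by DeviceId, DeviceName;
// 2. Any ASR event on the device in the same window (zero is the interesting case)
let AsrEvents = DeviceEvents
    | where Timestamp >= startTime and Timestamp < endTime
    | where ActionType startswith "Asr"
    | summarize AsrEventCount = count() by DeviceId;
// 3. Latest reported AV signature/engine version per device
//    Assumption: these keys exist in AdditionalFields of DeviceTvmInfoGathering
let SigVersions = DeviceTvmInfoGathering
    | extend AvSignatureVersion = tostring(AdditionalFields.AvSignatureVersion),
             AvEngineVersion    = tostring(AdditionalFields.AvEngineVersion)
    | summarize arg_max(Timestamp, AvSignatureVersion, AvEngineVersion) by DeviceId;
// Devices with deletions but no ASR event are the ones the sensor data alone would miss
LnkDeletions
| join kind=leftouter AsrEvents on DeviceId
| join kind=leftouter SigVersions on DeviceId
| extend AsrEventCount = coalesce(AsrEventCount, 0)
| project DeviceName, DeviceId, DeletedLnkCount, FirstDeletion, LastDeletion,
          AsrEventCount, AvSignatureVersion, AvEngineVersion, Paths
| sort by AsrEventCount asc, DeletedLnkCount desc
```

Rows with AsrEventCount of 0 and a non-zero DeletedLnkCount are the devices the ASR-event query would not have surfaced; the signature columns let you sort those into "was on the bad signature" versus "needs a manual check". Paths is capped at 50 entries per device by make_set so the result stays readable on a large estate.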