Forum Discussion
Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event
Hi yongrheemsft, I have not tried the script as it wouldn't help us.
We have an estate of 6000 devices onboarded to Defender and Intune managed. There is no way to centrally report the data back, but I can't trust that the ASR events have been recorded, as we have proof that devices have had shortcuts removed and Defender advanced hunting has not reported an ASR event for the file.
Mike
DeviceEvents
| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| where RemoteUrl contains "start menu"
| summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
| sort by Timestamp asc
- MikeP751860, Jan 17, 2023, Copper Contributor
yongrheemsft, already using that query, but you can't tell if the machine was affected by the problem signatures, so you have to assume the worst case. It would be helpful if you could tie the machine signature details to the timestamp for filtering.
- yongrheemsft, Jan 17, 2023, Microsoft
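Added example, not from the thread: a local cross-check for the concern above that advanced hunting did not record an ASR event for every removed shortcut. It reads the Defender operational log on one device for the Friday 13th window and lists the ASR block/audit events (IDs 1121 and 1122) whose path is a .lnk file, so the device's own log can be compared with the DeviceEvents results. It assumes the device still retains its Defender operational log back to 2023-01-13, and the EventData field names (ID, Path, Process Name, User) are taken from the ASR event schema rather than from anything in this thread.

```powershell
# Added example (not part of the thread): list Defender ASR events logged locally on this device
# in the Friday 13th window, for comparison with what advanced hunting reports for the same device.
# Assumes the Microsoft-Windows-Windows Defender/Operational log still covers 2023-01-13.
param(
    [datetime]$Start = '2023-01-13',
    [datetime]$End   = '2023-01-14'
)

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122      # 1121 = ASR rule fired in block mode, 1122 = ASR rule fired in audit mode
    StartTime = $Start
    EndTime   = $End
}

# Get-WinEvent throws a terminating error when nothing matches, so treat "no events" as a result
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$lnkEvents = $events | ForEach-Object {
    # Take the fields from the event XML rather than scraping the rendered message text
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        RuleId  = $data['ID']            # assumed field name: GUID of the ASR rule that fired
        Path    = $data['Path']          # assumed field name: file the rule acted on
        Process = $data['Process Name']
        User    = $data['User']
    }
} | Where-Object { $_.Path -like '*.lnk' } | Sort-Object Time

if ($lnkEvents) {
    $lnkEvents | Format-Table -AutoSize
} else {
    Write-Output ("{0}: no ASR events (1121/1122) for .lnk files logged locally between {1} and {2}" -f $env:COMPUTERNAME, $Start, $End)
}
```

Running this on a device that is known to have lost shortcuts and getting no rows shows whether the gap is in the local log itself or only in what was forwarded to advanced hunting.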
MikeP751860 the following AH query should do the trick:
// Signature versions involved in the 13 January 2023 shortcut removal
let badsignatures = dynamic(['1.381.2134.0','1.381.2140.0','1.381.2152.0','1.381.2163.0']);
// Devices that opened Start Menu .lnk files (the shortcut activity recorded by Defender)
let shortcuts = DeviceEvents
//| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| where RemoteUrl contains "start menu"
| summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
| sort by Timestamp asc;
//let badsignatures = dynamic(['1.381.2134.0','1.381.2140.0','1.381.2152.0','1.381.2163.0']);
// Join the latest reported AV signature version per device to the shortcut activity
DeviceTvmInfoGathering
| evaluate bag_unpack(AdditionalFields)
| where isnotempty(AvSignatureVersion)
| join kind=inner (shortcuts) on DeviceId
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, AvSignatureVersion, AvPlatformVersion, AvEngineVersion, RemoteUrl, ActionType //Timestamp,
| where AvSignatureVersion in (badsignatures)
- MikeP751860, Jan 17, 2023, Copper Contributor
yongrheemsft, tried the AH query but the number of returned records is too small.
When you exclude '| where AvSignatureVersion in (badsignatures)' from the query, in my case most of the machines have an AV signature version of 1.381.2325.0.
- MikeP751860, Jan 17, 2023, Copper Contributor
Quickly put together this PowerShell script to extract all shortcuts from a normal machine.
# ------------------------------------------ [Parameters] --------------------------------------------------
# Path to search
$Path = "C:\ProgramData\Microsoft\Windows\Start Menu"
$CSVFile = "c:\testing\shortcut-data.csv"
# ------------------------------------------ [Functions] ---------------------------------------------------
# Function taken from web site - https://stackoverflow.com/questions/484560/editing-shortcut-lnk-properties-with-powershell#:~:text=A%20short%20addition%20to%20%40JasonMArcher%27s%20answer..%20To%20see,will%20print%20all%20properties%20and%20their%20current%20values.
function Get-Shortcut {
    param(
        $path = $null
    )
    $obj = New-Object -ComObject WScript.Shell
    # No path given: enumerate both the per-user and the all-users Start Menu
    if ($null -eq $path) {
        $pathUser = [System.Environment]::GetFolderPath('StartMenu')
        $pathCommon = $obj.SpecialFolders.Item('AllUsersStartMenu')
        $path = dir $pathUser, $pathCommon -Filter *.lnk -Recurse
    }
    # A single directory string is expanded to the .lnk files it contains
    if ($path -is [string]) {
        $path = dir $path -Filter *.lnk
    }
    $path | ForEach-Object {
        if ($_ -is [string]) {
            $_ = dir $_ -Filter *.lnk
        }
        if ($_) {
            # Read the shortcut properties through the WScript.Shell COM object
            $link = $obj.CreateShortcut($_.FullName)
            $info = @{}
            $info.Hotkey = $link.Hotkey
            $info.TargetPath = $link.TargetPath
            $info.LinkPath = $link.FullName
            $info.Arguments = $link.Arguments
            $info.Target = try { Split-Path $info.TargetPath -Leaf } catch { 'n/a' }
            $info.Link = try { Split-Path $info.LinkPath -Leaf } catch { 'n/a' }
            $info.WindowStyle = $link.WindowStyle
            $info.IconLocation = $link.IconLocation
            New-Object PSObject -Property $info
        }
    }
}
# -------------------------------------------------[ Main Code] --------------------------------------------
# Get Lnk files: pass each file object to Get-Shortcut so it reads that file
# (calling Get-Shortcut with no argument would re-enumerate both Start Menus for every file)
$Files = Get-ChildItem -Path $Path -Recurse -Filter "*.lnk" | ForEach-Object { Get-Shortcut -path $_ }
# Export to CSV file
$Files | Export-Csv -Path $CSVFile -NoClobber -NoTypeInformation
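Added example, not from the thread: the natural next step for the inventory produced by the script above is to compare it against another machine, so this script takes the CSV exported from a known-good machine as a baseline and reports which of those shortcuts are missing on the machine it runs on. It assumes the baseline CSV has the LinkPath, TargetPath and Arguments columns that Get-Shortcut emits, that both machines use the same common Start Menu path, and the file paths used here are placeholders.

```powershell
# Added example (not part of the thread): compare a baseline shortcut inventory (CSV exported by the
# script above from a known-good machine) with the shortcuts present on this machine, and list the
# baseline entries that are missing here. Paths are assumed placeholders.
param(
    [string]$BaselineCsv = 'c:\testing\shortcut-data.csv',
    [string]$Path        = 'C:\ProgramData\Microsoft\Windows\Start Menu',
    [string]$ReportCsv   = "c:\testing\missing-shortcuts-$env:COMPUTERNAME.csv"
)

# Normalise a shortcut path to the part below the "Start Menu" root, lower-cased, so a differently
# rooted baseline or a drive-letter difference does not produce false "missing" results
function Get-RelativeLink {
    param([string]$FullPath)
    $idx = $FullPath.IndexOf('Start Menu', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $FullPath.Substring($idx).ToLowerInvariant() }
    return $FullPath.ToLowerInvariant()
}

$baseline = @(Import-Csv -Path $BaselineCsv)

# Index the shortcuts that exist on this machine by their normalised path
$present = @{}
Get-ChildItem -Path $Path -Recurse -Filter '*.lnk' | ForEach-Object {
    $present[(Get-RelativeLink $_.FullName)] = $true
}

# Every baseline shortcut with no counterpart here is reported with its original target
$missing = @(foreach ($row in $baseline) {
    $key = Get-RelativeLink $row.LinkPath
    if (-not $present.ContainsKey($key)) {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            LinkPath     = $row.LinkPath
            TargetPath   = $row.TargetPath
            Arguments    = $row.Arguments
        }
    }
})

Write-Output ("{0}: {1} baseline shortcuts, {2} missing" -f $env:COMPUTERNAME, $baseline.Count, $missing.Count)
$missing | Sort-Object LinkPath | Format-Table -AutoSize

# Write a per-device report so the results can be collected from many machines
if ($missing.Count -gt 0) { $missing | Export-Csv -Path $ReportCsv -NoTypeInformation }
```

Because the report keeps the baseline TargetPath and Arguments for each missing shortcut, it also gives the information needed to recreate those shortcuts on the affected device rather than only a count of what is gone.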