Forum Discussion
MikeP751860
Jan 16, 2023 - Brass Contributor
Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event
Hi, following the Friday 13th event with the Defender ASR block and removal of shortcut links, has anyone been able to use the Defender Timeline information on assets to report on the shortcut links...
MikeP751860
Jan 17, 2023 - Brass Contributor
yongrheemsft Already using that query, but you can't tell if the machine was affected by the problem signatures, so you have to assume the worst case. It would be helpful if you could tie the machine signature details to the timestamp for filtering.
MikeP751860
Jan 17, 2023 - Brass Contributor
Quickly put together this PowerShell script to extract all shortcuts from a normal machine.
```powershell
# ------------------------------------------ [Parameters] --------------------------------------------------
# Path to search
$Path = "C:\ProgramData\Microsoft\Windows\Start Menu"
$CSVFile = "c:\testing\shortcut-data.csv"
# ------------------------------------------ [Functions] ---------------------------------------------------
# Function taken from web site - https://stackoverflow.com/questions/484560/editing-shortcut-lnk-properties-with-powershell#:~:text=A%20short%20addition%20to%20%40JasonMArcher%27s%20answer..%20To%20see,will%20print%20all%20properties%20and%20their%20current%20values.
function Get-Shortcut {
    param(
        $path = $null
    )
    # WScript.Shell can read the properties of an existing .lnk via CreateShortcut()
    $obj = New-Object -ComObject WScript.Shell
    # No path supplied: fall back to the user and all-users Start Menu folders
    if ($null -eq $path) {
        $pathUser = [System.Environment]::GetFolderPath('StartMenu')
        $pathCommon = $obj.SpecialFolders.Item('AllUsersStartMenu')
        $path = dir $pathUser, $pathCommon -Filter *.lnk -Recurse
    }
    if ($path -is [string]) {
        $path = dir $path -Filter *.lnk
    }
    $path | ForEach-Object {
        if ($_ -is [string]) {
            $_ = dir $_ -Filter *.lnk
        }
        if ($_) {
            $link = $obj.CreateShortcut($_.FullName)
            $info = @{}
            $info.Hotkey = $link.Hotkey
            $info.TargetPath = $link.TargetPath
            $info.LinkPath = $link.FullName
            $info.Arguments = $link.Arguments
            $info.Target = try { Split-Path $info.TargetPath -Leaf } catch { 'n/a' }
            $info.Link = try { Split-Path $info.LinkPath -Leaf } catch { 'n/a' }
            $info.WindowStyle = $link.WindowStyle
            $info.IconLocation = $link.IconLocation
            New-Object PSObject -Property $info
        }
    }
}
# -------------------------------------------------[ Main Code] --------------------------------------------
# Get Lnk files under $Path. Each file is passed to Get-Shortcut; calling it with no
# argument would make it re-scan its default Start Menu folders once per file found.
$Files = Get-ChildItem -Path $Path -Recurse -Filter "*.lnk" | ForEach-Object { Get-Shortcut -path $_ }
# Export to CSV file
$Files | Export-Csv -Path $CSVFile -NoClobber -NoTypeInformation
```
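An added example, not part of MikeP751860's post: one way to use the exported CSV is to compare it against the shortcuts currently present on another machine and report the ones that are missing. The function name `Compare-ShortcutBaseline`, its parameters and the output file path are assumptions; it relies on the `LinkPath`, `TargetPath` and `Arguments` columns that the export script writes.

```powershell
# Added example: list baseline shortcuts that no longer exist on this machine.
# Assumes the baseline CSV was produced by the export script (LinkPath column present).
function Compare-ShortcutBaseline {
    param(
        [Parameter(Mandatory)] [string] $BaselineCsv,   # CSV exported from a normal machine
        [string] $Root = 'C:\ProgramData\Microsoft\Windows\Start Menu'
    )

    if (-not (Test-Path -LiteralPath $BaselineCsv)) {
        throw "Baseline CSV not found: $BaselineCsv"
    }

    # Shortcuts present right now, held in a case-insensitive set of full paths.
    $present = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem -LiteralPath $Root -Recurse -Filter *.lnk -File -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$present.Add($_.FullName) }

    Import-Csv -LiteralPath $BaselineCsv |
        # Only compare baseline entries that live under the folder being checked.
        Where-Object { $_.LinkPath -and $_.LinkPath.StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase) } |
        Where-Object { -not $present.Contains($_.LinkPath) } |
        ForEach-Object {
            # A missing target usually means the application is not installed here,
            # so the shortcut was never expected on this machine.
            $targetExists = [bool]($_.TargetPath -and
                (Test-Path -LiteralPath $_.TargetPath -ErrorAction SilentlyContinue))
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                LinkPath     = $_.LinkPath
                TargetPath   = $_.TargetPath
                Arguments    = $_.Arguments
                TargetExists = $targetExists
            }
        }
}

# Usage: the output path is a placeholder.
$missing = Compare-ShortcutBaseline -BaselineCsv 'c:\testing\shortcut-data.csv'
$missing | Sort-Object LinkPath | Format-Table -AutoSize
$missing | Export-Csv -Path 'c:\testing\missing-shortcuts.csv' -NoTypeInformation
```

Rows with `TargetExists` set to true are the shortcuts worth recreating; the `TargetPath` and `Arguments` columns carry what is needed to do so.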