Forum Discussion
MikeP751860
Jan 16, 2023, Brass Contributor
Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event
Hi, Following the Friday 13th event with Defender ASR block and removing of shortcut links. Has anyone been able to use the Defender Timeline information on assets to report on the shortcut links...
MikeP751860
Jan 17, 2023, Brass Contributor
yongrheemsft Already using that query but you can't tell if the machine was affected by the problem signatures so you have to assume the worst case. Would be helpful if you can tie the machine signature details to the timestamp for filtering.
yongrheemsft
Microsoft
Jan 17, 2023
MikeP751860 the following AH query should do the trick:

let badsignatures = dynamic(['1.381.2134.0','1.381.2140.0','1.381.2152.0','1.381.2163.0']);
let shortcuts = DeviceEvents
//| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| where RemoteUrl contains "start menu"
| summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
| sort by Timestamp asc;
//let badsignatures = dynamic(['1.381.2134.0','1.381.2140.0','1.381.2152.0','1.381.2163.0']);
DeviceTvmInfoGathering
| evaluate bag_unpack(AdditionalFields)
| where isnotempty(AvSignatureVersion)
| join kind=inner (shortcuts) on DeviceId
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, AvSignatureVersion, AvPlatformVersion, AvEngineVersion, RemoteUrl, ActionType //Timestamp,
| where AvSignatureVersion in (badsignatures)
- MikeP751860, Jan 17, 2023, Brass Contributor
yongrheemsft Tried the AH query but the number of returned data records is too small.
When you exclude '| where AvSignatureVersion in (badsignatures)' from the query, in my case I see that most of the machines have an AV signature version of 1.381.2325.0.
- MikeP751860, Jan 17, 2023, Brass Contributor
I think you might have missed the point. The 'shortcuts' let query is filtered to the timestamp range (2023-01-13 to 2023-01-14), so how can you have a signature of 1.381.2325.0 which was released on the 1/17/2023 11:11:14 AM?
- yongrheemsft, Jan 17, 2023, Microsoft
//| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14), it's commented out since it starts with //
- yongrheemsft, Jan 17, 2023, Microsoft
That is good, that version doesn't have the problem. The query is checking for machines in the last 30 days that had the problematic version and lists the shortcuts. Thx.
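A variant of the query above, added here as an example and not part of the thread, that keeps the Jan 13 window on the shortcut events, counts the affected Start Menu shortcuts per device, and reports the device's currently reported signature version as a column instead of using it as a filter (so devices that have since updated past the listed versions are not dropped). Column names are the ones used in the thread; that DeviceTvmInfoGathering only reflects the latest snapshot rather than the version at event time is an assumption.

```kql
// Added example: per-device report of Start Menu .lnk removal events in the Jan 13 window,
// joined to the device's currently reported AV signature/platform/engine versions.
// Assumption: DeviceTvmInfoGathering is a latest-snapshot table, so the signature version is
// shown alongside the events, not used to filter them.
let badsignatures = dynamic(['1.381.2134.0','1.381.2140.0','1.381.2152.0','1.381.2163.0']);
let shortcuts = DeviceEvents
| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| where RemoteUrl contains "start menu"
// one row per device: when it started/stopped, how many distinct shortcuts, and which ones
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            ShortcutCount = dcount(RemoteUrl), Shortcuts = make_set(RemoteUrl, 50)
    by DeviceId, DeviceName;
let avinfo = DeviceTvmInfoGathering
| evaluate bag_unpack(AdditionalFields)
| where isnotempty(AvSignatureVersion)
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, AvSignatureVersion, AvPlatformVersion, AvEngineVersion;
shortcuts
// leftouter keeps devices that have shortcut events but no TVM signature record
| join kind=leftouter avinfo on DeviceId
| extend CurrentSignatureIsBad = AvSignatureVersion in (badsignatures)
| project DeviceName, FirstSeen, LastSeen, ShortcutCount, Shortcuts,
          AvSignatureVersion, AvPlatformVersion, AvEngineVersion, CurrentSignatureIsBad
| sort by ShortcutCount desc
```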