Forum Discussion
MikeP751860
Jan 16, 2023
Brass Contributor
Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event
Hi, following the Friday 13th event with the Defender ASR block and removal of shortcut links, has anyone been able to use the Defender Timeline information on assets to report on the shortcut links...
MikeP751860
Jan 17, 2023
Brass Contributor
yongrheemsft Tried the AH query, but the returned set of data records is too small.
When you exclude '| where AvSignatureVersion in (badsignatures)' from the query, in my case I see most of the machines have an AV signature version of 1.381.2325.0.
yongrheemsft
Microsoft
Jan 17, 2023
That is good; that version doesn't have the problem. The query is checking for machines in the last 30 days that had the problematic version and lists the shortcuts. Thx.