Hi Heike,

Thanks for the link. We have already reviewed and using the script for the core applications but it doesn't help us with the discovery of the business applications which have been impacted.

Really need a list of every shortcut lnk file which has been deleted from the machines but cannot find that information in our device timelines which means I can't search it in advanced hunting.

During my investigations I have come across the Microsoft Store application Windows File Recovery - https://apps.microsoft.com/store/detail/windows-file-recovery/9N26S50LN705.

It appears will only install in user context, if we could get it to install in the system context then maybe it could help customers to restore files.

Morning @sjf_ch,

 

Thank-you for the great reply. Putting your query to work now but having to use Sentinel as we are getting more than 10000 records. Did try to see if I could add the AV signature as a column but failed to get that to work correctly.

 

Mike

 

Hi @Yong Rhee, not tried the script as it wouldn't help us. 

 

We have an estate of 6000 devices onboarded to Defender and Intune managed. No way to centrally report the data back but I can't trust that the ASR events has been recorded as we have proof that devices have had shortcuts removed and the Defender advanced hunting has not reported an ASR event for the file.

 

Mike

@MikeP751860 please try the following Advanced Hunting query:
DeviceEvents
| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| where RemoteUrl contains "start menu"
| summarize by Timestamp, DeviceName, DeviceId, RemoteUrl,ActionType
| sort by Timestamp asc

@Yong Rhee Already using that query but you can't tell if the machine was affected by the problem signatures so you have to assume the worst case. Would be helpful if you can tie the machine signature details to the timestamp for filtering.

 

 

Quickly put together this PowerShell script to extract all shortcuts from a normal machine.

# ------------------------------------------ [Parameters] --------------------------------------------------
# Path to search
$Path = "C:\ProgramData\Microsoft\Windows\Start Menu"
$CSVFile = "c:\testing\shortcut-data.csv"

# ------------------------------------------ [Functions] ---------------------------------------------------

# Function taken from web site - https://stackoverflow.com/questions/484560/editing-shortcut-lnk-properties-with-powershell#:~:text=A....
function Get-Shortcut {
param(
$path = $null
)

$obj = New-Object -ComObject WScript.Shell

if ($path -eq $null) {
$pathUser = [System.Environment]::GetFolderPath('StartMenu')
$pathCommon = $obj.SpecialFolders.Item('AllUsersStartMenu')
$path = dir $pathUser, $pathCommon -Filter *.lnk -Recurse
}
if ($path -is [string]) {
$path = dir $path -Filter *.lnk
}
$path | ForEach-Object {
if ($_ -is [string]) {
$_ = dir $_ -Filter *.lnk
}
if ($_) {
$link = $obj.CreateShortcut($_.FullName)

$info = @{}
$info.Hotkey = $link.Hotkey
$info.TargetPath = $link.TargetPath
$info.LinkPath = $link.FullName
$info.Arguments = $link.Arguments
$info.Target = try {Split-Path $info.TargetPath -Leaf } catch { 'n/a'}
$info.Link = try { Split-Path $info.LinkPath -Leaf } catch { 'n/a'}
$info.WindowStyle = $link.WindowStyle
$info.IconLocation = $link.IconLocation

New-Object PSObject -Property $info
}
}
}

# -------------------------------------------------[ Main Code] --------------------------------------------

#Get Lnk files
$Files = Get-ChildItem -Path $Path -Recurse -Filter "*.lnk" |select Name, DirectoryName, BaseName, FullName | ForEach-Object {Get-Shortcut}

#Export to CSV file
$Files | Export-Csv -Path $CSVFile -NoClobber -NoTypeInformation

@MikeP751860 the following AH query should do the trick: let badsignatures = dynamic(['1.381.2134.0','1.381.2140.0','1.381.2152.0','1.381.2163.0']);
let shortcuts = DeviceEvents
//| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| where RemoteUrl contains "start menu"
| summarize by Timestamp, DeviceName, DeviceId, RemoteUrl,ActionType
| sort by Timestamp asc;
//let badsignatures = dynamic(['1.381.2134.0','1.381.2140.0','1.381.2152.0','1.381.2163.0']);
DeviceTvmInfoGathering
| evaluate bag_unpack(AdditionalFields)
| where isnotempty( AvSignatureVersion )
| join kind=inner (shortcuts) on DeviceId
| summarize arg_max(Timestamp,*) by DeviceId
| project DeviceName, AvSignatureVersion, AvPlatformVersion, AvEngineVersion, RemoteUrl,ActionType //Timestamp,
| where AvSignatureVersion in (badsignatures)

@Yong Rhee Tried the AH query but the returned data records is too small. 

 

When you exclude '| where AvSignatureVersion in (badsignatures)' from the query and in my case see most of the machines have an AV signature version of 1.381.2325.0.

That is good, that version doesn't have the problem. The query is checking for machines in the last 30 days that had the problematic version and lists the shortcuts. Thx.

I think you might of missed the point. The 'shortcuts' let query is filtered to the timestamp range (2023-01-13 to 2023-01-14) so how can you have a signature of 1.381.2325.0 which was released on the 1/17/2023 11:11:14 AM?

//| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14), it's commented out since it starts with //