splunk_escu / Anomaly
Process Creating LNK file in Suspicious Location
The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\User*` or `*\Local\Temp\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity can be significant because creating `.lnk` files in these directories is a common indicator of spear-phishing tooling establishing persistence or executing malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.
MITRE ATT&CK
T1566.002
Detection Query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Endpoint.Filesystem where
Filesystem.action="created"
Filesystem.file_name="*.lnk"
Filesystem.file_path IN (
"*:\\AppData\\Local\\Temp\\*",
"*:\\Temp\\*",
"*:\\Users\\*",
"*:\\Windows\\Temp\\*"
)
NOT Filesystem.file_path IN (
"*\\AppData\\Local\\Microsoft\\Windows\\WinX\\*",
"*\\AppData\\Roaming\\Microsoft\\Excel\\*",
"*\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*",
"*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*",
"*\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*",
"*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*",
"*\\AppData\\Roaming\\Microsoft\\Word\\*",
"*\\Links\\*",
"*\\OneDrive *"
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash
Filesystem.file_modify_time Filesystem.file_name
Filesystem.file_path Filesystem.file_acl Filesystem.file_size
Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `process_creating_lnk_file_in_suspicious_location_filter`
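As an added illustration that is not part of the ESCU content, the query's where-clause (include globs, exclusion globs, `.lnk` name check) and its count/firstTime/lastTime aggregation re-implemented in Python over constructed Sysmon EventID 11 records, so the path logic can be exercised offline before tuning the filter macro. The `TargetFilename`, `Computer` and `ProcessId` keys follow Sysmon's FileCreate event fields; the host `ws01`, the paths and the timestamps are constructed.

```python
import fnmatch

# Path globs copied from the detection's SPL ("*" is the SPL wildcard).
SUSPICIOUS_PATHS = [r"*:\AppData\Local\Temp\*", r"*:\Temp\*",
                    r"*:\Users\*", r"*:\Windows\Temp\*"]
ALLOWLISTED_PATHS = [
    r"*\AppData\Local\Microsoft\Windows\WinX\*",
    r"*\AppData\Roaming\Microsoft\Excel\*",
    r"*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\*",
    r"*\AppData\Roaming\Microsoft\Office\Recent\*",
    r"*\AppData\Roaming\Microsoft\Windows\Recent\*",
    r"*\AppData\Roaming\Microsoft\Windows\Start Menu\*",
    r"*\AppData\Roaming\Microsoft\Word\*",
    r"*\Links\*",
    r"*\OneDrive *",
]

def _matches_any(value, patterns):
    # Windows paths are case-insensitive; fnmatchcase is not, so lower both sides.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

def is_suspicious_lnk_create(event):
    """The detection's where-clause applied to one Sysmon EventID 11 (FileCreate) record."""
    path = event["TargetFilename"]
    name = path.rsplit("\\", 1)[-1]
    return (event.get("EventID") == 11 and name.lower().endswith(".lnk")
            and _matches_any(path, SUSPICIOUS_PATHS)
            and not _matches_any(path, ALLOWLISTED_PATHS))

def run_detection(events):
    """Mimic the tstats aggregation: count, firstTime, lastTime per (dest, file_path, process_id)."""
    results = {}
    for e in filter(is_suspicious_lnk_create, events):
        key = (e["Computer"], e["TargetFilename"], e["ProcessId"])
        r = results.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        r["count"] += 1
        r["firstTime"], r["lastTime"] = min(r["firstTime"], e["_time"]), max(r["lastTime"], e["_time"])
    return results

def ev(t, pid, path):  # constructed minimal Sysmon EventID 11 record (not real telemetry)
    return {"_time": t, "EventID": 11, "Computer": "ws01", "ProcessId": pid, "TargetFilename": path}

SAMPLE_EVENTS = [
    ev(1700000000, 4120, r"C:\Users\alice\AppData\Local\Temp\invoice.lnk"),                      # fires
    ev(1700000005, 4120, r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"),  # allowlisted
    ev(1700000010, 880, r"C:\Windows\Temp\update.LNK"),                                          # fires
    ev(1700000015, 880, r"C:\Windows\Temp\update.exe"),                                          # not a .lnk
]
```

The `Recent` shortcut is dropped by the exclusion list and the `.exe` by the name check, leaving two rows, which is the same result the SPL would return on equivalent Endpoint.Filesystem events.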
Author
Jose Hernandez, Michael Haag, Splunk
Created
2026-04-15
Data Sources
Sysmon EventID 11
References
- https://attack.mitre.org/techniques/T1566/001/
- https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html
- https://twitter.com/pr0xylife/status/1590394227758104576
Tags
- Spearphishing Attachments
- Qakbot
- IcedID
- Amadey
- Gozi Malware
- APT37 Rustonotto and FadeStealer
- BlankGrabber Stealer
Raw Content
name: Process Creating LNK file in Suspicious Location
id: 5d814af1-1041-47b5-a9ac-d754e82e9a26
version: 16
date: '2026-04-15'
author: Jose Hernandez, Michael Haag, Splunk
status: production
type: Anomaly
description: |
  The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\User*` or `*\Local\Temp\*`.
  It leverages filesystem and process activity data from the Endpoint data model to identify this behavior.
  This activity can be significant because creating `.lnk` files in these directories is a common indicator of spear-phishing tooling establishing persistence or executing malicious payloads.
  If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.
data_source:
  - Sysmon EventID 11
search: |
  | tstats `security_content_summariesonly`
  count min(_time) as firstTime
  max(_time) as lastTime
  FROM datamodel=Endpoint.Filesystem where
  Filesystem.action="created"
  Filesystem.file_name="*.lnk"
  Filesystem.file_path IN (
  "*:\\AppData\\Local\\Temp\\*",
  "*:\\Temp\\*",
  "*:\\Users\\*",
  "*:\\Windows\\Temp\\*"
  )
  NOT Filesystem.file_path IN (
  "*\\AppData\\Local\\Microsoft\\Windows\\WinX\\*",
  "*\\AppData\\Roaming\\Microsoft\\Excel\\*",
  "*\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*",
  "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*",
  "*\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*",
  "*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*",
  "*\\AppData\\Roaming\\Microsoft\\Word\\*",
  "*\\Links\\*",
  "*\\OneDrive *"
  )
  by Filesystem.action Filesystem.dest Filesystem.file_access_time
  Filesystem.file_create_time Filesystem.file_hash
  Filesystem.file_modify_time Filesystem.file_name
  Filesystem.file_path Filesystem.file_acl Filesystem.file_size
  Filesystem.process_guid Filesystem.process_id
  Filesystem.user Filesystem.vendor_product
  | `drop_dm_object_name(Filesystem)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `process_creating_lnk_file_in_suspicious_location_filter`
how_to_implement: |
  You must be ingesting data that records filesystem and process activity
  from your hosts to populate the Endpoint data model. This is typically populated
  via an endpoint detection-and-response product, such as Carbon Black, or endpoint data
  sources, such as Sysmon.
known_false_positives: |
  False positives are expected to occur, since `.lnk` files can be created legitimately
  by users or applications. To reduce noise, consider joining this to the process that created
  the LNK file and checking whether it is a known-good process.
references:
  - https://attack.mitre.org/techniques/T1566/001/
  - https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html
  - https://twitter.com/pr0xylife/status/1590394227758104576
drilldown_searches:
  - name: View the detection results for - "$dest$" and "$user$"
    search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
    earliest_offset: $info_min_time$
    latest_offset: $info_max_time$
  - name: View risk events for the last 7 days for - "$dest$" and "$user$"
    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
    earliest_offset: 7d
    latest_offset: "0"
rba:
  message: A shortcut file [$file_name$] was created in $file_path$ on the host $dest$
  risk_objects:
    - field: dest
      type: system
      score: 20
    - field: user
      type: user
      score: 20
  threat_objects:
    - field: file_name
      type: file_name
    - field: file_path
      type: file_path
tags:
  analytic_story:
    - Spearphishing Attachments
    - Qakbot
    - IcedID
    - Amadey
    - Gozi Malware
    - APT37 Rustonotto and FadeStealer
    - BlankGrabber Stealer
  asset_type: Endpoint
  mitre_attack_id:
    - T1566.002
  product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
  security_domain: network
tests:
  - name: True Positive Test
    attack_data:
      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log
        source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
        sourcetype: XmlWinEventLog