This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 82%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Hi everyone,
I've been trying to create a hunting query in the Defender portal to identify when a malicious .lnk file is created. I noticed that an interesting event to detect and analyze this is "DeviceEvents --> ShellLinkCreateFileEvent", as the AdditionalFields include information such as ShellLinkIconPath, ShellLinkRunAsAdmin, or even the arguments used to execute the .lnk file (ShellLinkCommandLine, which is the most interesting one).
However, the target file of the shortcut is not displayed! This is the most basic information that should appear.
Do you know if this will be included in the future? Is it possible to obtain this information from another event by doing a join?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Hi @viri4to
Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Have you not got the details in the FileName column, or columns that start with "Initiating..."? especially InitiatingProcessCommandLine
DeviceEvents
| where AdditionalFields contains "shellLink"
| mv-expand AdditionalFields
| distinct tostring(AdditionalFields), FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessFileName
Hello guys, sorry, I was on vacation.
No, Clive, the log does not show that information, as the FileName field contains the name of the LNK file you created, and the initiatingProcessFileName field shows the process that created that LNK file. Therefore, the information about which executable the LNK points to does not appear.
Here's an example: as you can see in the device timeline, it does show that the LNK file targets Conhost.exe.
However, in the logs from the hunting query, the Target does not appear, as can be observed.
I think it would be good to add the target in the additional fields as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 32%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EU7%3C/text%3E%3C/svg%3E)
Hello,
I noticed sometime this information is available in "AdditionalDetail" column key "ShellLinkIconPath".
I don't know why this information is sometime lacking though.
Hey man, yeah I saw that field too, but keep in mind it's the path to the icon used by the .lnk, not the target file it executes. I didn't check it, but maybe it doesn't appear sometimes because the .lnk file uses the default icon.