Microsoft XDR (Defender) - DeviceEvents - ShellLinkCreateFileEvent
Hi everyone,
I've been trying to create a hunting query in the Defender portal to identify when a malicious .lnk file is created. I noticed that an interesting event to detect and analyze this is "DeviceEvents --> ShellLinkCreateFileEvent", as the AdditionalFields include information such as ShellLinkIconPath, ShellLinkRunAsAdmin, or even the arguments used to execute the .lnk file (ShellLinkCommandLine, which is the most interesting one).
However, the target file of the shortcut is not displayed! This is the most basic information that should appear.
Do you know if this will be included in the future? Is it possible to obtain this information from another event by doing a join?
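A starting point for the hunting query the post describes, written here as an added example rather than anything from the original post or from Microsoft's documentation. It assumes the standard Advanced Hunting DeviceEvents columns (Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields) and that AdditionalFields carries the ShellLinkCommandLine, ShellLinkIconPath and ShellLinkRunAsAdmin keys named in the post; the value type of ShellLinkRunAsAdmin and the regex patterns used for triage are assumptions to be tuned against your own data.

```kql
// Added hunting example (not from the original post). Assumes the DeviceEvents columns
// listed above and the AdditionalFields keys named in the post.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "ShellLinkCreateFileEvent"
// AdditionalFields is a JSON string; pull the shortcut properties out of it.
| extend af = parse_json(AdditionalFields)
| extend ShellLinkCommandLine = tostring(af.ShellLinkCommandLine),
         ShellLinkIconPath    = tostring(af.ShellLinkIconPath),
         ShellLinkRunAsAdmin  = tostring(af.ShellLinkRunAsAdmin)   // assumed boolean-ish string
// Triage signals typical of LNK lures: arguments that launch an interpreter or LOLBin,
// encoded / hidden execution, an elevated shortcut, or a drop location in a user-writable area.
| extend LaunchesInterpreter = ShellLinkCommandLine matches regex @"(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|curl\.exe|msiexec)"
| extend EncodedOrHidden = ShellLinkCommandLine matches regex @"(?i)(-enc|-e |-ec |frombase64|-w(indowstyle)?\s*hidden|iex|invoke-expression|downloadstring)"
| extend DroppedInUserArea = FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\", "\\INetCache\\")
| where LaunchesInterpreter or EncodedOrHidden or ShellLinkRunAsAdmin =~ "true"
| project Timestamp, DeviceName, FolderPath, FileName,
          ShellLinkCommandLine, ShellLinkIconPath, ShellLinkRunAsAdmin,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          LaunchesInterpreter, EncodedOrHidden, DroppedInUserArea
| order by Timestamp desc
```

Because the target path is not available in this event, the query keys on the fields the post says are present: ShellLinkCommandLine does most of the work, with ShellLinkRunAsAdmin and the drop location as supporting context, and ShellLinkIconPath is projected so an analyst can spot shortcuts borrowing a benign icon. Expect to tune the regex lists and the 7-day window, and to add exclusions for legitimate software installers that create shortcuts with interpreter targets.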