Name:Windows User Execution Malicious URL Shortcut File id:5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc version:6 date:2025-02-10 author:Teoderick Contreras, Splunk status:production type:TTP Description:The following analytic detects the creation of suspicious URL shortcut link files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem datamodel to identify .url files created outside standard directories, such as Program Files. This activity is significant as it may indicate an attempt to execute malicious code upon system reboot. If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss. Data_source:
-Sysmon EventID 11
search:|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN ("*\\Program Files*")) Filesystem.file_name = *.url by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`
how_to_implement:To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. known_false_positives:Administrators may allow creation of script or exe in this path. References: -https://attack.mitre.org/techniques/T1204/002/ -https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia drilldown_searches: name:'View the detection results for - "$user$" and "$dest$"' search:'%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Chaos Ransomware' - 'NjRAT' - 'Snake Keylogger' asset_type:Endpoint mitre_attack_id: - 'T1204.002' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
