Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0003 ✕ technique: T1204 ✕
Show ATT&CK heatmapOffice process accessed an unusual .LNK file Low
An attacker may embed a .LNK file in an Office document to execute malicious code.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: User Execution (T1204) Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Modify or create a shortcut to gain code or program execution.Investigative actions: Check if the Office document contains a shortcut object. Check the content (strings) of the document object for a .LNK shortcut. Check the content of the shortcut.