New

The executive guide to generative AI

Read more

Downloaded URL Files

edit

Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.

Rule type: eql

Rule indices:

  • logs-endpoint.events.file-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Defend
  • Rule Type: BBR

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
file where host.os.type == "windows" and event.type == "creation" and file.extension == "url"
   and file.Ext.windows.zone_identifier > 1 and not process.name : "explorer.exe"

Framework: MITRE ATT&CKTM

On this page

Was this helpful?
Feedback