Hi, in my opinion the logic of the "Process Creating LNK file in Suspicious Location" scenario has a problem, and because of this problem it causes a huge amount of FPs.
The first problem is the lack of a Filesystem.image field to determine which binary created this LNK file.
After that, for every file handle acquired by a process, an LNK file will be created based on that handle acquisition.
So let's dissect the created file structure based on my opinion.
Imagine we open an Excel file called mahdi.csv. Based on the handle that the excel.exe process acquired on mahdi.csv, this file will be created --> mahdi.csv.lnk
So the first thing we have to do is extract the real extension based on it.
The real extension is csv, so first we have to obtain the real extension with a regex, and after that exclude the expected binary and extension, like
| search NOT image="*\excel.exe" AND extension=".csv"
Without this logic the investigation of this scenario is useless.
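Added example, not from the post above or from the detection content it discusses: a Python sketch of the exclusion logic the post describes (pull the real extension out of "<name>.<ext>.lnk", then drop events whose creating process is the expected handler for that extension), run over constructed sample events. The event field names, the Recent-folder paths and the allowlist of expected (process, extension) pairs are assumptions for illustration and would need tuning per environment.

```python
import re

# Constructed sample events (not real telemetry): the process that wrote the LNK
# and the path of the LNK file. Field names are assumed for illustration.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "file_path": r"C:\Users\mahdi\AppData\Roaming\Microsoft\Office\Recent\mahdi.csv.lnk"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "file_path": r"C:\Users\mahdi\AppData\Roaming\Microsoft\Windows\Recent\mahdi.csv.lnk"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "file_path": r"C:\Users\mahdi\AppData\Roaming\Microsoft\Windows\Recent\notes.txt.lnk"},
    {"image": r"C:\Users\mahdi\AppData\Local\Temp\update.exe",
     "file_path": r"C:\Users\mahdi\AppData\Roaming\Microsoft\Windows\Recent\report.pdf.lnk"},
    {"image": r"C:\Windows\explorer.exe",
     "file_path": r"C:\Users\mahdi\Desktop\shortcut.lnk"},  # no inner extension at all
]

# Hypothetical allowlist of (process name, real extension) pairs that are expected
# to produce "<file>.<ext>.lnk" in the Recent folders. Tune this per environment.
EXPECTED_PAIRS = {
    ("excel.exe", "csv"), ("excel.exe", "xlsx"),
    ("winword.exe", "docx"),
    ("notepad.exe", "txt"),
    ("acrord32.exe", "pdf"),
}

# The real extension is the path component sitting between the last two dots,
# i.e. "csv" in "mahdi.csv.lnk". Anchored at the end so directory names with
# dots (e.g. a user profile "mahdi.smith") are never mistaken for it.
REAL_EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,10})\.lnk$", re.IGNORECASE)


def real_extension(lnk_path):
    """Return the lower-cased real extension, or None for a plain 'name.lnk'."""
    m = REAL_EXT_RE.search(lnk_path)
    return m.group(1).lower() if m else None


def process_name(image):
    """Reduce a full image path to its lower-cased file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event):
    """Flag an LNK creation unless (process, real extension) is an expected pair.

    An LNK with no recoverable inner extension cannot be vouched for by the
    allowlist, so it stays flagged for analyst review rather than being dropped.
    """
    ext = real_extension(event["file_path"])
    if ext is None:
        return True
    return (process_name(event["image"]), ext) not in EXPECTED_PAIRS


def triage(events):
    """Return only the events that survive the expected-pair exclusion."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(f"{process_name(e['image']):<16} ext={real_extension(e['file_path'])!s:<5} {e['file_path']}")
```

On the constructed events the excel.exe/csv and notepad.exe/txt creations are dropped as expected pairs, while the same mahdi.csv.lnk written by powershell.exe, a PDF shortcut written from a Temp-folder binary, and a bare shortcut.lnk with no inner extension remain for review.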