@cR0w I've blocked .lnk on my SEG and web proxy. So far no complaints or tickets 1 year in. Of course they could be loaded other ways. I have a test EDR policy for .lnk creation in /Downloads/. That file type just sucks, but it's not like an .hta I can outright block system-wide.

I'm sure I'm forgetting other places I could limit .lnks. Open to ideas!

@badsamurai @cR0w Windows EDR logs, delete them all, why stop at ~/Downloads

@badsamurai Ok, but joking aside, this gets me thinking about baselines again: for filetypes that are unlikely to be generated by users in weird places, if the org has decent application control & homogeneous clients, regularly generating an allow-list of non-sus folders might actually be feasible (especially if you have something like a super-client with all allowed software installed)?

Doing some quick testing on my personal Windows ... there aren't that many paths:

/Users/<username>/Desktop/
/Users/<username>/Links/
/Users/<username>/OneDrive/
a bunch of /Windows/
one /Program Files (x86)/<application>/ folder

Obviously it will be more & more diverse in an actual org, but it might still be worth checking should one really want to restrict this as much as possible?
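The allow-list idea from the post above, as an added example (not code from any participant in the thread): a small Python checker that takes a list of file paths (in practice fed from EDR file-creation telemetry or a recursive directory listing, which is an assumption here) and flags every .lnk that lives outside a baseline of expected folders. The baseline is modelled on the handful of locations listed above; the `<username>` placeholder matches one profile name so the same baseline covers every user on a homogeneous fleet, matching is case-insensitive as on NTFS, and the application folder name and all sample paths are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed baseline of folders where .lnk files are expected (assumption,
# modelled on the locations in the thread). "ExampleApp" is a placeholder for
# whichever installed application ships its own shortcut folder.
ALLOWED_FOLDERS = [
    r"C:\Users\<username>\Desktop",
    r"C:\Users\<username>\Links",
    r"C:\Users\<username>\OneDrive",
    r"C:\Windows",
    r"C:\Program Files (x86)\ExampleApp",
]

# Constructed sample of observed .lnk creations (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\Word.lnk",
    r"C:\Users\alice\OneDrive\Projects\link.lnk",
    r"c:\users\ALICE\desktop\lower.LNK",
    r"C:\Windows\System32\config\systemprofile\Links\tool.lnk",
    r"C:\Program Files (x86)\ExampleApp\ExampleApp.lnk",
    r"C:\Users\alice\Downloads\invoice.pdf.lnk",
    r"C:\Users\bob\AppData\Local\Temp\report.lnk",
    r"C:\Users\alice\Desktop\notes.txt",
]


def folder_pattern(folder: str) -> re.Pattern:
    """Turn a baseline folder into a case-insensitive prefix regex.

    '<username>' matches exactly one path component (no backslashes), so
    'C:\\Users\\<username>\\Desktop' covers every profile but not, say,
    'C:\\Users\\Desktop'. The trailing '\\\\' requires the file to sit inside
    the folder (or a subfolder), not merely share its prefix.
    """
    parts = folder.split("<username>")
    body = r"[^\\]+".join(re.escape(part) for part in parts)
    return re.compile(r"^" + body + r"\\", re.IGNORECASE)


def is_expected_location(path: str, patterns) -> bool:
    """True when the path lies under any baseline folder."""
    return any(p.match(path) for p in patterns)


def find_unexpected_lnk(paths, allowed_folders=ALLOWED_FOLDERS):
    """Return the .lnk paths that fall outside the baseline, in input order."""
    patterns = [folder_pattern(f) for f in allowed_folders]
    flagged = []
    for raw in paths:
        # Only shortcut files are in scope; compare the extension case-insensitively.
        if PureWindowsPath(raw).suffix.lower() != ".lnk":
            continue
        if not is_expected_location(raw, patterns):
            flagged.append(raw)
    return flagged


if __name__ == "__main__":
    for path in find_unexpected_lnk(SAMPLE_PATHS):
        print("unexpected .lnk location:", path)
```

On the constructed sample this reports the Downloads and Temp shortcuts and nothing else; the lower-case Desktop entry and the OneDrive subfolder are accepted by the baseline. Regenerating `ALLOWED_FOLDERS` from a clean reference client, as the post suggests, is what keeps the list honest as applications are added.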

@nyanbinary Absolutely. Those dirs are also where I target automated hash lookups first since I have a small VT account.