
Summary
This detection rule identifies the creation of symbolic or hard links on endpoint systems, which can indicate malicious activity, particularly activity associated with advanced persistent threats (APTs) such as APT29 and APT43. Threat actors often use symbolic links to obscure the execution of malicious files or to gain persistent access to resources within a system. The rule specifically targets actions common to several attack techniques, including persistence through shortcut modification and privilege escalation. The underlying logic uses Splunk to filter event logs for symbolic-link creation, identified by specific commands such as 'New-Item' or 'mklink'. The rule aims to monitor for potentially malicious behaviors that could indicate a breach or compromise, especially in the context of ongoing threats linked to Russia and Ukraine. It also covers various malware variants known to use these techniques, giving broad coverage of known threat actor tactics.
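The matching logic the summary describes, written out as an added example in Python rather than as the rule's own Splunk search, which this page does not reproduce. It classifies constructed process-creation events by whether the command line creates a symbolic link, hard link or junction through PowerShell's New-Item, the cmd.exe built-in mklink, or the Linux ln utility. The event field names (host, user, process, cmdline) and every sample event are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

Event = Dict[str, str]

# Constructed sample process-creation events (assumed field names; not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws01", "user": "alice", "process": "powershell.exe",
     "cmdline": r'powershell.exe -c "New-Item -ItemType SymbolicLink -Path C:\Users\Public\update.exe -Target C:\Temp\tool.exe"'},
    {"host": "ws01", "user": "alice", "process": "cmd.exe",
     "cmdline": r"cmd.exe /c mklink /H C:\Windows\Tasks\svc.exe C:\Temp\x.exe"},
    {"host": "srv02", "user": "root", "process": "/usr/bin/ln",
     "cmdline": "ln -s /opt/staging/run /etc/cron.hourly/run"},
    # Benign: New-Item creating a directory, not a link.
    {"host": "ws01", "user": "bob", "process": "powershell.exe",
     "cmdline": r'powershell.exe -c "New-Item -ItemType Directory -Path C:\Reports"'},
    # Benign: a file name that merely contains the string "mklink".
    {"host": "ws03", "user": "carol", "process": "cmd.exe",
     "cmdline": r"cmd.exe /c type C:\Users\carol\mklink_notes.txt"},
]

# PowerShell New-Item with a link ItemType. Parameter order is free in PowerShell,
# so -ItemType may appear anywhere after the cmdlet name.
PS_NEW_ITEM_LINK = re.compile(
    r"New-Item\b.*?-ItemType\s+(SymbolicLink|HardLink|Junction)\b", re.IGNORECASE)

# cmd.exe built-in mklink; the optional switch selects the link type.
# The lookbehind and \b keep "C:\mklink_notes.txt" from matching.
CMD_MKLINK = re.compile(r"(?<![\w.])mklink\b(?:\s+/([DHJ]))?", re.IGNORECASE)

MKLINK_TYPES = {None: "symbolic", "D": "symbolic", "H": "hard", "J": "junction"}
PS_TYPES = {"symboliclink": "symbolic", "hardlink": "hard", "junction": "junction"}


def _basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: Event) -> Optional[Dict[str, str]]:
    """Return the tool and link type if the event creates a link, else None."""
    proc = _basename(event.get("process", ""))
    cmd = event.get("cmdline", "")

    if proc in ("powershell.exe", "pwsh.exe"):
        m = PS_NEW_ITEM_LINK.search(cmd)
        if m:
            return {"tool": "New-Item", "link_type": PS_TYPES[m.group(1).lower()]}
        return None

    # mklink is a cmd.exe built-in, so it only ever shows up in a cmd.exe command line.
    if proc == "cmd.exe":
        m = CMD_MKLINK.search(cmd)
        if m:
            switch = m.group(1).upper() if m.group(1) else None
            return {"tool": "mklink", "link_type": MKLINK_TYPES[switch]}
        return None

    # ln creates a hard link unless -s/--symbolic (possibly bundled, e.g. -sf) is given.
    if proc == "ln":
        flags = [t for t in cmd.split()[1:] if t.startswith("-")]
        symbolic = "--symbolic" in flags or any(
            "s" in f[1:] for f in flags if not f.startswith("--"))
        return {"tool": "ln", "link_type": "symbolic" if symbolic else "hard"}

    return None


def detect_link_creation(events: List[Event]) -> List[Dict[str, str]]:
    """Run the rule over a batch of events and return one hit per link creation."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result:
            hits.append({"host": ev["host"], "user": ev["user"],
                         "cmdline": ev["cmdline"], **result})
    return hits


if __name__ == "__main__":
    for hit in detect_link_creation(SAMPLE_EVENTS):
        print(f'{hit["host"]} {hit["user"]} {hit["tool"]} {hit["link_type"]}: {hit["cmdline"]}')
```

Two choices matter for precision: mklink is checked only when the process is cmd.exe, because it is a shell built-in rather than a binary, and the New-Item pattern requires a link ItemType so that ordinary directory or file creation does not fire. The ln branch goes beyond the two Windows commands the summary names, covering the Linux data source the rule lists.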
Categories
- Endpoint
- Windows
- Linux
Data Sources
- Process
- File
- User Account
ATT&CK Techniques
- T1546.008
- T1547.009
- T1204.002
Created: 2024-02-09