APT Stealth Falcon CVE 2025 33053 Detection
Query
// APT Stealth Falcon - CVE-2025-33053 Detection
// https://research.checkpoint.com/2025/stealth-falcon-zero-day/
let QueryPeriod = 1h;
let DevicewithDotURL =
DeviceFileEvents
| where Timestamp > ago(QueryPeriod)
| where ActionType == "FileCreated"
| where tolower(FileName) endswith ".url"
| distinct DeviceName;
DeviceProcessEvents
| where Timestamp > ago(QueryPeriod)
| where InitiatingProcessFileName =~ "iediagcmd.exe" and FileName =~ "route.exe"
| where FolderPath startswith "\\"
| where DeviceName has_any(DevicewithDotURL)Explanation
This KQL (Kusto Query Language) query is designed to detect a specific threat activity related to the APT (Advanced Persistent Threat) group known as Stealth Falcon, exploiting a hypothetical vulnerability identified as CVE-2025-33053. Here's a simplified breakdown of what the query does:
-
Define the Query Period: The query looks at data from the past hour (
1h). -
Identify Devices with Specific File Events:
- It searches for file events where a file with a
.urlextension was created. - It filters these events to only include those that occurred within the last hour.
- It collects a list of distinct device names where these
.urlfiles were created.
- It searches for file events where a file with a
-
Detect Suspicious Process Activity:
- It looks for process events within the last hour.
- It specifically searches for instances where the process
iediagcmd.exeinitiated the execution ofroute.exe. - It further filters these events to include only those where the folder path starts with a backslash (
\\), indicating a network path. - Finally, it checks if these events occurred on any of the devices identified in the first step (those with
.urlfile creation).
In summary, this query is designed to detect suspicious activity that could indicate exploitation of a vulnerability by checking for specific file creation and process execution patterns on devices.
Details

Steven Lim
Released: June 11, 2025
Tables
DeviceFileEventsDeviceProcessEvents
Keywords
DeviceFileEventsProcessTimestampActionTypeNameInitiatingFolderPath
Operators
let|where>ago==tolowerendswithdistinct=~startswithhas_any