Query Details

APT Stealth Falcon CVE 2025 33053 Detection

Query

// APT Stealth Falcon - CVE-2025-33053 Detection
// https://research.checkpoint.com/2025/stealth-falcon-zero-day/

let QueryPeriod = 1h;
// Step 1: hosts on which an Internet Shortcut (.url) file was written inside the window
let DevicewithDotURL =
DeviceFileEvents
| where Timestamp > ago(QueryPeriod)
| where ActionType == "FileCreated"
| where tolower(FileName) endswith ".url"
| distinct DeviceName;
// Step 2: iediagcmd.exe spawning route.exe from a UNC (e.g. WebDAV) path on one of those hosts
DeviceProcessEvents
| where Timestamp > ago(QueryPeriod)
| where InitiatingProcessFileName =~ "iediagcmd.exe" and FileName =~ "route.exe"
| where FolderPath startswith "\\"   // "\\" is an escaped single backslash: matches \\server\share, not C:\...
| where DeviceName has_any(DevicewithDotURL)

Explanation

This KQL (Kusto Query Language) query for Microsoft Defender Advanced Hunting is designed to detect activity associated with the APT (Advanced Persistent Threat) group known as Stealth Falcon exploiting CVE-2025-33053, a WebDAV remote code execution vulnerability abused through Internet Shortcut (.url) files, as described in the Check Point research linked in the query header. The chain the query encodes is: a .url file whose working directory points at an attacker-controlled WebDAV share is delivered to the victim, and the legitimate Internet Explorer diagnostics tool iediagcmd.exe, which launches route.exe without a full path, ends up executing the attacker's copy of route.exe from that share instead of the one in System32. Here's a breakdown of what the query does:

  1. Define the Query Period: The query looks at data from the past hour (1h).

  2. Identify Devices with Specific File Events:

    • It takes DeviceFileEvents from the last hour where ActionType is FileCreated.
    • It keeps only files whose name ends in .url (tolower makes the extension check case-insensitive, so .URL also matches).
    • It collects the distinct device names on which such .url files were created.
  3. Detect Suspicious Process Activity:

    • It looks at DeviceProcessEvents within the same hour.
    • It specifically searches for instances where iediagcmd.exe is the initiating (parent) process and route.exe is the launched process; the =~ operator makes both name comparisons case-insensitive.
    • It further filters to events where FolderPath starts with a backslash, i.e. a UNC path such as \\server\share (or a WebDAV path) rather than a local drive letter. route.exe legitimately lives in C:\Windows\System32, so a copy launched from a network path is the sign that the hijack succeeded.
    • Finally, it keeps only events on devices identified in the first step (those with .url file creation). has_any performs term matching; DeviceName in (DevicewithDotURL) gives the stricter exact-match form if that is preferred.

In summary, this query is designed to detect suspicious activity that could indicate exploitation of a vulnerability by checking for specific file creation and process execution patterns on devices.
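To make the correlation concrete, the following Python re-implements the two stages of the query over a handful of constructed DeviceFileEvents and DeviceProcessEvents rows. This is an added illustration, not code from the original page or from Check Point; the device names, timestamps and the WebDAV path are invented (203.0.113.5 is a documentation address), and the field names follow the Defender schema used in the KQL above.

```python
"""
Plain-Python model of the Advanced Hunting query above (added example, not the
page's own code). Each function mirrors one stage of the KQL so the filters can
be traced over constructed sample rows.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic; the KQL uses ago(QueryPeriod).
NOW = datetime(2025, 6, 11, 12, 0, tzinfo=timezone.utc)
QUERY_PERIOD = timedelta(hours=1)

# Constructed sample telemetry (not real events).
DEVICE_FILE_EVENTS = [
    {"Timestamp": NOW - timedelta(minutes=20), "ActionType": "FileCreated",
     "FileName": "Invoice.URL", "DeviceName": "ws-finance-01"},       # in window, .URL (upper case)
    {"Timestamp": NOW - timedelta(minutes=5), "ActionType": "FileCreated",
     "FileName": "report.pdf", "DeviceName": "ws-hr-02"},             # not a .url file
    {"Timestamp": NOW - timedelta(hours=3), "ActionType": "FileCreated",
     "FileName": "old.url", "DeviceName": "ws-legacy-09"},            # .url, but outside the window
]
DEVICE_PROCESS_EVENTS = [
    # iediagcmd.exe launching route.exe from a WebDAV UNC path on a host that saw a .url drop
    {"Timestamp": NOW - timedelta(minutes=19), "DeviceName": "ws-finance-01",
     "InitiatingProcessFileName": "IEDiagCmd.exe", "FileName": "route.exe",
     "FolderPath": r"\\203.0.113.5@80\DavWWWRoot\route.exe"},
    # same parent/child pair, but route.exe from System32: a benign diagnostic run
    {"Timestamp": NOW - timedelta(minutes=10), "DeviceName": "ws-finance-01",
     "InitiatingProcessFileName": "iediagcmd.exe", "FileName": "route.exe",
     "FolderPath": r"C:\Windows\System32\route.exe"},
    # UNC-launched route.exe, but no .url creation on this host inside the window
    {"Timestamp": NOW - timedelta(minutes=2), "DeviceName": "ws-legacy-09",
     "InitiatingProcessFileName": "iediagcmd.exe", "FileName": "route.exe",
     "FolderPath": r"\\203.0.113.5@80\DavWWWRoot\route.exe"},
]


def devices_with_dot_url(file_events, now=NOW, period=QUERY_PERIOD):
    """Stage 1: let DevicewithDotURL = DeviceFileEvents | where ... | distinct DeviceName."""
    return {
        e["DeviceName"] for e in file_events
        if e["Timestamp"] > now - period                 # Timestamp > ago(QueryPeriod)
        and e["ActionType"] == "FileCreated"
        and e["FileName"].lower().endswith(".url")       # tolower(FileName) endswith ".url"
    }


def suspicious_route_launches(process_events, url_devices, now=NOW, period=QUERY_PERIOD):
    """Stage 2: DeviceProcessEvents | where ... | where DeviceName has_any(DevicewithDotURL)."""
    return [
        e for e in process_events
        if e["Timestamp"] > now - period
        and e["InitiatingProcessFileName"].lower() == "iediagcmd.exe"   # =~ is case-insensitive
        and e["FileName"].lower() == "route.exe"
        and e["FolderPath"].startswith("\\")       # KQL "\\" is one escaped backslash: UNC, not C:\
        and e["DeviceName"] in url_devices         # exact-match form of has_any over a device list
    ]


def run_detection(file_events=DEVICE_FILE_EVENTS, process_events=DEVICE_PROCESS_EVENTS):
    """Run both stages; returns the process events the KQL would surface."""
    return suspicious_route_launches(process_events, devices_with_dot_url(file_events))


if __name__ == "__main__":
    for hit in run_detection():
        print(f"{hit['Timestamp']:%H:%M} {hit['DeviceName']} "
              f"{hit['InitiatingProcessFileName']} -> {hit['FolderPath']}")
```

Only the first process row survives: the System32 launch is dropped by the path check, and the launch on ws-legacy-09 is dropped because that host's .url creation falls outside the one-hour window. That last case is worth noting when tuning: a .url delivered well before the victim opens it will not be correlated unless QueryPeriod is widened or the two stages are given separate windows.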

Details


Steven Lim

Released: June 11, 2025

Tables

DeviceFileEvents, DeviceProcessEvents

Keywords

DeviceFileEvents, DeviceProcessEvents, Timestamp, ActionType, FileName, DeviceName, InitiatingProcessFileName, FolderPath

Operators

let, |, where, >, ago, ==, tolower, endswith, distinct, =~, startswith, has_any
