Query Details
// TA4557 drops More_Eggs
// https://www.proofpoint.com/au/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email
let MonitoredCommands = dynamic(["ie4uinit", "ie4uinit.exe"]);
DeviceEvents
| where Timestamp > ago(1hr)
| where ActionType == "ShellLinkCreateFileEvent"
| where tostring(AdditionalFields) contains "ShellLink"
| where tostring(parse_json(AdditionalFields)["ShellLinkShowCommand"]) != "SW_SHOWNORMAL"
| extend ShellLinkCommandLine = tostring(parse_json(AdditionalFields)["ShellLinkCommandLine"])
| extend ShellLinkIconPath = tostring(parse_json(AdditionalFields)["ShellLinkIconPath"])
| where ShellLinkCommandLine != ""
| where ShellLinkCommandLine has_any (MonitoredCommands)
This KQL (Kusto Query Language) query is designed to monitor and detect specific suspicious activities related to the creation of shell link files (shortcuts) on devices. Here's a simplified breakdown of what the query does:
Define Monitored Commands: It starts by defining a list of commands (ie4uinit and ie4uinit.exe) that are of interest and need to be monitored.
Filter Device Events: The query looks at device events that have occurred in the last hour.
Identify Shell Link Creation: It specifically filters for events where a shell link (shortcut) file is created (ActionType == "ShellLinkCreateFileEvent").
Check Additional Fields: It checks that AdditionalFields contains the term "ShellLink" and that the shortcut's show command is not 'SW_SHOWNORMAL' (the normal window state); a shortcut set to open minimized or hidden is how a lure runs its command without the user seeing a window.
Extract Command Line and Icon Path: It extracts the command line and icon path associated with the shell link from the AdditionalFields.
Filter Non-Empty Command Lines: It ensures that the command line extracted is not empty.
Match Monitored Commands: Finally, it checks if the command line contains any of the monitored commands (ie4uinit or ie4uinit.exe).
In summary, this query detects newly created shortcut files whose window state is not normal and whose command line invokes one of the monitored binaries, a pattern consistent with the known threat actor TA4557 dropping the "More_Eggs" malware.
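To show the filter logic on its own, outside Microsoft Defender, here is the same detection re-implemented in Python over constructed DeviceEvents rows. This is an added example, not part of the original page; the sample events and the `_has_any` approximation of KQL's has_any are my own.

```python
import json
import re

# Commands the page's KQL query watches for (MonitoredCommands).
MONITORED_COMMANDS = ("ie4uinit", "ie4uinit.exe")

# Constructed sample DeviceEvents rows with only the columns the query uses.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "ShellLinkCreateFileEvent",
     "AdditionalFields": json.dumps({
         "ShellLinkShowCommand": "SW_SHOWMINNOACTIVE",   # not a normal window
         "ShellLinkCommandLine": "ie4uinit.exe -basesettings",
         "ShellLinkIconPath": "C:\\Users\\Public\\resume.ico"})},
    {"DeviceName": "ws02", "ActionType": "ShellLinkCreateFileEvent",
     "AdditionalFields": json.dumps({
         "ShellLinkShowCommand": "SW_SHOWNORMAL",        # normal window: excluded
         "ShellLinkCommandLine": "ie4uinit.exe -basesettings",
         "ShellLinkIconPath": ""})},
    {"DeviceName": "ws03", "ActionType": "ShellLinkCreateFileEvent",
     "AdditionalFields": json.dumps({
         "ShellLinkShowCommand": "SW_SHOWMINNOACTIVE",
         "ShellLinkCommandLine": "notepad.exe readme.txt",  # not monitored
         "ShellLinkIconPath": ""})},
    {"DeviceName": "ws04", "ActionType": "FileCreated",     # wrong ActionType
     "AdditionalFields": json.dumps({"FileSize": 1024})},
]

def _has_any(text, terms):
    """Approximate KQL has_any: case-insensitive match on whole terms
    (a term may contain '.', so boundaries are checked on word characters)."""
    return any(re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", text, re.I)
               for t in terms)

def is_suspicious_shell_link(event):
    """Mirror the query's where clauses for a single DeviceEvents row."""
    if event.get("ActionType") != "ShellLinkCreateFileEvent":
        return False
    raw = event.get("AdditionalFields", "")
    if "ShellLink" not in raw:       # tostring(AdditionalFields) contains "ShellLink"
        return False
    fields = json.loads(raw)         # parse_json(AdditionalFields)
    if fields.get("ShellLinkShowCommand") == "SW_SHOWNORMAL":
        return False
    cmdline = str(fields.get("ShellLinkCommandLine", ""))
    return bool(cmdline) and _has_any(cmdline, MONITORED_COMMANDS)

def detect(events):
    """Return the projected fields (device, command line, icon path) per hit."""
    hits = []
    for ev in events:
        if is_suspicious_shell_link(ev):
            f = json.loads(ev["AdditionalFields"])
            hits.append({"DeviceName": ev["DeviceName"],
                         "ShellLinkCommandLine": f["ShellLinkCommandLine"],
                         "ShellLinkIconPath": f["ShellLinkIconPath"]})
    return hits
```

Only ws01 survives all four filters; ie4uinit.exe is a signed Windows binary, so a hit is a triage lead and the icon path plus the location of the created .lnk help separate a lure from routine activity.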

Steven Lim
Released: June 16, 2025