Query Details

ZDI-CAN-25373 Windows Shortcut Exploit Abuse Detection

Query

// https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
// Newly created Shell Link (.lnk) files whose window mode is not SW_SHOWNORMAL
// and whose command line invokes cmd or powershell.
let MonitoredCommands = dynamic(["cmd","powershell"]);
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "ShellLinkCreateFileEvent"
| where tostring(AdditionalFields) contains "ShellLink"
| extend Fields = parse_json(AdditionalFields)   // parse once, reuse below
| where Fields.ShellLinkShowCommand != "SW_SHOWNORMAL"
| extend ShellLinkCommandLine = tostring(Fields.ShellLinkCommandLine)
| extend ShellLinkIconPath = tostring(Fields.ShellLinkIconPath)
| where isnotempty(ShellLinkCommandLine)
| where ShellLinkCommandLine has_any (MonitoredCommands)

Explanation

This query is designed to detect potentially suspicious activity related to the creation of Windows shortcut files (also known as Shell Links) within the last hour. Here's a breakdown of what it does:

  1. Monitored Commands: It defines a list of commands to monitor, specifically "cmd" and "powershell", which are common command-line interfaces in Windows.

  2. Data Source: It examines the DeviceEvents table, which holds the miscellaneous device event types (including Shell Link creation events) recorded by the endpoint sensor.

  3. Time Filter: It filters the events to only include those that have occurred within the last hour (Timestamp > ago(1h)).

  4. Event Type: It looks for events where a Shell Link (shortcut) file was created (ActionType == "ShellLinkCreateFileEvent").

  5. Additional Fields: It checks that the AdditionalFields contain information about a Shell Link and that the ShellLinkShowCommand is not set to 'SW_SHOWNORMAL', which is the normal display mode for shortcuts.

  6. Extract Information: It extracts the command line and icon path associated with the Shell Link from the AdditionalFields.

  7. Command Line Check: It ensures that the ShellLinkCommandLine is not empty and contains at least one of the monitored commands ("cmd" or "powershell").

In summary, this query is looking for shortcut files created in the last hour that execute command-line operations using "cmd" or "powershell", which might indicate a potential security threat or exploitation attempt.
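As an added example (not part of the original query page), the same two conditions applied to a .lnk file on disk in Python: ShowCommand is read from the ShellLinkHeader and the StringData fields are walked as laid out in MS-SHLLINK, then the query's logic (window mode other than SW_SHOWNORMAL plus a monitored command in the command line) is evaluated locally. The sample bytes, the build_sample helper and the function names are constructed for this demo and are assumptions, not part of the query or of Defender.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWNORMAL = 1                           # the only ShowCommand the query treats as benign
MONITORED_COMMANDS = ("cmd", "powershell")  # same list as the KQL query
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

def parse_lnk(data: bytes) -> dict:
    """Read ShowCommand and the StringData fields of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:                  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in STRING_FIELDS:         # each: CountCharacters, then the chars
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return info

def is_suspicious(info: dict) -> bool:
    """Query logic: window mode is not SW_SHOWNORMAL and a monitored command appears."""
    args = info.get("arguments", "")
    cmdline = (info.get("relative_path", "") + " " + args).lower()
    return (info["show_command"] != SW_SHOWNORMAL and args != ""
            and any(cmd in cmdline for cmd in MONITORED_COMMANDS))  # substring, not has_any

def build_sample(show_command: int, rel_path: str, args: str) -> bytes:
    """Construct a minimal .lnk (header + RELATIVE_PATH + ARGUMENTS) for testing."""
    flags = HAS_REL_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0,
                         show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
    return header + body

# Constructed sample: minimised window (SW_SHOWMINNOACTIVE = 7) launching cmd.exe
SAMPLE = build_sample(7, r"..\Windows\System32\cmd.exe", "/c echo demo")
```

parse_lnk(SAMPLE) returns the show command and string fields; is_suspicious(parse_lnk(SAMPLE)) is True for the sample, and False once the window mode is SW_SHOWNORMAL or the command line names no monitored command.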

Details

Steven Lim

Released: March 20, 2025

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

let, dynamic, |, where, >, ago, ==, tostring, contains, parse_json, !=, extend, has_any