TA4557 Drops More Eggs
Query
// TA4557 drops More_Eggs
// https://www.proofpoint.com/au/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email
let MonitoredCommands = dynamic(["ie4uinit","ie4uinit.exe"]);
DeviceEvents
| where Timestamp > ago(1hr)
| where ActionType == "ShellLinkCreateFileEvent"
| where tostring(AdditionalFields) contains "ShellLink"
| where parse_json(AdditionalFields)["ShellLinkShowCommand"] != 'SW_SHOWNORMAL'
| extend ShellLinkCommandLine = parse_json(AdditionalFields)["ShellLinkCommandLine"]
| extend ShellLinkIconPath = parse_json(AdditionalFields)["ShellLinkIconPath"]
| where ShellLinkCommandLine != ""
| where ShellLinkCommandLine has_any (MonitoredCommands)Explanation
This KQL (Kusto Query Language) query is designed to monitor and detect specific suspicious activities related to the creation of shell link files (shortcuts) on devices. Here's a simplified breakdown of what the query does:
-
Define Monitored Commands: It starts by defining a list of commands (
ie4uinitandie4uinit.exe) that are of interest and need to be monitored. -
Filter Device Events: The query looks at device events that have occurred in the last hour.
-
Identify Shell Link Creation: It specifically filters for events where a shell link (shortcut) file is created (
ActionType == "ShellLinkCreateFileEvent"). -
Check Additional Fields: It checks the
AdditionalFieldsto ensure it contains the term "ShellLink" and that the shell link's show command is not set to 'SW_SHOWNORMAL', which is the normal display mode. -
Extract Command Line and Icon Path: It extracts the command line and icon path associated with the shell link from the
AdditionalFields. -
Filter Non-Empty Command Lines: It ensures that the command line extracted is not empty.
-
Match Monitored Commands: Finally, it checks if the command line contains any of the monitored commands (
ie4uinitorie4uinit.exe).
In summary, this query is used to detect potentially malicious shortcut files that execute specific commands, which could indicate suspicious activity or a security threat, such as the activity of a known threat actor (TA4557) dropping malware like "More_Eggs".
Details

Steven Lim
Released: June 16, 2025
Tables
Keywords
Operators