Language: SPL. License: Apache-2.0. Source: splunk/security_content.
Windows DNS Query Request To TinyUrl
The following analytic detects a process running from a potentially suspicious location making DNS queries to a known URL shortening service, specifically tinyurl.com. URL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, and command-and-control (C2) endpoints. While tinyurl.com is a legitimate service, its use in enterprise environments, particularly by non-browser processes or scripts, should be treated as suspicious, especially when correlated with subsequent outbound connections, file downloads, the process's file path, or credential prompts. Analysts should investigate the source process, its execution context, and the destination domain to determine intent and risk.
Rule source: detections/endpoint/windows_dns_query_request_to_tinyurl.yml
`sysmon`
EventCode=22
QueryName = "tinyurl.com"
Image IN (
"*\\AppData\\*",
"*\\Perflogs\\*",
"*\\ProgramData\\*",
"*\\Temp\\*",
"*\\Users\\Public\\*",
"*\\Windows\\Tasks\\*"
)
| stats count min(_time) as firstTime max(_time) as lastTime
by answer answer_count dvc process_exec process_guid process_name query query_count
reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_dns_query_request_to_tinyurl_filter`
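The same filter-and-aggregate logic as the SPL above, rewritten in Python over a few constructed Sysmon Event ID 22 records, as an added example that is not code from splunk/security_content. It assumes events are already parsed into dictionaries with `_time`, `EventCode`, `Image` and `QueryName` keys; the wildcard Image patterns and the exact, case-insensitive `QueryName` match mirror the rule.

```python
from fnmatch import fnmatchcase

# Wildcard Image patterns from the SPL rule; Splunk matches them case-insensitively.
SUSPICIOUS_IMAGE_PATTERNS = (
    r"*\AppData\*", r"*\Perflogs\*", r"*\ProgramData\*",
    r"*\Temp\*", r"*\Users\Public\*", r"*\Windows\Tasks\*",
)
WATCHED_QUERY_NAME = "tinyurl.com"  # the rule matches this exact QueryName only


def image_is_suspicious(image):
    """True when the process path falls under one of the rule's user-writable folders."""
    lowered = image.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in SUSPICIOUS_IMAGE_PATTERNS)


def matches_rule(event):
    """Per-event filter: Sysmon EventCode 22, QueryName tinyurl.com, suspicious Image path."""
    return (event.get("EventCode") == 22
            and event.get("QueryName", "").lower() == WATCHED_QUERY_NAME
            and image_is_suspicious(event.get("Image", "")))


def summarise(events):
    """Mimic `stats count min(_time) max(_time) by Image QueryName` over the filtered events."""
    groups = {}
    for ev in filter(matches_rule, events):
        key = (ev["Image"], ev["QueryName"].lower())
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups


# Constructed sample events shaped like Sysmon DNS query records (not real telemetry).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 22, "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "QueryName": "tinyurl.com"},
    {"_time": 1700000060, "EventCode": 22, "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "QueryName": "TinyURL.com"},
    # Browser in a trusted install path queries tinyurl.com: not flagged by this rule.
    {"_time": 1700000120, "EventCode": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "tinyurl.com"},
    # Suspicious path but a different domain: not flagged.
    {"_time": 1700000180, "EventCode": 22, "Image": r"C:\ProgramData\svc.exe", "QueryName": "example.com"},
    # Process-creation event (EventCode 1), not a DNS query: not flagged.
    {"_time": 1700000240, "EventCode": 1, "Image": r"C:\ProgramData\svc.exe", "QueryName": "tinyurl.com"},
]

if __name__ == "__main__":
    for (image, qname), g in summarise(SAMPLE_EVENTS).items():
        print(f"count={g['count']} image={image} query={qname} first={g['firstTime']} last={g['lastTime']}")
```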