|
| 1 | +name: Windows Process with TinyUrl DNS Query |
| 2 | +id: b1ea79da-719c-437c-acaf-5c93f838f425 |
| 3 | +version: 1 |
| 4 | +date: '2025-06-02' |
| 5 | +author: Teoderick Contreras, Splunk |
| 6 | +status: production |
| 7 | +type: Anomaly |
| 8 | +description: The following analytic detects a suspicious process making DNS queries to known URL shortening services, specifically tinyurl.com. URL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints. While tinyurl.com is a legitimate service, its use in enterprise environments—particularly by non-browser processes or scripts—should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. Analysts should investigate the source process, execution context, and destination domain to determine intent and risk. |
| 9 | +data_source: |
| 10 | +- Sysmon EventID 22 |
| 11 | +search: '`sysmon` EventCode=22 QueryName = "tinyurl.com" |
| 12 | + Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") |
| 13 | + | stats count min(_time) as firstTime max(_time) as lastTime |
| 14 | + by answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName |
| 15 | + QueryResults QueryStatus |
| 16 | + | `security_content_ctime(firstTime)` |
| 17 | + | `security_content_ctime(lastTime)` |
| 18 | + | `windows_process_with_tinyurl_dns_query_filter`' |
| 19 | +how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. |
| 20 | + We suggest you run this detection at least once a day over the last 14 days. |
| 21 | +known_false_positives: Noise and false positive can be seen if the following instant |
| 22 | + messaging is allowed to use within corporate network. In this case, a filter is |
| 23 | + needed. |
| 24 | +references: |
| 25 | +- https://x.com/Unit42_Intel/status/1919418143476199869 |
| 26 | +drilldown_searches: |
| 27 | +- name: View the detection results for - "$dest$" |
| 28 | + search: '%original_detection_search% | search dest = "$dest$"' |
| 29 | + earliest_offset: $info_min_time$ |
| 30 | + latest_offset: $info_max_time$ |
| 31 | +- name: View risk events for the last 7 days for - "$dest$" |
| 32 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") |
| 33 | + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime |
| 34 | + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) |
| 35 | + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) |
| 36 | + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` |
| 37 | + | `security_content_ctime(lastTime)`' |
| 38 | + earliest_offset: $info_min_time$ |
| 39 | + latest_offset: $info_max_time$ |
| 40 | +rba: |
| 41 | + message: Suspicious process $process_name$ made a DNS query for $QueryName$ on $dvc$ |
| 42 | + risk_objects: |
| 43 | + - field: dvc |
| 44 | + type: system |
| 45 | + score: 40 |
| 46 | + threat_objects: |
| 47 | + - field: process_name |
| 48 | + type: process_name |
| 49 | + |
| 50 | +tags: |
| 51 | + analytic_story: |
| 52 | + - Malicious Inno Setup Loader |
| 53 | + asset_type: Endpoint |
| 54 | + mitre_attack_id: |
| 55 | + - T1105 |
| 56 | + product: |
| 57 | + - Splunk Enterprise |
| 58 | + - Splunk Enterprise Security |
| 59 | + - Splunk Cloud |
| 60 | + security_domain: endpoint |
| 61 | +tests: |
| 62 | +- name: True Positive Test |
| 63 | + attack_data: |
| 64 | + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/tinyurl_dns_query/tinyurl.log |
| 65 | + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| 66 | + sourcetype: XmlWinEventLog |
0 commit comments