Detection rules › Splunk
Windows DNS Query Request To TinyUrl
The following analytic detects a process located in a potentially suspicious location making DNS queries to known URL shortening services, specifically tinyurl. URL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints. While tinyurl.com is a legitimate service, its use in enterprise environments—particularly by non-browser processes or scripts—should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. Analysts should investigate the source process, execution context, and destination domain to determine intent and risk.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1105 Ingress Tool Transfer |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: search
search EventCode=22 Image IN ("*\\AppData\\*", "*\\Perflogs\\*", "*\\ProgramData\\*", "*\\Temp\\*", "*\\Users\\Public\\*", "*\\Windows\\Tasks\\*") QueryName="tinyurl.com"
Stage 2: stats
stats BY answer, answer_count, dvc, process_exec, process_guid, process_name, query, query_count, reply_code_id, signature, signature_id, src, user_id, vendor_product, QueryName, QueryResults, QueryStatus
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Image | in |
|
QueryName | eq |
|