Detection: Windows DNS Query Request To TinyUrl

Updated Date: 2025-06-02 ID: b1ea79da-719c-437c-acaf-5c93f838f425 Author: Teoderick Contreras, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects a process located in a potentially suspicious location making DNS queries to known URL shortening services, specifically tinyurl. URL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints. While tinyurl.com is a legitimate service, its use in enterprise environments—particularly by non-browser processes or scripts—should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. Analysts should investigate the source process, execution context, and destination domain to determine intent and risk.

 1`sysmon` 
 2EventCode=22 
 3QueryName = "tinyurl.com"
 4Image IN (
 5  "*\\AppData\\*",
 6  "*\\Perflogs\\*",
 7  "*\\ProgramData\\*",
 8  "*\\Temp\\*",
 9  "*\\Users\\Public\\*",
10  "*\\Windows\\Tasks\\*"
11  ) 
12
13| stats count min(_time) as firstTime max(_time) as lastTime 
14  by answer answer_count dvc process_exec process_guid process_name query query_count 
15     reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus 
16
17| `security_content_ctime(firstTime)` 
18
19| `security_content_ctime(lastTime)` 
20
21| `windows_dns_query_request_to_tinyurl_filter`

Data Source

Name Platform Sourcetype Source
Sysmon EventID 22 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_dns_query_request_to_tinyurl_filter search *
windows_dns_query_request_to_tinyurl_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1105 Ingress Tool Transfer Command And Control
Command and Control
DE.AE
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.

Known False Positives

Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

Suspicious process $process_name$ made a DNS query for $QueryName$ on $dvc$

Risk Object Risk Object Type Risk Score Threat Objects
dvc system 40 process_name

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1