← Back to Explore
splunk_escuAnomaly
Windows Abused Web Services
The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, focusing on specific query names. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.
MITRE ATT&CK
Detection Query
`sysmon`
EventCode=22
QueryName IN (
"*//objects.githubusercontent.com*",
"*anonfiles.com*",
"*cdn.discordapp.com*",
"*ddns.net*",
"*dl.dropboxusercontent.com*",
"*duckdns.org*",
"*ghostbin.co*",
"*glitch.me*",
"*gofile.io*",
"*hastebin.com*",
"*mediafire.com*",
"*mega.nz*",
"*ngrok.io*",
"*onrender.com*",
"*pages.dev*",
"*paste.ee*",
"*pastebin.com*",
"*pastebin.pl*",
"*pasteio.com*",
"*pastetext.net*",
"*privatlab.com*",
"*privatlab.net*",
"*send.exploit.in*",
"*sendspace.com*",
"*storage.googleapis.com*",
"*storjshare.io*",
"*supabase.co*",
"*temp.sh*",
"*textbin*",
"*transfer.sh*",
"*trycloudflare.com*",
"*ufile.io*",
"*w3spaces.com*",
"*workers.dev*"
)
| eval answer=coalesce(answer,"none")
| eval answer_count=coalesce(answer_count,0)
| rename dvc as dest
| stats min(_time) as firstTime max(_time) as lastTime count
BY answer answer_count dest process_exec process_guid
process_name query query_count reply_code_id signature
signature_id src user_id vendor_product
QueryName QueryResults QueryStatus
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_abused_web_services_filter`Author
Teoderick Contreras, Splunk
Created
2026-03-16
Data Sources
Sysmon EventID 22
Tags
NjRATCISA AA24-241AMalicious Inno Setup LoaderBlankGrabber Stealer
Raw Content
name: Windows Abused Web Services
id: 01f0aef4-8591-4daa-a53d-0ed49823b681
version: 10
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
- Sysmon EventID 22
description: The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, focusing on specific query names. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.
search: |-
`sysmon`
EventCode=22
QueryName IN (
"*//objects.githubusercontent.com*",
"*anonfiles.com*",
"*cdn.discordapp.com*",
"*ddns.net*",
"*dl.dropboxusercontent.com*",
"*duckdns.org*",
"*ghostbin.co*",
"*glitch.me*",
"*gofile.io*",
"*hastebin.com*",
"*mediafire.com*",
"*mega.nz*",
"*ngrok.io*",
"*onrender.com*",
"*pages.dev*",
"*paste.ee*",
"*pastebin.com*",
"*pastebin.pl*",
"*pasteio.com*",
"*pastetext.net*",
"*privatlab.com*",
"*privatlab.net*",
"*send.exploit.in*",
"*sendspace.com*",
"*storage.googleapis.com*",
"*storjshare.io*",
"*supabase.co*",
"*temp.sh*",
"*textbin*",
"*transfer.sh*",
"*trycloudflare.com*",
"*ufile.io*",
"*w3spaces.com*",
"*workers.dev*"
)
| eval answer=coalesce(answer,"none")
| eval answer_count=coalesce(answer_count,0)
| rename dvc as dest
| stats min(_time) as firstTime max(_time) as lastTime count
BY answer answer_count dest process_exec process_guid
process_name query query_count reply_code_id signature
signature_id src user_id vendor_product
QueryName QueryResults QueryStatus
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_abused_web_services_filter`
how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.
known_false_positives: Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.
references:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: A network connection on known abused web services [$QueryName$] from [$dest$]
risk_objects:
- field: dest
type: system
score: 20
threat_objects:
- field: process_name
type: process_name
tags:
analytic_story:
- NjRAT
- CISA AA24-241A
- Malicious Inno Setup Loader
- BlankGrabber Stealer
asset_type: Endpoint
mitre_attack_id:
- T1102
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1102/njrat_ngrok_connection/ngrok.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/upload_files_dns/upload_files.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog