T1608.005 Link Target Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let UrlShortenerDomains = dynamic([
    "bit.ly", "tinyurl.com", "ow.ly", "is.gd", "buff.ly", "adf.ly",
    "cutt.ly", "rb.gy", "shorturl.at", "t.ly", "tiny.cc", "rebrand.ly"
]);
let SuspiciousPaaSDomains = dynamic([
    "appspot.com", "azurewebsites.net", "web.app", "firebaseapp.com",
    "netlify.app", "vercel.app", "pages.dev", "glitch.me", "replit.app",
    "workers.dev", "run.app"
]);
let IpfsGatewayDomains = dynamic([
    "ipfs.io", "cloudflare-ipfs.com", "gateway.pinata.cloud",
    "dweb.link", "cf-ipfs.com", "nftstorage.link"
]);
let CredentialHarvestKeywords = dynamic([
    "login", "signin", "sign-in", "auth", "verify", "secure",
    "account", "password", "credential", "confirm", "validate",
    "update", "webmail", "portal"
]);
// Branch 1: Delivered email containing suspicious link targets via Microsoft Defender for Office 365
EmailUrlInfo
| where TimeGenerated > ago(24h)
| extend ParsedHost = tostring(parse_url(Url).Host)
| extend ParsedPath = tostring(parse_url(Url)["Path"])
| where ParsedHost has_any (UrlShortenerDomains)
    or ParsedHost has_any (SuspiciousPaaSDomains)
    or ParsedHost has_any (IpfsGatewayDomains)
    or ParsedPath has "/ipfs/"
    or Url has "ipfs://"
| join kind=leftouter (
    EmailEvents
    | where TimeGenerated > ago(24h)
    | where DeliveryAction in ("Delivered", "DeliveredToJunk")
    | project NetworkMessageId, SenderFromAddress, SenderMailFromDomain,
              RecipientEmailAddress, Subject, DeliveryAction, ThreatNames,
              EmailDirection, LatestDeliveryLocation
) on NetworkMessageId
| where isnotempty(SenderFromAddress)
| extend LinkCategory = case(
    ParsedHost has_any (IpfsGatewayDomains) or ParsedPath has "/ipfs/" or Url has "ipfs://", "IPFS_Gateway",
    ParsedHost has_any (UrlShortenerDomains), "URLShortener",
    ParsedHost has_any (SuspiciousPaaSDomains), "SuspiciousPaaS",
    "Other"
)
| extend CredentialHarvestIndicator = Url has_any (CredentialHarvestKeywords)
| extend SuspicionScore = toint(CredentialHarvestIndicator)
    + iif(LinkCategory == "IPFS_Gateway", 2, 0)
    + iif(LinkCategory == "URLShortener", 1, 0)
    + iif(LinkCategory == "SuspiciousPaaS", 1, 0)
| project TimeGenerated, SenderFromAddress, SenderMailFromDomain,
         RecipientEmailAddress, Subject, Url, ParsedHost,
         LinkCategory, CredentialHarvestIndicator, SuspicionScore,
         DeliveryAction, ThreatNames, LatestDeliveryLocation
| sort by SuspicionScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Email: Email Message Network Traffic: Network Connection Creation Microsoft Defender for Office 365 — EmailUrlInfo Microsoft Defender for Office 365 — EmailEvents

Required Tables

EmailUrlInfo EmailEvents

False Positives

Legitimate marketing emails using URL shorteners (bit.ly, ow.ly) for campaign tracking — common in newsletters and vendor communications
Internal developer tools and previews legitimately hosted on Netlify, Vercel, or Azure App Services — especially from known SaaS vendors or IT teams
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that intentionally send simulated phishing links through URL shorteners
IPFS-hosted decentralized applications (dApps), NFT metadata, or legitimate Web3 projects linked in business communications
SaaS vendor onboarding emails with redirect links through PaaS infrastructure as part of legitimate SSO flows

Splunk

spl

index=email OR index=proxy OR index=web
    (sourcetype="o365:management:activity" OR sourcetype="ms:o365:defender" OR sourcetype="proxy" OR sourcetype="stream:http" OR sourcetype="bluecoat:proxysg:accesslog" OR sourcetype="zscaler:proxy")
| eval raw_url=coalesce('Url', 'url', 'cs-uri-stem', 'request_url', 'URI')
| eval raw_url_lower=lower(raw_url)
| eval IsUrlShortener=if(match(raw_url_lower,
    "(bit\.ly/|tinyurl\.com/|ow\.ly/|is\.gd/|buff\.ly/|adf\.ly/|cutt\.ly/|rb\.gy/|t\.ly/|tiny\.cc/|rebrand\.ly/)"),
    1, 0)
| eval IsIPFS=if(match(raw_url_lower,
    "(ipfs\.io/ipfs/|cloudflare-ipfs\.com/ipfs/|gateway\.pinata\.cloud/ipfs/|dweb\.link/ipfs/|cf-ipfs\.com/ipfs/|nftstorage\.link/ipfs/|ipfs://)"),
    1, 0)
| eval IsSuspiciousPaaS=if(match(raw_url_lower,
    "(\.appspot\.com|\.azurewebsites\.net|\.web\.app|\.firebaseapp\.com|\.netlify\.app|\.vercel\.app|\.pages\.dev|\.glitch\.me|\.replit\.app|\.workers\.dev|\.run\.app)"),
    1, 0)
| eval HasCredentialKeyword=if(match(raw_url_lower,
    "(login|signin|sign-in|/auth|/verify|/secure|/account|password|credential|/confirm|/validate|webmail|/portal)"),
    1, 0)
| eval SuspicionScore=IsUrlShortener + (IsIPFS * 2) + IsSuspiciousPaaS + HasCredentialKeyword
| where SuspicionScore > 0
| eval LinkCategory=case(
    IsIPFS=1, "IPFS_Gateway",
    IsUrlShortener=1, "URLShortener",
    IsSuspiciousPaaS=1, "SuspiciousPaaS",
    true(), "Other"
)
| eval source_user=coalesce('RecipientEmailAddress', 'SenderFromAddress', 'user', 'src_user', 'cs-username')
| eval source_host=coalesce('host', 'src', 'ClientIP', 'c-ip')
| table _time, source_host, source_user, raw_url, LinkCategory,
        IsUrlShortener, IsIPFS, IsSuspiciousPaaS, HasCredentialKeyword, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Email: Email Message Network Traffic: Network Connection Creation Web Proxy Logs Office 365 Activity Logs

Required Sourcetypes

o365:management:activity proxy stream:http

False Positives

Legitimate marketing and newsletter emails using URL shorteners for click tracking — common from CRM platforms (HubSpot, Mailchimp, Salesforce)
Development and staging environments legitimately hosted on Vercel, Netlify, Cloudflare Pages — especially in software/tech organizations
Phishing simulation platforms (KnowBe4, Cofense, Proofpoint Security Awareness) generating intentional phishing links through URL shorteners or custom domains
Web3 and blockchain-related businesses routinely hosting content on IPFS and linking to IPFS gateways in communications
SaaS vendor activation and onboarding emails routing through PaaS redirect URLs as part of OAuth and SSO flows

Elastic Security (EQL)

eql

any where process.name : ("curl", "wget", "powershell.exe", "certutil.exe", "bitsadmin.exe") and (process.command_line : ("*.bin", "*.exe", "*.dll", "*.ps1", "*.bat", "*.vbs", "*.hta") or network.direction : "egress" and destination.port in (80, 443) and process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"))

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent Network Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-*

False Positives

Legitimate marketing emails using URL shorteners (bit.ly, ow.ly) for campaign tracking — common in newsletters and vendor communications
Internal developer tools and previews legitimately hosted on Netlify, Vercel, or Azure App Services — especially from known SaaS vendors or IT teams
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that intentionally send simulated phishing links through URL shorteners
IPFS-hosted decentralized applications (dApps), NFT metadata, or legitimate Web3 projects linked in business communications
SaaS vendor onboarding emails with redirect links through PaaS infrastructure as part of legitimate SSO flows

IBM QRadar (AQL)

sql

SELECT sourceip as "SourceIP", destinationip as "DestinationIP", UTF8(payload) as "URL", username as "Username", devicetime as "EventTime", CASE WHEN UTF8(payload) ILIKE '%.exe%' OR UTF8(payload) ILIKE '%.dll%' OR UTF8(payload) ILIKE '%.bin%' THEN 80 WHEN UTF8(payload) ILIKE '%paste%' OR UTF8(payload) ILIKE '%transfer.sh%' OR UTF8(payload) ILIKE '%gofile%' THEN 75 WHEN UTF8(payload) ILIKE '%certutil%' OR UTF8(payload) ILIKE '%bitsadmin%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Proxy', 'Windows', 'Zscaler Internet Access') AND (eventid = 4688 OR destinationport IN (80, 443)) ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log Proxy Zscaler Internet Access

Required Tables

events

False Positives

Legitimate marketing emails using URL shorteners (bit.ly, ow.ly) for campaign tracking — common in newsletters and vendor communications
Internal developer tools and previews legitimately hosted on Netlify, Vercel, or Azure App Services — especially from known SaaS vendors or IT teams
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that intentionally send simulated phishing links through URL shorteners
IPFS-hosted decentralized applications (dApps), NFT metadata, or legitimate Web3 projects linked in business communications
SaaS vendor onboarding emails with redirect links through PaaS infrastructure as part of legitimate SSO flows

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=proxy/access | json auto | where (process_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe") and (command_line matches "*.exe" or command_line matches "*.dll" or command_line matches "*.bin")) or (url matches "*transfer.sh*" or url matches "*paste.ee*" or url matches "*gofile.io*") | if(matches(process_name, "*certutil*") and matches(command_line, "*urlcache*"), "High", if(matches(url, "*transfer.sh*") or matches(url, "*gofile.io*"), "High", "Medium")) as RiskLevel | count by src_ip, process_name, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Windows Endpoint Events Proxy Access Logs

Required Tables

endpoint/windows proxy/access

False Positives

Legitimate marketing emails using URL shorteners (bit.ly, ow.ly) for campaign tracking — common in newsletters and vendor communications
Internal developer tools and previews legitimately hosted on Netlify, Vercel, or Azure App Services — especially from known SaaS vendors or IT teams
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that intentionally send simulated phishing links through URL shorteners
IPFS-hosted decentralized applications (dApps), NFT metadata, or legitimate Web3 projects linked in business communications
SaaS vendor onboarding emails with redirect links through PaaS infrastructure as part of legitimate SSO flows

Google Chronicle / SecOps

yaral

rule detect_stage_capabilities {
  meta:
    author = "Argus"
    description = "Detects staging of capabilities from external infrastructure"
    severity = "HIGH"
    technique = "T1608"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      re.regex($e.target.url, `\.(exe|dll|bin|ps1|bat|vbs|hta|sh|elf)($|\?)`) nocase or
      re.regex($e.target.hostname, `transfer\.sh|paste\.ee|gofile\.io|anonfiles|temp\.sh`) nocase
    )
    $e.principal.process.file.full_path != ""
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Web Proxy Google Workspace

Required Tables

NETWORK_HTTP PROCESS_LAUNCH FILE_CREATION

False Positives

Legitimate marketing emails using URL shorteners (bit.ly, ow.ly) for campaign tracking — common in newsletters and vendor communications
Internal developer tools and previews legitimately hosted on Netlify, Vercel, or Azure App Services — especially from known SaaS vendors or IT teams
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that intentionally send simulated phishing links through URL shorteners
IPFS-hosted decentralized applications (dApps), NFT metadata, or legitimate Web3 projects linked in business communications
SaaS vendor onboarding emails with redirect links through PaaS infrastructure as part of legitimate SSO flows

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /certutil|bitsadmin|curl|wget/i
| CommandHistory = /urlcache|transfer|download|http/i
| case {
    CommandHistory = /\.exe|\.dll|\.bin/i | FileType := "Executable";
    CommandHistory = /\.ps1|\.bat|\.vbs/i | FileType := "Script";
    * | FileType := "Other"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, FileType])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor) NetworkConnectIP4 (Falcon sensor)

Required Tables

ProcessRollup2 NetworkConnectIP4 DetectionSummaryEvent

False Positives

Legitimate marketing emails using URL shorteners (bit.ly, ow.ly) for campaign tracking — common in newsletters and vendor communications
Internal developer tools and previews legitimately hosted on Netlify, Vercel, or Azure App Services — especially from known SaaS vendors or IT teams
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that intentionally send simulated phishing links through URL shorteners
IPFS-hosted decentralized applications (dApps), NFT metadata, or legitimate Web3 projects linked in business communications
SaaS vendor onboarding emails with redirect links through PaaS infrastructure as part of legitimate SSO flows

Link Target

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections