T1593.001 Social Media Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let OSINTTools = dynamic(["theHarvester", "recon-ng", "spiderfoot", "maltego", "sherlock", "social-mapper", "linkedin2username", "osrframework", "recondog"]);
let SocialMediaAPIs = dynamic(["api.linkedin.com", "api.twitter.com", "api.x.com", "graph.facebook.com", "api.instagram.com", "platform.twitter.com", "linkedin.com/voyager"]);
// Branch 1: Known OSINT tool execution targeting social media platforms
let OSINTToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (OSINTTools)
    or (FileName in~ ("python.exe", "python3", "python3.exe", "python3.11", "python3.12")
        and ProcessCommandLine has_any (OSINTTools))
    or ProcessCommandLine has_any ("-b linkedin", "-b twitter", "-b instagram", "--source linkedin",
        "--source twitter", "linkedin2username", "-b all")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch = "OSINT_Tool_Execution";
// Branch 2: Non-browser processes making bulk calls to social media API endpoints
let BulkSocialAPIEnumeration = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (SocialMediaAPIs)
| where InitiatingProcessFileName !in~ ("msedge.exe", "chrome.exe", "firefox.exe",
        "brave.exe", "safari.exe", "opera.exe", "iexplore.exe", "chromium.exe")
| summarize RequestCount = count(),
           UniqueEndpoints = dcount(RemoteUrl),
           EndpointsSeen = make_set(RemoteUrl, 10),
           FirstSeen = min(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where RequestCount > 20 or UniqueEndpoints > 3
| project Timestamp = FirstSeen, DeviceName, AccountName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName,
          DetectionBranch = "Bulk_Social_API_Enumeration";
OSINTToolExecution
| union BulkSocialAPIEnumeration
| sort by Timestamp desc

medium severity low confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Authorized red team or penetration testing exercises conducting social media OSINT against the organization using the same tools
Threat intelligence analysts and security researchers running theHarvester, SpiderFoot, or recon-ng as part of their job duties
Marketing and HR teams using LinkedIn Recruiter, Sales Navigator, or social media management platforms (Hootsuite, Sprout Social) with desktop applications making bulk API calls
Security awareness training simulations that enumerate exposed employee information to demonstrate organizational risk
Legitimate business intelligence or CRM integrations (Salesforce LinkedIn Sales Navigator, HubSpot) with non-browser agents making frequent social media API requests

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine), Image=lower(Image)
| eval IsOSINTTool=if(
    match(Image, "(theharvester|recon-ng|spiderfoot|maltego|sherlock|social.?mapper|linkedin2username|osrframework)") OR
    (match(Image, "python") AND
     match(CommandLine, "(theharvester|recon-ng|spiderfoot|sherlock|social.?mapper|linkedin2username|osrframework)")),
    1, 0)
| eval TargetsSocialMedia=if(
    match(CommandLine, "(-b\s+(linkedin|twitter|instagram|facebook|all)|--source\s+(linkedin|twitter)|linkedin\.com|twitter\.com|instagram\.com|facebook\.com)"),
    1, 0)
| eval HasDomainOrTargetFlag=if(
    match(CommandLine, "(-d\s+|--domain\s+|-t\s+|--target\s+)"),
    1, 0)
| eval HasOutputFlag=if(
    match(CommandLine, "(-f\s+|--filename\s+|-o\s+|--output\s+)"),
    1, 0)
| where IsOSINTTool=1 OR (TargetsSocialMedia=1 AND HasDomainOrTargetFlag=1)
| eval SuspicionScore=IsOSINTTool + TargetsSocialMedia + HasDomainOrTargetFlag + HasOutputFlag
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsOSINTTool, TargetsSocialMedia, HasDomainOrTargetFlag, HasOutputFlag, SuspicionScore
| sort - SuspicionScore, - _time

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized red team or penetration testing exercises running social media OSINT tools against the organization
Threat intelligence analysts and security researchers using OSINT tools as part of their job functions
Marketing and HR teams running social media management or recruiting tools with similar command-line patterns
Security awareness training simulations enumerating exposed employee information on social media
Bug bounty hunters conducting authorized reconnaissance as part of their engagement scope

Elastic Security (EQL)

eql

// T1593.001 — Social Media OSINT
process where process.name : ("python.exe", "python3", "python3.exe")
  and process.command_line : (
    "*theharvester*", "*recon-ng*", "*spiderfoot*", "*sherlock*",
    "*linkedin2username*", "*-b linkedin*", "*-b twitter*", "*-b all*"
  )

medium severity low confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

Authorized red team or penetration testing exercises conducting social media OSINT against the organization using the same tools
Threat intelligence analysts and security researchers running theHarvester, SpiderFoot, or recon-ng as part of their job duties
Marketing and HR teams using LinkedIn Recruiter, Sales Navigator, or social media management platforms (Hootsuite, Sprout Social) with desktop applications making bulk API calls
Security awareness training simulations that enumerate exposed employee information to demonstrate organizational risk

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("CommandLine") ILIKE '%theharvester%' OR LOWER("CommandLine") ILIKE '%recon-ng%' OR LOWER("CommandLine") ILIKE '%linkedin2username%' OR LOWER("CommandLine") ILIKE '%spiderfoot%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("CommandLine") ILIKE '%theharvester%' OR LOWER("CommandLine") ILIKE '%recon-ng%' OR LOWER("CommandLine") ILIKE '%linkedin2username%' OR LOWER("CommandLine") ILIKE '%spiderfoot%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Authorized red team or penetration testing exercises conducting social media OSINT against the organization using the same tools
Threat intelligence analysts and security researchers running theHarvester, SpiderFoot, or recon-ng as part of their job duties
Marketing and HR teams using LinkedIn Recruiter, Sales Navigator, or social media management platforms (Hootsuite, Sprout Social) with desktop applications making bulk API calls
Security awareness training simulations that enumerate exposed employee information to demonstrate organizational risk

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| json auto
| where EventCode = 1
| where Image matches "*powershell*" or Image matches "*wmic*" or Image matches "*cmd*"
| count by host, User, Image, CommandLine
| sort by _count desc

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

windows/events security/sysmon

False Positives

Authorized red team or penetration testing exercises conducting social media OSINT against the organization using the same tools
Threat intelligence analysts and security researchers running theHarvester, SpiderFoot, or recon-ng as part of their job duties
Marketing and HR teams using LinkedIn Recruiter, Sales Navigator, or social media management platforms (Hootsuite, Sprout Social) with desktop applications making bulk API calls
Security awareness training simulations that enumerate exposed employee information to demonstrate organizational risk

Google Chronicle / SecOps

yaral

rule t1593_001_social_media {
  meta:
    author = "df00tech"
    description = "Detects Social Media (T1593.001)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1593.001"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

PROCESS_LAUNCH PROCESS_OPEN

False Positives

Authorized red team or penetration testing exercises conducting social media OSINT against the organization using the same tools
Threat intelligence analysts and security researchers running theHarvester, SpiderFoot, or recon-ng as part of their job duties
Marketing and HR teams using LinkedIn Recruiter, Sales Navigator, or social media management platforms (Hootsuite, Sprout Social) with desktop applications making bulk API calls
Security awareness training simulations that enumerate exposed employee information to demonstrate organizational risk

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1593.001 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1593.001 - OSINTTool";
    * => TechniqueLabel := "T1593.001 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

Authorized red team or penetration testing exercises conducting social media OSINT against the organization using the same tools
Threat intelligence analysts and security researchers running theHarvester, SpiderFoot, or recon-ng as part of their job duties
Marketing and HR teams using LinkedIn Recruiter, Sales Navigator, or social media management platforms (Hootsuite, Sprout Social) with desktop applications making bulk API calls
Security awareness training simulations that enumerate exposed employee information to demonstrate organizational risk

Social Media

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections