T1593.001 Google Chronicle · YARA-L

Detect Social Media in Google Chronicle

Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. Adversaries may search different social media sites depending on what information they seek to gather, and may passively harvest data from these sites as well as use gathered information to create fake profiles to elicit victims into revealing specific information. Groups such as Kimsuky have used Twitter to monitor potential victims and prepare targeted phishing emails, while Contagious Interview solicited victims through LinkedIn and Telegram, and EXOTIC LILY copied data from social media sites to impersonate targeted individuals.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1593 Search Open Websites/Domains
Sub-technique: T1593.001 Social Media
Canonical reference: https://attack.mitre.org/techniques/T1593/001/

YARA-L Detection Query

Google Chronicle (YARA-L)

rule t1593_001_social_media {
  meta:
    author = "df00tech"
    description = "Detects Social Media (T1593.001)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1593.001"
    confidence = "low"
    severity = "medium"
  events:
    // Matches every process launch that carries a non-empty command line;
    // the tool names and arguments under Testing Methodology and the
    // False Positives list are the inputs for narrowing this in production
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

Google Chronicle YARA-L 2.0 detection rule for Social Media (T1593.001). Uses Unified Data Model (UDM) event field mappings to detect the same behavioral patterns as the KQL rule, with Chronicle's temporal matching and entity correlation capabilities.

Data Sources

  • Google Chronicle SIEM
  • Chronicle UDM

Required Tables

  • PROCESS_LAUNCH
  • PROCESS_OPEN

False Positives & Tuning

  • Authorized red team or penetration testing exercises conducting social media OSINT against the organization using the same tools
  • Threat intelligence analysts and security researchers running theHarvester, SpiderFoot, or recon-ng as part of their job duties
  • Marketing and HR teams using LinkedIn Recruiter, Sales Navigator, or social media management platforms (Hootsuite, Sprout Social) with desktop applications making bulk API calls
  • Security awareness training simulations that enumerate exposed employee information to demonstrate organizational risk
Testing Methodology

Validate this detection against the 4 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Social Media OSINT with theHarvester targeting LinkedIn and Twitter

    Expected signal: Sysmon Event ID 1: Process Create with Image containing 'python3', CommandLine containing 'theHarvester', '-d example.com', '-b linkedin,twitter', '-f /tmp/harvest_output'. Sysmon Event ID 3: Network connections to linkedin.com, twitter.com, and social media API endpoints. Sysmon Event ID 11: File creation events at /tmp/harvest_output.xml and /tmp/harvest_output.json.

  2. Test 2: LinkedIn Employee Enumeration via Python Requests

    Expected signal: Sysmon Event ID 1: Process Create with Image=python3, CommandLine containing 'linkedin.com', 'requests.get', and 'people'. Sysmon Event ID 3: Network Connection from python3 to linkedin.com on port 443. Sysmon Event ID 11: File creation at /tmp/linkedin_recon_output.txt.

  3. Test 3: Twitter/X Employee and Mention Search via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'twitter.com', 'Invoke-WebRequest', 'employees'. Sysmon Event ID 3: Network Connection from powershell.exe to twitter.com on port 443. Sysmon Event ID 11: File creation at %TEMP%\twitter_recon_results.txt.

  4. Test 4: SpiderFoot OSINT Social Media Module Scan

    Expected signal: Sysmon Event ID 1: Process Create with Image=python3, CommandLine containing 'spiderfoot', 'sfp_linkedin', 'sfp_twitter', '-s example.com'. Sysmon Event ID 3: Multiple network connections to LinkedIn and Twitter API endpoints. Sysmon Event ID 11: Output file creation at /tmp/spiderfoot_social_results.json.
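A narrower YARA-L rule that keys on the tool names and social media arguments listed in the tests above and carves out the authorized operators from the False Positives list. This is an added example, not the rule published on this page; the reference list %approved_osint_operators is assumed to exist in your Chronicle instance and must be created before the rule compiles.

```yaral
rule t1593_001_social_media_osint_tooling {
  meta:
    author = "added example, not the page's rule"
    description = "OSINT tool launched with LinkedIn/Twitter targets (T1593.001)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1593.001"
    confidence = "medium"
    severity = "medium"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Tool names taken from the four test cases on this page
    re.regex($e.target.process.command_line,
             `(?i)(theharvester|spiderfoot|sfp_linkedin|sfp_twitter|recon-ng)`)
    // Require a social media source/target argument so a bare tool launch
    // (e.g. theHarvester against DNS only) does not fire
    re.regex($e.target.process.command_line, `(?i)(linkedin|twitter)`)
    // Assumed reference list: accounts approved for red team, threat intel
    // or awareness-training OSINT (the tuning cases listed above)
    not $e.principal.user.userid in %approved_osint_operators
    $host = $e.principal.hostname

  match:
    // One alert per host per hour instead of one per process launch
    $host over 1h

  outcome:
    // SpiderFoot runs several modules at once, so weight it higher
    $risk_score = max(if($e.target.process.command_line = /spiderfoot/ nocase, 60, 40))
    $command_lines = array_distinct($e.target.process.command_line)
    $users = array_distinct($e.principal.user.userid)

  condition:
    $e
}
```

Test 3 (PowerShell with Invoke-WebRequest against twitter.com) is deliberately not covered here, because Invoke-WebRequest alone is too common to key on; pair it with the Sysmon Event ID 3 network signal from that test instead.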
