Detect Social Media in Microsoft Sentinel
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. Adversaries may search different social media sites depending on what information they seek to gather, and may passively harvest data from these sites as well as use gathered information to create fake profiles to elicit victims into revealing specific information. Groups such as Kimsuky have used Twitter to monitor potential victims and prepare targeted phishing emails, while Contagious Interview solicited victims through LinkedIn and Telegram, and EXOTIC LILY copied data from social media sites to impersonate targeted individuals.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1593 Search Open Websites/Domains
- Sub-technique
- T1593.001 Social Media
- Canonical reference
- https://attack.mitre.org/techniques/T1593/001/
KQL Detection Query
let OSINTTools = dynamic(["theHarvester", "recon-ng", "spiderfoot", "maltego", "sherlock", "social-mapper", "linkedin2username", "osrframework", "recondog"]);
let SocialMediaAPIs = dynamic(["api.linkedin.com", "api.twitter.com", "api.x.com", "graph.facebook.com", "api.instagram.com", "platform.twitter.com", "linkedin.com/voyager"]);
// Branch 1: Known OSINT tool execution targeting social media platforms
let OSINTToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (OSINTTools)
or (FileName in~ ("python.exe", "python3", "python3.exe", "python3.11", "python3.12")
and ProcessCommandLine has_any (OSINTTools))
or ProcessCommandLine has_any ("-b linkedin", "-b twitter", "-b instagram", "--source linkedin",
"--source twitter", "linkedin2username", "-b all")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionBranch = "OSINT_Tool_Execution";
// Branch 2: Non-browser processes making bulk calls to social media API endpoints
let BulkSocialAPIEnumeration = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (SocialMediaAPIs)
| where InitiatingProcessFileName !in~ ("msedge.exe", "chrome.exe", "firefox.exe",
"brave.exe", "safari.exe", "opera.exe", "iexplore.exe", "chromium.exe")
| summarize RequestCount = count(),
UniqueEndpoints = dcount(RemoteUrl),
EndpointsSeen = make_set(RemoteUrl, 10),
FirstSeen = min(Timestamp)
by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where RequestCount > 20 or UniqueEndpoints > 3
| project Timestamp = FirstSeen, DeviceName, AccountName,
ProcessCommandLine = InitiatingProcessCommandLine,
InitiatingProcessFileName,
DetectionBranch = "Bulk_Social_API_Enumeration";
OSINTToolExecution
| union BulkSocialAPIEnumeration
| sort by Timestamp descDetects social media reconnaissance activity through two complementary approaches. Branch 1 identifies execution of known OSINT tools (theHarvester, recon-ng, SpiderFoot, Maltego, Sherlock, linkedin2username) on monitored endpoints, including invocation through Python interpreters with social media source flags (-b linkedin, -b twitter). Branch 2 detects non-browser processes making bulk API calls to social media endpoints (LinkedIn, Twitter/X, Facebook, Instagram APIs) via DeviceNetworkEvents, which indicates scripted rather than interactive browsing. Since T1593.001 is a PRE-attack technique that primarily occurs outside the victim environment, confidence is low — this query catches adversaries operating from within the network perimeter or on compromised endpoints conducting reconnaissance.
Data Sources
Required Tables
False Positives & Tuning
- Authorized red team or penetration testing exercises conducting social media OSINT against the organization using the same tools
- Threat intelligence analysts and security researchers running theHarvester, SpiderFoot, or recon-ng as part of their job duties
- Marketing and HR teams using LinkedIn Recruiter, Sales Navigator, or social media management platforms (Hootsuite, Sprout Social) with desktop applications making bulk API calls
- Security awareness training simulations that enumerate exposed employee information to demonstrate organizational risk
- Legitimate business intelligence or CRM integrations (Salesforce LinkedIn Sales Navigator, HubSpot) with non-browser agents making frequent social media API requests
Other platforms for T1593.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Social Media OSINT with theHarvester targeting LinkedIn and Twitter
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'python3', CommandLine containing 'theHarvester', '-d example.com', '-b linkedin,twitter', '-f /tmp/harvest_output'. Sysmon Event ID 3: Network connections to linkedin.com, twitter.com, and social media API endpoints. Sysmon Event ID 11: File creation events at /tmp/harvest_output.xml and /tmp/harvest_output.json.
- Test 2LinkedIn Employee Enumeration via Python Requests
Expected signal: Sysmon Event ID 1: Process Create with Image=python3, CommandLine containing 'linkedin.com', 'requests.get', and 'people'. Sysmon Event ID 3: Network Connection from python3 to linkedin.com on port 443. Sysmon Event ID 11: File creation at /tmp/linkedin_recon_output.txt.
- Test 3Twitter/X Employee and Mention Search via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'twitter.com', 'Invoke-WebRequest', 'employees'. Sysmon Event ID 3: Network Connection from powershell.exe to twitter.com on port 443. Sysmon Event ID 11: File creation at %TEMP%\twitter_recon_results.txt.
- Test 4SpiderFoot OSINT Social Media Module Scan
Expected signal: Sysmon Event ID 1: Process Create with Image=python3, CommandLine containing 'spiderfoot', 'sfp_linkedin', 'sfp_twitter', '-s example.com'. Sysmon Event ID 3: Multiple network connections to LinkedIn and Twitter API endpoints. Sysmon Event ID 11: Output file creation at /tmp/spiderfoot_social_results.json.
References (9)
- https://attack.mitre.org/techniques/T1593/001/
- https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
- https://blog.malwarebytes.com/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-spear-phishing-emails/
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker-ties-wizard-spider/
- https://github.com/laramies/theHarvester
- https://github.com/smicallef/spiderfoot
- https://github.com/lanmaster53/recon-ng
- https://github.com/sherlock-project/sherlock
- https://www.canarytokens.org/generate
Unlock Pro Content
Get the full detection package for T1593.001 including response playbook, investigation guide, and atomic red team tests.