Detect Social Media in Splunk
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. Adversaries may search different social media sites depending on what information they seek to gather, and may passively harvest data from these sites as well as use gathered information to create fake profiles to elicit victims into revealing specific information. Groups such as Kimsuky have used Twitter to monitor potential victims and prepare targeted phishing emails, while Contagious Interview solicited victims through LinkedIn and Telegram, and EXOTIC LILY copied data from social media sites to impersonate targeted individuals.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1593 Search Open Websites/Domains
- Sub-technique
- T1593.001 Social Media
- Canonical reference
- https://attack.mitre.org/techniques/T1593/001/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine), Image=lower(Image)
| eval IsOSINTTool=if(
    match(Image, "(theharvester|recon-ng|spiderfoot|maltego|sherlock|social.?mapper|linkedin2username|osrframework)") OR
    (match(Image, "python") AND
     match(CommandLine, "(theharvester|recon-ng|spiderfoot|sherlock|social.?mapper|linkedin2username|osrframework)")),
    1, 0)
| eval TargetsSocialMedia=if(
    match(CommandLine, "(-b\s+(linkedin|twitter|instagram|facebook|all)|--source\s+(linkedin|twitter)|linkedin\.com|twitter\.com|instagram\.com|facebook\.com)"),
    1, 0)
| eval HasDomainOrTargetFlag=if(
    match(CommandLine, "(-d\s+|--domain\s+|-t\s+|--target\s+)"),
    1, 0)
| eval HasOutputFlag=if(
    match(CommandLine, "(-f\s+|--filename\s+|-o\s+|--output\s+)"),
    1, 0)
| where IsOSINTTool=1 OR (TargetsSocialMedia=1 AND HasDomainOrTargetFlag=1)
| eval SuspicionScore=IsOSINTTool + TargetsSocialMedia + HasDomainOrTargetFlag + HasOutputFlag
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
    IsOSINTTool, TargetsSocialMedia, HasDomainOrTargetFlag, HasOutputFlag, SuspicionScore
| sort - SuspicionScore, - _time

Detects execution of known social media OSINT and reconnaissance tools using Sysmon Event ID 1 (Process Creation). The query evaluates process images and command lines against known tool names (theHarvester, recon-ng, SpiderFoot, Maltego, Sherlock, linkedin2username), including invocations through Python interpreters. It scores each finding across four dimensions: OSINT tool identity, social media targeting flags (-b linkedin/twitter), domain or target specification flags (-d, -t), and output file flags (-f, -o). Higher suspicion scores indicate more complete reconnaissance workflows. Note that the where clause keeps an event only when a known tool is identified, or when a social media indicator is paired with a domain/target flag; a social media indicator on its own does not produce a result.
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (index=wineventlog), Sysmon Event ID 1 process creation events with Image and CommandLine populated
False Positives & Tuning
- Authorized red team or penetration testing exercises running social media OSINT tools against the organization
- Threat intelligence analysts and security researchers using OSINT tools as part of their job functions
- Marketing and HR teams running social media management or recruiting tools with similar command-line patterns
- Security awareness training simulations enumerating exposed employee information on social media
- Bug bounty hunters conducting authorized reconnaissance as part of their engagement scope
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Social Media OSINT with theHarvester targeting LinkedIn and Twitter
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'python3', CommandLine containing 'theHarvester', '-d example.com', '-b linkedin,twitter', '-f /tmp/harvest_output'. Sysmon Event ID 3: Network connections to linkedin.com, twitter.com, and social media API endpoints. Sysmon Event ID 11: File creation events at /tmp/harvest_output.xml and /tmp/harvest_output.json.
- Test 2: LinkedIn Employee Enumeration via Python Requests
Expected signal: Sysmon Event ID 1: Process Create with Image=python3, CommandLine containing 'linkedin.com', 'requests.get', and 'people'. Sysmon Event ID 3: Network Connection from python3 to linkedin.com on port 443. Sysmon Event ID 11: File creation at /tmp/linkedin_recon_output.txt.
- Test 3: Twitter/X Employee and Mention Search via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'twitter.com', 'Invoke-WebRequest', 'employees'. Sysmon Event ID 3: Network Connection from powershell.exe to twitter.com on port 443. Sysmon Event ID 11: File creation at %TEMP%\twitter_recon_results.txt.
- Test 4: SpiderFoot OSINT Social Media Module Scan
Expected signal: Sysmon Event ID 1: Process Create with Image=python3, CommandLine containing 'spiderfoot', 'sfp_linkedin', 'sfp_twitter', '-s example.com'. Sysmon Event ID 3: Multiple network connections to LinkedIn and Twitter API endpoints. Sysmon Event ID 11: Output file creation at /tmp/spiderfoot_social_results.json.
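To check how the SPL scoring and where clause above behave against the four test scenarios and the HR/recruiting false positive listed under tuning, the following Python emulates the query's four evals offline over constructed Sysmon Event ID 1 records. This is an added example, not part of the original page or of any tool it references; the command lines are approximations modelled on the "Expected signal" descriptions (the page does not show the actual Atomic test commands, so whether the real tests match depends on their exact arguments), and the record names and the benign recruiting_sync.py run are invented for illustration. The regexes are copied from the SPL, and the events are lowercased before matching exactly as the query does.

```python
"""Offline emulation of the SPL SuspicionScore logic over constructed Sysmon EID 1 records."""
import re
from dataclasses import dataclass

# Patterns copied from the SPL evals. The query lowercases Image and
# CommandLine before matching, so every pattern here is lowercase as well.
TOOL_IN_IMAGE = re.compile(
    r"(theharvester|recon-ng|spiderfoot|maltego|sherlock|social.?mapper|linkedin2username|osrframework)")
TOOL_IN_CMDLINE = re.compile(
    r"(theharvester|recon-ng|spiderfoot|sherlock|social.?mapper|linkedin2username|osrframework)")
SOCIAL_TARGET = re.compile(
    r"(-b\s+(linkedin|twitter|instagram|facebook|all)|--source\s+(linkedin|twitter)"
    r"|linkedin\.com|twitter\.com|instagram\.com|facebook\.com)")
DOMAIN_OR_TARGET_FLAG = re.compile(r"(-d\s+|--domain\s+|-t\s+|--target\s+)")
OUTPUT_FLAG = re.compile(r"(-f\s+|--filename\s+|-o\s+|--output\s+)")


@dataclass
class Verdict:
    is_osint_tool: int
    targets_social_media: int
    has_domain_or_target_flag: int
    has_output_flag: int

    @property
    def score(self) -> int:
        # SuspicionScore is the plain sum of the four 0/1 flags.
        return (self.is_osint_tool + self.targets_social_media
                + self.has_domain_or_target_flag + self.has_output_flag)

    @property
    def matched(self) -> bool:
        # The SPL where clause: a known tool alone is enough; otherwise a
        # social media indicator must be paired with a -d/-t style flag.
        return bool(self.is_osint_tool
                    or (self.targets_social_media and self.has_domain_or_target_flag))


def score_event(event: dict) -> Verdict:
    """Compute the four flags for one process-creation record."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    is_tool = int(bool(TOOL_IN_IMAGE.search(image)
                       or ("python" in image and TOOL_IN_CMDLINE.search(cmd))))
    return Verdict(
        is_osint_tool=is_tool,
        targets_social_media=int(bool(SOCIAL_TARGET.search(cmd))),
        has_domain_or_target_flag=int(bool(DOMAIN_OR_TARGET_FLAG.search(cmd))),
        has_output_flag=int(bool(OUTPUT_FLAG.search(cmd))),
    )


def run_detection(events):
    """Return (name, Verdict) for records that survive the where clause,
    sorted by SuspicionScore descending like the SPL's final sort."""
    scored = [(e["name"], score_event(e)) for e in events]
    hits = [(name, v) for name, v in scored if v.matched]
    return sorted(hits, key=lambda nv: nv[1].score, reverse=True)


# Constructed sample records (not real telemetry): one per test scenario,
# modelled on the Expected signal text, plus a hypothetical benign HR run.
SAMPLE_EVENTS = [
    {"name": "test1_theharvester", "Image": "/usr/bin/python3",
     "CommandLine": "python3 theHarvester.py -d example.com -b linkedin,twitter -f /tmp/harvest_output"},
    {"name": "test2_requests", "Image": "/usr/bin/python3",
     "CommandLine": "python3 -c \"import requests; r = requests.get('https://www.linkedin.com/company/example/people')\""},
    {"name": "test3_powershell", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Invoke-WebRequest -Uri https://twitter.com/search?q=example%20employees'
                    ' | Out-File $env:TEMP\\twitter_recon_results.txt"'},
    {"name": "test4_spiderfoot", "Image": "/usr/bin/python3",
     "CommandLine": "python3 /opt/spiderfoot/sf.py -m sfp_linkedin,sfp_twitter -s example.com -o json"},
    {"name": "benign_recruiting_sync", "Image": "C:\\Program Files\\Python311\\python.exe",
     "CommandLine": "python.exe recruiting_sync.py --source linkedin --target recruiting-team"},
]

if __name__ == "__main__":
    for name, v in run_detection(SAMPLE_EVENTS):
        print(f"{name:24s} score={v.score} {v}")
```

Run as written, the theHarvester record scores 4 and the SpiderFoot record scores 2 (tool identity plus -o), while the constructed Test 2 and Test 3 command lines score 1 and are dropped by the where clause: they contain a social media domain but no -d/-t style flag and no known tool name. The hypothetical recruiting_sync.py run, by contrast, does fire with a score of 2 via --source linkedin plus --target, which is exactly the false positive class described under tuning. If your Atomic tests for scenarios 2 and 3 do not produce results, compare their real command lines against DOMAIN_OR_TARGET_FLAG before concluding the Sysmon data is missing.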
References (9)
- https://attack.mitre.org/techniques/T1593/001/
- https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
- https://blog.malwarebytes.com/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-spear-phishing-emails/
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker-ties-wizard-spider/
- https://github.com/laramies/theHarvester
- https://github.com/smicallef/spiderfoot
- https://github.com/lanmaster53/recon-ng
- https://github.com/sherlock-project/sherlock
- https://www.canarytokens.org/generate