T1596 Search Open Technical Databases Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let OSINTDomains = dynamic([
    "shodan.io", "api.shodan.io",
    "censys.io", "search.censys.io",
    "dnsdumpster.com",
    "securitytrails.com", "api.securitytrails.com",
    "spyse.com",
    "zoomeye.org",
    "fofa.so", "fofa.info",
    "binaryedge.io", "api.binaryedge.io",
    "onyphe.io",
    "hunter.io",
    "intelx.io",
    "passivedns.circl.lu",
    "riddler.io",
    "robtex.com",
    "hackertarget.com",
    "whoisxmlapi.com",
    "domaintools.com",
    "crt.sh",
    "certspotter.com",
    "urlscan.io",
    "viewdns.info",
    "threatcrowd.org"
]);
let SuspiciousProcesses = dynamic([
    "curl.exe", "wget.exe",
    "python.exe", "python3.exe", "py.exe",
    "powershell.exe", "pwsh.exe",
    "cmd.exe", "wscript.exe", "cscript.exe"
]);
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where ActionType == "ConnectionSuccess" or ActionType == "HttpConnectionInspected"
| where RemoteUrl has_any (OSINTDomains)
    or RemoteIPType != "Private" and RemotePort in (443, 80)
        and (RemoteUrl contains "shodan" or RemoteUrl contains "censys" or RemoteUrl contains "crt.sh")
| where InitiatingProcessFileName in~ (SuspiciousProcesses)
    or InitiatingProcessCommandLine has_any ("/api/", "apikey", "api_key", "--key", "-H 'API")
| summarize
    RequestCount = count(),
    UniqueOSINTDomains = dcount(RemoteUrl),
    QueriedDomains = make_set(RemoteUrl, 20),
    ProcessesUsed = make_set(InitiatingProcessFileName, 5),
    CommandLines = make_set(InitiatingProcessCommandLine, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| where RequestCount >= 5 or UniqueOSINTDomains >= 2
| extend
    RiskScore = case(
        UniqueOSINTDomains >= 5, 90,
        UniqueOSINTDomains >= 3, 70,
        RequestCount >= 20, 60,
        40
    ),
    Alert = "Possible open technical database reconnaissance from corporate endpoint"
| project
    FirstSeen, LastSeen, DeviceName,
    InitiatingProcessAccountName, InitiatingProcessAccountDomain,
    RequestCount, UniqueOSINTDomains, QueriedDomains,
    ProcessesUsed, CommandLines, RiskScore, Alert
| order by RiskScore desc

medium severity low confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Security analysts and threat intelligence teams performing legitimate asset discovery or exposure monitoring using these same OSINT tools
Red team or penetration testing engagements querying Shodan/Censys to validate external attack surface
Automated vulnerability management platforms (e.g., Tenable.io, Rapid7) that query third-party databases as part of external exposure scanning
DevSecOps pipelines using crt.sh or SecurityTrails APIs for certificate transparency monitoring in CI/CD
IT asset management tools that periodically validate domain and certificate configurations via WHOIS or passive DNS APIs

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="stream:http" OR sourcetype="pan:traffic" OR sourcetype="cisco:asa")
| eval osint_hit=case(
    match(dest_host, "shodan\.io|censys\.io|dnsdumpster\.com|securitytrails\.com|spyse\.com|zoomeye\.org|fofa\.so|binaryedge\.io|onyphe\.io|hunter\.io|intelx\.io|passivedns\.circl\.lu|crt\.sh|certspotter\.com|urlscan\.io|viewdns\.info|hackertarget\.com|domaintools\.com|whoisxmlapi\.com|robtex\.com"), 1,
    true(), 0
)
| where osint_hit=1
| eval suspicious_process=case(
    match(process, "curl\.exe|wget\.exe|python\.exe|python3\.exe|py\.exe|powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe"), 1,
    match(CommandLine, "apikey|api_key|api-key|shodan|censys"), 1,
    true(), 0
)
| stats
    count as request_count,
    dc(dest_host) as unique_osint_domains,
    values(dest_host) as queried_domains,
    values(process) as processes_used,
    values(CommandLine) as command_lines,
    min(_time) as first_seen,
    max(_time) as last_seen
    by src_ip, user, host
| where request_count >= 5 OR unique_osint_domains >= 2
| eval risk_score=case(
    unique_osint_domains >= 5, 90,
    unique_osint_domains >= 3, 70,
    request_count >= 20, 60,
    true(), 40
)
| eval alert="Possible open technical database reconnaissance from corporate endpoint"
| table first_seen, last_seen, host, user, src_ip, request_count, unique_osint_domains, queried_domains, processes_used, risk_score, alert
| sort - risk_score

medium severity low confidence

Data Sources

Web Proxy Firewall Logs Sysmon

Required Sourcetypes

stream:http pan:traffic XmlWinEventLog:Microsoft-Windows-Sysmon/Operational cisco:asa

False Positives

Security operations teams running daily exposure monitoring scripts against Shodan or Censys APIs on behalf of the organization
Threat intelligence platforms making automated API calls to OSINT services as part of enrichment pipelines
Penetration testers or red team members querying open databases during authorized engagements
Certificate management tools (e.g., cert-manager, Certbot automation) querying crt.sh for certificate transparency monitoring
IT helpdesk or network teams performing WHOIS or DNS lookups via domaintools or hackertarget during troubleshooting

Elastic Security (EQL)

eql

// T1596 — Search Open Technical Databases
process where process.name : ("curl", "curl.exe", "python3", "python.exe")
  and process.command_line : (
    "*shodan*", "*censys*", "*fofa*", "*zoomeye*",
    "*dnsdumpster*", "*securitytrails*", "*spyse*"
  )

medium severity low confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

Security analysts and threat intelligence teams performing legitimate asset discovery or exposure monitoring using these same OSINT tools
Red team or penetration testing engagements querying Shodan/Censys to validate external attack surface
Automated vulnerability management platforms (e.g., Tenable.io, Rapid7) that query third-party databases as part of external exposure scanning
DevSecOps pipelines using crt.sh or SecurityTrails APIs for certificate transparency monitoring in CI/CD

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("requesturl") ILIKE '%shodan.io%' OR LOWER("requesturl") ILIKE '%censys.io%' OR LOWER("requesturl") ILIKE '%fofa.info%' OR LOWER("requesturl") ILIKE '%dnsdumpster%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("requesturl") ILIKE '%shodan.io%' OR LOWER("requesturl") ILIKE '%censys.io%' OR LOWER("requesturl") ILIKE '%fofa.info%' OR LOWER("requesturl") ILIKE '%dnsdumpster%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Security analysts and threat intelligence teams performing legitimate asset discovery or exposure monitoring using these same OSINT tools
Red team or penetration testing engagements querying Shodan/Censys to validate external attack surface
Automated vulnerability management platforms (e.g., Tenable.io, Rapid7) that query third-party databases as part of external exposure scanning
DevSecOps pipelines using crt.sh or SecurityTrails APIs for certificate transparency monitoring in CI/CD

Sumo Logic CSE

sql

_sourceCategory=*firewall* OR _sourceCategory=*network*
| json auto
| where !(src_ip matches "10.*") and !(src_ip matches "192.168.*")
| count by src_ip, dest_ip, dest_port
| sort by _count desc

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

network/firewall security/network

False Positives

Security analysts and threat intelligence teams performing legitimate asset discovery or exposure monitoring using these same OSINT tools
Red team or penetration testing engagements querying Shodan/Censys to validate external attack surface
Automated vulnerability management platforms (e.g., Tenable.io, Rapid7) that query third-party databases as part of external exposure scanning
DevSecOps pipelines using crt.sh or SecurityTrails APIs for certificate transparency monitoring in CI/CD

Google Chronicle / SecOps

yaral

rule t1596_search_open_technical_database {
  meta:
    author = "df00tech"
    description = "Detects Search Open Technical Databases (T1596)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1596"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_CONNECTION NETWORK_FLOW

False Positives

Security analysts and threat intelligence teams performing legitimate asset discovery or exposure monitoring using these same OSINT tools
Red team or penetration testing engagements querying Shodan/Censys to validate external attack surface
Automated vulnerability management platforms (e.g., Tenable.io, Rapid7) that query third-party databases as part of external exposure scanning
DevSecOps pipelines using crt.sh or SecurityTrails APIs for certificate transparency monitoring in CI/CD

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["NetworkConnectIP4", "NetworkConnectIP6"]
| not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| groupBy([RemoteAddressIP4], function=count(as=TotalConns))
| TotalConns > 100
| TechniqueLabel := "T1596 - Reconnaissance"
| table([@timestamp, RemoteAddressIP4, TotalConns, TechniqueLabel])

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

Security analysts and threat intelligence teams performing legitimate asset discovery or exposure monitoring using these same OSINT tools
Red team or penetration testing engagements querying Shodan/Censys to validate external attack surface
Automated vulnerability management platforms (e.g., Tenable.io, Rapid7) that query third-party databases as part of external exposure scanning
DevSecOps pipelines using crt.sh or SecurityTrails APIs for certificate transparency monitoring in CI/CD

Search Open Technical Databases

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (5)

Same Tactic: Reconnaissance

Popular Detections