Detect Search Open Technical Databases in Splunk
This detection identifies potential adversary reconnaissance activity involving queries to open technical databases such as Shodan, Censys, Certificate Transparency logs, passive DNS repositories, WHOIS services, and CDN enumeration tools. Because T1596 is a PRE-ATT&CK technique executed outside the victim network, direct detection is not possible. Instead, this rule focuses on second-order indicators: internal endpoints or service accounts making scripted bulk queries to known OSINT aggregator domains, automated certificate transparency monitoring tools being abused, and unusual DNS resolution patterns targeting passive DNS APIs. Detection of these behaviors may indicate an insider threat, a compromised endpoint conducting pre-pivot reconnaissance, or red team activity. Confidence is set to low due to high false positive potential from legitimate security research and threat intelligence workflows.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1596 Search Open Technical Databases
- Canonical reference: https://attack.mitre.org/techniques/T1596/
SPL Detection Query
index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="stream:http" OR sourcetype="pan:traffic" OR sourcetype="cisco:asa")
| eval osint_hit=case(
match(dest_host, "shodan\.io|censys\.io|dnsdumpster\.com|securitytrails\.com|spyse\.com|zoomeye\.org|fofa\.so|binaryedge\.io|onyphe\.io|hunter\.io|intelx\.io|passivedns\.circl\.lu|crt\.sh|certspotter\.com|urlscan\.io|viewdns\.info|hackertarget\.com|domaintools\.com|whoisxmlapi\.com|robtex\.com"), 1,
true(), 0
)
| where osint_hit=1
| eval suspicious_process=case(
match(process, "curl\.exe|wget\.exe|python\.exe|python3\.exe|py\.exe|powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe"), 1,
match(CommandLine, "apikey|api_key|api-key|shodan|censys"), 1,
true(), 0
)
| stats
count as request_count,
sum(suspicious_process) as scripted_requests,
dc(dest_host) as unique_osint_domains,
values(dest_host) as queried_domains,
values(process) as processes_used,
values(CommandLine) as command_lines,
min(_time) as first_seen,
max(_time) as last_seen
by src_ip, user, host
| where request_count >= 5 OR unique_osint_domains >= 2
| eval risk_score=case(
unique_osint_domains >= 5, 90,
unique_osint_domains >= 3, 70,
request_count >= 20, 60,
true(), 40
)
| eval alert="Possible open technical database reconnaissance from corporate endpoint"
| table first_seen, last_seen, host, user, src_ip, request_count, scripted_requests, unique_osint_domains, queried_domains, processes_used, risk_score, alert
| sort - risk_score

Detects network connections or HTTP requests from corporate endpoints to known open technical database and OSINT aggregator services. Uses HTTP proxy, firewall, or Sysmon DNS/network logs to identify scripted enumeration of services like Shodan, Censys, crt.sh, SecurityTrails, and passive DNS providers. Aggregates by source IP and user to surface bulk automated queries; the scripted_requests column carries the suspicious_process flag through to the results so that analysts can see how many of the requests came from scripting tools or carried API-key strings.
False Positives & Tuning
- Security operations teams running daily exposure monitoring scripts against Shodan or Censys APIs on behalf of the organization
- Threat intelligence platforms making automated API calls to OSINT services as part of enrichment pipelines
- Penetration testers or red team members querying open databases during authorized engagements
- Certificate management tools (e.g., cert-manager, Certbot automation) querying crt.sh for certificate transparency monitoring
- IT helpdesk or network teams performing WHOIS or DNS lookups via domaintools or hackertarget during troubleshooting
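The aggregation, thresholding and risk-scoring logic of the SPL query above, together with the service-account allowlist that the false-positive list calls for, re-implemented in Python as an added example for offline testing. This is not part of the original detection package: the field names follow the SPL query, while the sample events, host names, account names (including the approved account svc_exposure_monitor) and timestamps are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs), normalised to the field names
# the SPL query uses. ISO-8601 timestamps sort lexically, so min()/max()
# yield first_seen/last_seen directly.
def _ev(ts, host, user, src_ip, dest_host, process, cmdline):
    return {"_time": ts, "host": host, "user": user, "src_ip": src_ip,
            "dest_host": dest_host, "process": process, "CommandLine": cmdline}

SAMPLE_EVENTS = [
    # Workstation scripting queries across several OSINT services (assumed)
    _ev("2024-05-01T09:00:00Z", "WS-0142", "jdoe", "10.1.5.23", "api.shodan.io", "python.exe", "python recon.py --shodan"),
    _ev("2024-05-01T09:00:04Z", "WS-0142", "jdoe", "10.1.5.23", "crt.sh", "python.exe", "python recon.py --shodan"),
    _ev("2024-05-01T09:00:09Z", "WS-0142", "jdoe", "10.1.5.23", "api.hackertarget.com", "python.exe", "python recon.py --shodan"),
    _ev("2024-05-01T09:00:12Z", "WS-0142", "jdoe", "10.1.5.23", "api.viewdns.info", "python.exe", "python recon.py --shodan"),
    _ev("2024-05-01T09:00:15Z", "WS-0142", "jdoe", "10.1.5.23", "api.shodan.io", "python.exe", "python recon.py --shodan"),
    _ev("2024-05-01T09:00:20Z", "WS-0142", "jdoe", "10.1.5.23", "crt.sh", "python.exe", "python recon.py --shodan"),
    # Single browser visit to crt.sh: below both thresholds, no alert
    _ev("2024-05-01T10:15:00Z", "WS-0077", "asmith", "10.1.5.40", "crt.sh", "chrome.exe", "chrome.exe --profile-directory=Default"),
    # Two distinct services via curl: meets the unique-domain threshold
    _ev("2024-05-01T11:00:00Z", "WS-0200", "bkim", "10.1.5.61", "search.censys.io", "curl.exe", "curl https://search.censys.io/"),
    _ev("2024-05-01T11:00:30Z", "WS-0200", "bkim", "10.1.5.61", "api.securitytrails.com", "curl.exe", "curl https://api.securitytrails.com/"),
    # Non-OSINT traffic that must be ignored by the domain filter
    _ev("2024-05-01T11:05:00Z", "WS-0200", "bkim", "10.1.5.61", "github.com", "git.exe", "git fetch"),
] + [
    # Assumed approved exposure-monitoring service account: 25 bulk queries
    _ev(f"2024-05-01T02:00:{i:02d}Z", "SRV-TI01", "svc_exposure_monitor", "10.1.9.5",
        "api.shodan.io", "python.exe", "python exposure_check.py --api_key ***")
    for i in range(25)
]

# Same patterns as the SPL match() calls, case-insensitive like Splunk's match()
OSINT_DOMAINS = re.compile(
    r"shodan\.io|censys\.io|dnsdumpster\.com|securitytrails\.com|spyse\.com|zoomeye\.org|"
    r"fofa\.so|binaryedge\.io|onyphe\.io|hunter\.io|intelx\.io|passivedns\.circl\.lu|crt\.sh|"
    r"certspotter\.com|urlscan\.io|viewdns\.info|hackertarget\.com|domaintools\.com|"
    r"whoisxmlapi\.com|robtex\.com", re.I)
SCRIPTED_PROCESSES = re.compile(
    r"curl\.exe|wget\.exe|python\.exe|python3\.exe|py\.exe|powershell\.exe|pwsh\.exe|"
    r"cmd\.exe|wscript\.exe|cscript\.exe", re.I)
API_KEY_HINTS = re.compile(r"apikey|api_key|api-key|shodan|censys", re.I)

# Tuning allowlist (assumed): accounts whose OSINT queries are sanctioned
APPROVED_ACCOUNTS = frozenset({"svc_exposure_monitor"})


def is_osint_hit(event):
    return OSINT_DOMAINS.search(event["dest_host"]) is not None


def is_suspicious_process(event):
    return bool(SCRIPTED_PROCESSES.search(event["process"])
                or API_KEY_HINTS.search(event["CommandLine"]))


def risk_score(unique_domains, request_count):
    # Mirrors the SPL case() ordering: breadth of services outranks volume
    if unique_domains >= 5:
        return 90
    if unique_domains >= 3:
        return 70
    if request_count >= 20:
        return 60
    return 40


def detect(events, min_requests=5, min_domains=2, approved_accounts=APPROVED_ACCOUNTS):
    """Group OSINT hits by (src_ip, user, host) and return scored alerts, highest risk first."""
    groups = defaultdict(list)
    for e in events:
        if is_osint_hit(e) and e["user"] not in approved_accounts:
            groups[(e["src_ip"], e["user"], e["host"])].append(e)
    alerts = []
    for (src_ip, user, host), evs in groups.items():
        request_count = len(evs)
        queried = sorted({e["dest_host"] for e in evs})
        if request_count < min_requests and len(queried) < min_domains:
            continue
        alerts.append({
            "first_seen": min(e["_time"] for e in evs),
            "last_seen": max(e["_time"] for e in evs),
            "host": host, "user": user, "src_ip": src_ip,
            "request_count": request_count,
            "scripted_requests": sum(is_suspicious_process(e) for e in evs),
            "unique_osint_domains": len(queried),
            "queried_domains": queried,
            "processes_used": sorted({e["process"] for e in evs}),
            "risk_score": risk_score(len(queried), request_count),
            "alert": "Possible open technical database reconnaissance from corporate endpoint",
        })
    return sorted(alerts, key=lambda a: a["risk_score"], reverse=True)


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["risk_score"], a["user"], a["host"], a["queried_domains"])
```

Running the script with the allowlist in place surfaces only the two workstation users; passing approved_accounts=set() to detect() shows the bulk service-account traffic scoring 60 on volume alone, which is exactly the kind of result the false-positive list says to suppress by account rather than by raising the request threshold for everyone.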
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Shodan CLI Reconnaissance of Organization IP Range
  Expected signal: Sysmon EventCode 3 (Network Connection) to api.shodan.io:443 from python process; Sysmon EventCode 22 (DNS Query) for api.shodan.io; DeviceNetworkEvents showing ConnectionSuccess to shodan.io from python.exe or python3.exe
- Test 2: Certificate Transparency Bulk Query via crt.sh API
  Expected signal: Sysmon EventCode 1 (Process Create) for powershell.exe with Invoke-RestMethod in CommandLine; Sysmon EventCode 3 (Network Connection) to crt.sh:443; Windows Security EventCode 4688 (Process Creation) if Sysmon not available; DeviceNetworkEvents showing connection to crt.sh from powershell.exe
- Test 3: Multi-Source OSINT Enumeration Script
  Expected signal: Sysmon EventCode 3 (Network Connection) entries for hackertarget.com and viewdns.info from bash/curl; Sysmon EventCode 22 (DNS Query) for api.hackertarget.com, api.viewdns.info; proxy logs showing sequential requests to multiple OSINT domains within a short time window
References (11)
- https://attack.mitre.org/techniques/T1596/
- https://attack.mitre.org/techniques/T1596/001/
- https://attack.mitre.org/techniques/T1596/002/
- https://attack.mitre.org/techniques/T1596/003/
- https://attack.mitre.org/techniques/T1596/004/
- https://attack.mitre.org/techniques/T1596/005/
- https://www.shodan.io/
- https://search.censys.io/
- https://crt.sh/
- https://securitytrails.com/
- https://dnsdumpster.com/