Search Closed Sources
This detection identifies potential adversary reconnaissance activity involving closed or paid data sources, including commercial threat intelligence vendors, dark web markets, and business intelligence databases. Since T1597 activity primarily occurs outside victim networks, direct detection is limited to second-order indicators: corporate endpoints accessing known data broker or OSINT aggregator platforms (potential insider threat or attacker using compromised access), network egress to dark web proxy services, and external threat intelligence alerting on organizational data appearing in closed criminal marketplaces. Detection confidence is low due to the pre-network nature of this technique, but behavioral patterns such as bulk querying of business intelligence APIs (RocketReach, ZoomInfo, CrunchBase) from non-business-role accounts, or Tor/I2P connectivity from corporate assets, can indicate reconnaissance or insider data harvesting activity.
What is T1597 Search Closed Sources?
Search Closed Sources (T1597) maps to the Reconnaissance tactic — the adversary is trying to gather information they can use to plan future operations in MITRE ATT&CK.
This page provides production-ready detection logic for Search Closed Sources, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint. The queries below are rated medium severity at low confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1597 Search Closed Sources
- Canonical reference: https://attack.mitre.org/techniques/T1597/
```kql
let DataBrokerDomains = dynamic([
    "rocketreach.co", "zoominfo.com", "crunchbase.com", "hoovers.com",
    "dun.com", "dnb.com", "spokeo.com", "intelius.com", "pipl.com",
    "beenverified.com", "whitepages.com", "clearbit.com", "hunter.io",
    "fullcontact.com", "datanyze.com", "apollo.io", "lusha.com",
    "seamless.ai", "slintel.com", "demandbase.com"
]);
let TorRelayIndicators = dynamic([
    "torproject.org", "tor2web.org", "onion.to", "onion.link",
    "darkfail.net", "dark.fail"
]);
let ObservedWindow = 24h;
DeviceNetworkEvents
| where Timestamp > ago(ObservedWindow)
| where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted", "HttpConnectionInspected")
| where RemoteUrl has_any (DataBrokerDomains) or RemoteUrl has_any (TorRelayIndicators)
| extend DomainCategory = case(
    RemoteUrl has_any (TorRelayIndicators), "TorOrDarkWebProxy",
    RemoteUrl has_any (DataBrokerDomains), "CommercialDataBroker",
    "Unknown"
)
// Enrich each connection with interactive logon context for the same device
// and account. Joining on DeviceName alone would duplicate every connection
// once per account that logged on to the device and inflate QueryCount.
| join kind=leftouter (
    DeviceLogonEvents
    | where Timestamp > ago(ObservedWindow)
    | where LogonType in ("Interactive", "RemoteInteractive")
    | summarize LastLogon=max(Timestamp), LogonCount=count()
        by DeviceName, InitiatingProcessAccountName=AccountName
) on DeviceName, InitiatingProcessAccountName
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    RemoteUrl,
    RemoteIP,
    RemotePort,
    DomainCategory,
    LocalIPType,
    LocalPort,
    LastLogon,
    LogonCount
| summarize
    QueryCount=count(),
    FirstSeen=min(Timestamp),
    LastSeen=max(Timestamp),
    UniqueURLs=dcount(RemoteUrl),
    URLList=make_set(RemoteUrl, 20),
    ProcessList=make_set(InitiatingProcessFileName, 10),
    LastInteractiveLogon=max(LastLogon),
    InteractiveLogons=max(LogonCount)
    by DeviceName, InitiatingProcessAccountName, DomainCategory
// Single hits to a broker are noise; a single Tor/dark web proxy hit is not.
| where QueryCount > 3 or DomainCategory == "TorOrDarkWebProxy"
| extend RiskScore = case(
    DomainCategory == "TorOrDarkWebProxy", 90,
    QueryCount > 50, 75,
    QueryCount > 20, 60,
    QueryCount > 5, 40,
    25
)
| sort by RiskScore desc
```

Detects corporate endpoints making network connections to known commercial data broker platforms (RocketReach, ZoomInfo, CrunchBase, Apollo.io, etc.) and Tor/dark web proxy services. High-volume querying of data broker APIs from non-standard processes, or any Tor proxy connectivity, may indicate insider threat activity or a compromised endpoint being used to conduct reconnaissance against the organization or third parties. Connection counts are aggregated per device, account and domain category to surface bulk querying patterns.
Data Sources
- Microsoft Defender for Endpoint
Required Tables
- DeviceNetworkEvents
- DeviceLogonEvents
False Positives
- Sales and marketing teams legitimately using ZoomInfo, Apollo.io, or CrunchBase for lead generation and prospecting
- HR and recruiting professionals using Clearbit, RocketReach, or Lusha to source candidates
- Security researchers or threat intelligence analysts accessing dark web proxy services as part of authorized threat hunting
- Automated CI/CD pipelines or marketing automation tools that enrich contact data via data broker APIs
- Executives or business development staff conducting due diligence research on acquisition targets via Dun & Bradstreet or Hoovers
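As an added example (not the page's or the vendor's own code), the aggregation and risk-scoring logic of the KQL query above re-implemented in Python over constructed DeviceNetworkEvents-style records, so the bulk-query threshold, the Tor single-hit rule and a suppression for the false positives listed above can be exercised offline. The role allowlist (ALLOWED_ROLE_ACCOUNTS), the host names and the account names are assumptions, not from the page.

```python
from collections import defaultdict

DATA_BROKER_DOMAINS = ("rocketreach.co", "zoominfo.com", "crunchbase.com",
                       "apollo.io", "lusha.com", "clearbit.com", "hunter.io")
TOR_INDICATORS = ("torproject.org", "tor2web.org", "onion.to", "dark.fail")
# Assumed (not in the page's query): accounts whose business role legitimately uses brokers.
ALLOWED_ROLE_ACCOUNTS = {"sales.rep": "Sales", "recruiter1": "HR"}
def categorize(url):
    """Mirror the KQL DomainCategory case(): Tor wins over broker, else None."""
    u = url.lower()
    if any(d in u for d in TOR_INDICATORS):
        return "TorOrDarkWebProxy"
    if any(d in u for d in DATA_BROKER_DOMAINS):
        return "CommercialDataBroker"
    return None
def risk_score(category, count):
    # Same tiers as the KQL RiskScore case()
    if category == "TorOrDarkWebProxy":
        return 90
    return 75 if count > 50 else 60 if count > 20 else 40 if count > 5 else 25
def detect(events):
    """events: DeviceNetworkEvents-like dicts. Returns alert rows like the KQL summarize."""
    groups = defaultdict(lambda: {"QueryCount": 0, "URLs": set(), "Procs": set()})
    for e in events:
        cat = categorize(e["RemoteUrl"])
        if cat is None:
            continue
        g = groups[(e["DeviceName"], e["InitiatingProcessAccountName"], cat)]
        g["QueryCount"] += 1
        g["URLs"].add(e["RemoteUrl"])
        g["Procs"].add(e["InitiatingProcessFileName"])
    alerts = []
    for (dev, acct, cat), g in groups.items():
        if g["QueryCount"] <= 3 and cat != "TorOrDarkWebProxy":
            continue  # below the bulk threshold; only Tor alerts on a single hit
        if cat == "CommercialDataBroker" and acct in ALLOWED_ROLE_ACCOUNTS:
            continue  # false-positive suppression for prospecting roles; Tor is never suppressed
        alerts.append({"DeviceName": dev, "Account": acct, "DomainCategory": cat,
                       "QueryCount": g["QueryCount"], "UniqueURLs": len(g["URLs"]),
                       "ProcessList": sorted(g["Procs"]), "RiskScore": risk_score(cat, g["QueryCount"])})
    return sorted(alerts, key=lambda a: -a["RiskScore"])
def ev(dev, acct, proc, url):  # constructed DeviceNetworkEvents-style record
    return {"DeviceName": dev, "InitiatingProcessAccountName": acct,
            "InitiatingProcessFileName": proc, "RemoteUrl": url}
# Constructed sample telemetry: a script bulk-querying hunter.io from a non-sales
# account, a sales rep browsing ZoomInfo (suppressed), and one Tor lookup.
SAMPLE_EVENTS = (
    [ev("WS01", "jdoe", "python.exe", f"https://api.hunter.io/v2/domain-search?page={i}") for i in range(25)]
    + [ev("WS02", "sales.rep", "msedge.exe", f"https://www.zoominfo.com/c/company-{i}") for i in range(10)]
    + [ev("WS03", "svc_build", "powershell.exe", "https://www.torproject.org/download/")]
)
```

Running `detect(SAMPLE_EVENTS)` yields two rows: the Tor lookup from WS03 at score 90 and the 25-query python.exe burst from WS01 at score 60, while the sales account's ZoomInfo browsing is suppressed.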
Sigma rule & cross-platform mapping
The detection logic for Search Closed Sources (T1597) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource:

```yaml
logsource:
  category: network_connection
  product: windows
```
Testing Methodology
Validate this detection against the 3 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Bulk Data Broker API Querying via Python Script
  Expected signal: Sysmon Event ID 22 (DNS Query) entries for api.hunter.io and hunter.io; DeviceNetworkEvents entries showing python.exe initiating connections to hunter.io; DeviceProcessEvents showing python3 execution with an inline script containing data broker domain references
- Test 2: Tor Browser DNS Resolution and Connection Attempt
  Expected signal: Sysmon Event ID 22 (DNS Query) for torproject.org subdomains; Sysmon Event ID 3 (Network Connection) to torproject.org on port 9030; DeviceNetworkEvents showing powershell.exe connecting to torproject.org; Windows Security Event 4688 for powershell.exe process creation
- Test 3: Simulate EXOTIC LILY-Style Business Database Reconnaissance
  Expected signal: Linux audit logs (auditd) showing curl/dig/nslookup execution; syslog DNS resolution entries for all six data broker domains; stream:http events showing HEAD requests to rocketreach.co, crunchbase.com, zoominfo.com, apollo.io, lusha.com, clearbit.com