Search Closed Sources
This detection identifies potential adversary reconnaissance activity involving closed or paid data sources, including commercial threat intelligence vendors, dark web markets, and business intelligence databases. Since T1597 activity primarily occurs outside victim networks, direct detection is limited to second-order indicators: corporate endpoints accessing known data broker or OSINT aggregator platforms (potential insider threat or attacker using compromised access), network egress to dark web proxy services, and external threat intelligence alerting on organizational data appearing in closed criminal marketplaces. Detection confidence is low due to the pre-network nature of this technique, but behavioral patterns such as bulk querying of business intelligence APIs (RocketReach, ZoomInfo, CrunchBase) from non-business-role accounts, or Tor/I2P connectivity from corporate assets, can indicate reconnaissance or insider data harvesting activity.
```kql
let DataBrokerDomains = dynamic([
    "rocketreach.co", "zoominfo.com", "crunchbase.com", "hoovers.com",
    "dun.com", "dnb.com", "spokeo.com", "intelius.com", "pipl.com",
    "beenverified.com", "whitepages.com", "clearbit.com", "hunter.io",
    "fullcontact.com", "datanyze.com", "apollo.io", "lusha.com",
    "seamless.ai", "slintel.com", "demandbase.com"
]);
let TorRelayIndicators = dynamic([
    "torproject.org", "tor2web.org", "onion.to", "onion.link",
    "darkfail.net", "dark.fail"
]);
let ObservedWindow = 24h;
// Interactive logons in the window, collapsed to one row per device so the
// join below cannot fan out (and inflate QueryCount) on multi-user hosts.
let InteractiveLogons = DeviceLogonEvents
    | where Timestamp > ago(ObservedWindow)
    | where LogonType in ("Interactive", "RemoteInteractive")
    | summarize LastLogon=max(Timestamp), LogonCount=count(),
                InteractiveAccounts=make_set(AccountName, 10) by DeviceName;
DeviceNetworkEvents
| where Timestamp > ago(ObservedWindow)
| where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted", "HttpConnectionInspected")
| where RemoteUrl has_any (DataBrokerDomains) or RemoteUrl has_any (TorRelayIndicators)
| extend DomainCategory = case(
    RemoteUrl has_any (TorRelayIndicators), "TorOrDarkWebProxy",
    RemoteUrl has_any (DataBrokerDomains), "CommercialDataBroker",
    "Unknown"
)
| join kind=leftouter InteractiveLogons on DeviceName
| project
    Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, DomainCategory,
    LocalIPType, LocalPort, LastLogon, LogonCount, InteractiveAccounts
| summarize
    QueryCount=count(),
    FirstSeen=min(Timestamp),
    LastSeen=max(Timestamp),
    UniqueURLs=dcount(RemoteUrl),
    URLList=make_set(RemoteUrl, 20),
    ProcessList=make_set(InitiatingProcessFileName, 10),
    // Logon enrichment is constant per device, so take_any() carries it through
    LastInteractiveLogon=take_any(LastLogon),
    InteractiveAccounts=take_any(InteractiveAccounts)
    by DeviceName, InitiatingProcessAccountName, DomainCategory
| where QueryCount > 3 or DomainCategory == "TorOrDarkWebProxy"
| extend RiskScore = case(
    DomainCategory == "TorOrDarkWebProxy", 90,
    QueryCount > 50, 75,
    QueryCount > 20, 60,
    QueryCount > 5, 40,
    25
)
| sort by RiskScore desc
```
Data Sources
Required Tables
- DeviceNetworkEvents
- DeviceLogonEvents
False Positives
- Sales and marketing teams legitimately using ZoomInfo, Apollo.io, or CrunchBase for lead generation and prospecting
- HR and recruiting professionals using Clearbit, RocketReach, or Lusha to source candidates
- Security researchers or threat intelligence analysts accessing dark web proxy services as part of authorized threat hunting
- Automated CI/CD pipelines or marketing automation tools that enrich contact data via data broker APIs
- Executives or business development staff conducting due diligence research on acquisition targets via Dun & Bradstreet or Hoovers
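The following Python is an added offline model of the detection logic above, written for this page rather than taken from the query's author: it categorizes constructed DeviceNetworkEvents-style records against the same data broker and Tor indicator lists, aggregates by device, account and category, applies the same QueryCount thresholds and RiskScore values, enriches each finding with interactive logon data without letting that enrichment multiply the event count, and suppresses broker lookups from a hypothetical allowlist of expected business-role accounts (the false positives listed above). The sample events, the device and account names, and the `EXPECTED_BROKER_USERS` set are all constructed for the example.

```python
"""Offline model of the T1597 closed-source reconnaissance detection.
Sample telemetry is constructed; field names mirror the DeviceNetworkEvents
and DeviceLogonEvents columns the KQL query uses."""
from collections import defaultdict
from datetime import datetime, timedelta

DATA_BROKER_DOMAINS = {
    "rocketreach.co", "zoominfo.com", "crunchbase.com", "hoovers.com", "dun.com",
    "dnb.com", "spokeo.com", "intelius.com", "pipl.com", "beenverified.com",
    "whitepages.com", "clearbit.com", "hunter.io", "fullcontact.com", "datanyze.com",
    "apollo.io", "lusha.com", "seamless.ai", "slintel.com", "demandbase.com",
}
TOR_RELAY_INDICATORS = {"torproject.org", "tor2web.org", "onion.to", "onion.link",
                        "darkfail.net", "dark.fail"}
# Hypothetical allowlist of accounts whose broker lookups are expected (sales,
# recruiting, authorized TI analysts). It never suppresses the Tor category.
EXPECTED_BROKER_USERS = {"sales-ops"}
MIN_QUERIES = 3  # mirrors "QueryCount > 3" in the query


def categorize(remote_url):
    """Substring containment approximates the query's has_any term match."""
    url = remote_url.lower()
    if any(ind in url for ind in TOR_RELAY_INDICATORS):
        return "TorOrDarkWebProxy"
    if any(dom in url for dom in DATA_BROKER_DOMAINS):
        return "CommercialDataBroker"
    return None


def risk_score(category, query_count):
    """Same thresholds as the RiskScore case() expression."""
    if category == "TorOrDarkWebProxy":
        return 90
    if query_count > 50:
        return 75
    if query_count > 20:
        return 60
    if query_count > 5:
        return 40
    return 25


def logon_profile(logon_events, window_start):
    """One record per device, so enrichment cannot multiply network rows."""
    profile = {}
    for ev in logon_events:
        if ev["Timestamp"] < window_start or ev["LogonType"] not in ("Interactive", "RemoteInteractive"):
            continue
        rec = profile.setdefault(ev["DeviceName"], {"accounts": set(), "last_logon": ev["Timestamp"]})
        rec["accounts"].add(ev["AccountName"])
        rec["last_logon"] = max(rec["last_logon"], ev["Timestamp"])
    return profile


def detect(network_events, logon_events, now, window=timedelta(hours=24)):
    window_start = now - window
    logons = logon_profile(logon_events, window_start)
    groups = defaultdict(list)
    for ev in network_events:
        if ev["Timestamp"] < window_start:
            continue
        if ev["ActionType"] not in ("ConnectionSuccess", "InboundConnectionAccepted", "HttpConnectionInspected"):
            continue
        category = categorize(ev["RemoteUrl"])
        if category is None:
            continue
        groups[(ev["DeviceName"], ev["InitiatingProcessAccountName"], category)].append(ev)

    findings = []
    for (device, account, category), evs in groups.items():
        count = len(evs)
        if count <= MIN_QUERIES and category != "TorOrDarkWebProxy":
            continue
        if category == "CommercialDataBroker" and account in EXPECTED_BROKER_USERS:
            continue  # tuned-out false positive; raw telemetry is still retained
        prof = logons.get(device, {"accounts": set(), "last_logon": None})
        findings.append({
            "DeviceName": device, "InitiatingProcessAccountName": account,
            "DomainCategory": category, "QueryCount": count,
            "FirstSeen": min(e["Timestamp"] for e in evs),
            "LastSeen": max(e["Timestamp"] for e in evs),
            "URLList": sorted({e["RemoteUrl"] for e in evs}),
            "ProcessList": sorted({e["InitiatingProcessFileName"] for e in evs}),
            "InteractiveAccounts": sorted(prof["accounts"]),
            "LastInteractiveLogon": prof["last_logon"],
            "RiskScore": risk_score(category, count),
        })
    findings.sort(key=lambda f: f["RiskScore"], reverse=True)
    return findings


NOW = datetime(2024, 1, 15, 12, 0)  # constructed reference time


def _net(device, account, proc, url, hours_ago, action="ConnectionSuccess"):
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "DeviceName": device,
            "InitiatingProcessAccountName": account, "InitiatingProcessFileName": proc,
            "RemoteUrl": url, "ActionType": action}


# Constructed sample telemetry: bulk API lookups, one dark-web index visit, an
# allowlisted sales account, a below-threshold user, and stale events.
SAMPLE_NETWORK = (
    [_net("ws-01", "alice", "python.exe", f"https://rocketreach.co/api/v2/lookup?page={i}", 2) for i in range(7)]
    + [_net("ws-02", "bob", "firefox.exe", "https://dark.fail/", 1)]
    + [_net("ws-03", "sales-ops", "chrome.exe", "https://www.zoominfo.com/", 3)] * 6
    + [_net("ws-04", "carol", "chrome.exe", "https://www.crunchbase.com/", 4)] * 2
    + [_net("ws-05", "dave", "python.exe", "https://apollo.io/api", 30)] * 10  # outside window
    + [_net("ws-01", "alice", "chrome.exe", "https://example.com/", 2)]  # uncategorized
)
SAMPLE_LOGONS = [
    {"Timestamp": NOW - timedelta(hours=5), "DeviceName": "ws-01", "AccountName": "alice", "LogonType": "Interactive"},
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "ws-01", "AccountName": "admin", "LogonType": "RemoteInteractive"},
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "ws-02", "AccountName": "bob", "LogonType": "Interactive"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_NETWORK, SAMPLE_LOGONS, NOW):
        print(f["RiskScore"], f["DeviceName"], f["InitiatingProcessAccountName"],
              f["DomainCategory"], f["QueryCount"], f["InteractiveAccounts"])
```

On the sample data this yields two findings: the single dark.fail visit scores 90 regardless of volume, and the seven scripted RocketReach API calls score 40; the allowlisted sales account, the two-hit CrunchBase user and the events older than 24 hours are dropped. Note that ws-01 has two interactive accounts in the window, yet QueryCount for alice stays at 7 because logon data is folded per device rather than joined row-by-row.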
References (6)
- https://attack.mitre.org/techniques/T1597/
- https://attack.mitre.org/techniques/T1597/001/
- https://attack.mitre.org/techniques/T1597/002/
- https://attack.mitre.org/groups/G1011/
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker/
- https://www.zdnet.com/article/a-sellers-market-why-personal-data-sold-on-dark-web-is-cheaper-than-ever/