T1597.001 Google Chronicle · YARA-L

Detect Threat Intel Vendors in Google Chronicle

Adversaries may search private threat intelligence vendor data for information that can be used during targeting. Threat intelligence vendors offer paid feeds, APIs, and portals containing richer contextual data than publicly reported sources — including breach trends, victim industry attribution, successful TTPs, countermeasures, and named threat actor profiles. Adversaries may register accounts under false pretenses, use stolen credentials, or leverage legitimate existing subscriptions to query vendor platforms such as Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence, IBM X-Force Exchange, VirusTotal Intelligence, Shodan, and similar services. The gathered intelligence informs more targeted intrusion campaigns by revealing defensive gaps, preferred targets in a sector, and previously successful attack chains. Detection is extremely difficult because adversary activity occurs entirely on third-party platforms outside the victim organization's telemetry boundary. Victim-side detection relies on anomalous access patterns to SSO-connected TI platforms, API key misuse, and downstream behavioral indicators resulting from the intelligence gathered.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1597 Search Closed Sources
Sub-technique
T1597.001 Threat Intel Vendors
Canonical reference
https://attack.mitre.org/techniques/T1597/001/

YARA-L Detection Query

Google Chronicle (YARA-L)

rule t1597_001_threat_intel_vendors {
  meta:
    author = "df00tech"
    description = "Detects logins and resource access against threat intelligence vendor platforms (T1597.001)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1597.001"
    confidence = "low"
    severity = "medium"
  events:
    // Login or resource-access events from SSO-connected TI vendor platforms
    (
      $e.metadata.event_type = "USER_LOGIN" or
      $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    )
    $e.principal.user.userid != ""
    // Vendor list is a starting point; extend it to the platforms your organisation subscribes to
    $e.target.hostname = /virustotal\.com|shodan\.io|recordedfuture\.com|mandiant\.com|crowdstrike\.com|xforce\.ibmcloud\.com/ nocase
    $e.principal.user.userid = $user
  match:
    $user over 1h
  outcome:
    $event_count = count($e.metadata.id)
    $vendor_hosts = array_distinct($e.target.hostname)
  condition:
    $e
}

Google Chronicle YARA-L 2.0 detection rule for Threat Intel Vendors (T1597.001). It maps the behaviour to Unified Data Model (UDM) event fields (event type, user, target hostname) and uses Chronicle's match window and outcome variables to group a user's vendor-platform activity over one hour, so a single user touching several vendor hosts in a short period surfaces as one alert with the distinct hosts attached. Because the matched events are ordinary logins and resource access, confidence is low; the rule is meant as a hunting starting point rather than a high-fidelity alert.

Data Sources

  • Google Chronicle SIEM
  • Chronicle UDM

Required Tables

  • USER_LOGIN
  • USER_RESOURCE_ACCESS

False Positives & Tuning

  • Security analysts performing routine threat intelligence lookups against vendor APIs during incident investigations
  • SOAR/XSOAR playbooks and automated enrichment pipelines (e.g., Cortex, Splunk SOAR) making programmatic API calls to TI vendors using service account credentials
  • Threat intelligence platforms (TIPs) like MISP, OpenCTI, or ThreatConnect ingesting feeds via scheduled API jobs
  • Vulnerability management or red team tooling querying Shodan or VirusTotal for asset discovery

Testing Methodology

Validate this detection against the four Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see; executable commands and cleanup steps are available with Pro.

  1. Test 1: VirusTotal Public API Reconnaissance Query

    Expected signal: Proxy/web gateway logs: outbound HTTPS GET to api.virustotal.com with URI paths /api/v3/domains/ and /api/v3/ip_addresses/. User-Agent: curl/<version>. Sysmon Event ID 3 (Network Connection) if running on a monitored endpoint: DestinationHostName=api.virustotal.com, DestinationPort=443. DNS query (Sysmon Event ID 22) for api.virustotal.com.

  2. Test 2: Shodan API Infrastructure Scan Query

    Expected signal: Proxy logs: outbound HTTPS GET requests to api.shodan.io with paths /shodan/host/search and /api-info. URI query strings containing key= (API key parameter) and query= (search terms). User-Agent: curl. DNS resolution of api.shodan.io. Sysmon Event ID 3 (Network Connection): DestinationHostName=api.shodan.io, DestinationPort=443.

  3. Test 3: Python Script Bulk TI Vendor Query Simulation

    Expected signal: Sysmon Event ID 3 (Network Connection): multiple outbound connections to virustotal.com, greynoise.io, otx.alienvault.com and pulsedive.com on port 443 with Image ending in python3. DNS resolution events (Sysmon Event ID 22) for each TI vendor domain. Proxy logs: HTTPS GET requests with a python-requests User-Agent to multiple TI vendor APIs within a short time window; the burst of distinct vendor hosts from one user or source, not any single request, is the signal.

  4. Test 4: Recorded Future API Key Enumeration (Credential Exposure Test)

    Expected signal: Sysmon Event ID 3 (Network Connection): outbound connections from powershell.exe to api.recordedfuture.com and www.virustotal.com on port 443. Sysmon Event ID 22 (DNS Query): DNS lookups for api.recordedfuture.com and www.virustotal.com. Sysmon Event ID 1 (Process Create): PowerShell execution with Invoke-WebRequest in the command line. PowerShell ScriptBlock Log Event ID 4104: full script including API endpoint URLs. Proxy/firewall logs: HTTPS CONNECT to api.recordedfuture.com with the default Invoke-WebRequest User-Agent (contains WindowsPowerShell or PowerShell rather than a browser string).
