Detect Search Closed Sources in Elastic Security
This detection identifies potential adversary reconnaissance activity involving closed or paid data sources, including commercial threat intelligence vendors, dark web markets, and business intelligence databases. Since T1597 activity primarily occurs outside victim networks, direct detection is limited to second-order indicators: corporate endpoints accessing known data broker or OSINT aggregator platforms (potential insider threat or attacker using compromised access), network egress to dark web proxy services, and external threat intelligence alerting on organizational data appearing in closed criminal marketplaces. Detection confidence is low due to the pre-network nature of this technique, but behavioral patterns such as bulk querying of business intelligence APIs (RocketReach, ZoomInfo, CrunchBase) from non-business-role accounts, or Tor/I2P connectivity from corporate assets, can indicate reconnaissance or insider data harvesting activity.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1597 Search Closed Sources
- Canonical reference
- https://attack.mitre.org/techniques/T1597/
Elastic Detection Query
// T1597 — Search Closed Sources
any where event.dataset : "network_traffic.http"
and url.domain : (
"rocketreach.co", "zoominfo.com", "dnb.com",
"spokeo.com", "pipl.com", "clearbit.com", "hunter.io",
"crunchbase.com", "beenverified.com", "intelius.com"
)Elastic EQL detection for Search Closed Sources (T1597). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.
Data Sources
Required Tables
False Positives & Tuning
- Sales and marketing teams legitimately using ZoomInfo, Apollo.io, or CrunchBase for lead generation and prospecting
- HR and recruiting professionals using Clearbit, RocketReach, or Lusha to source candidates
- Security researchers or threat intelligence analysts accessing dark web proxy services as part of authorized threat hunting
- Automated CI/CD pipelines or marketing automation tools that enrich contact data via data broker APIs
Other platforms for T1597
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Bulk Data Broker API Querying via Python Script
Expected signal: Sysmon Event ID 22 (DNS Query) entries for api.hunter.io and hunter.io; DeviceNetworkEvents entries showing python.exe initiating connections to hunter.io; DeviceProcessEvents showing python3 execution with inline script containing data broker domain references
- Test 2Tor Browser DNS Resolution and Connection Attempt
Expected signal: Sysmon Event ID 22 (DNS Query) for torproject.org subdomains; Sysmon Event ID 3 (Network Connection) to torproject.org on port 9030; DeviceNetworkEvents showing powershell.exe connecting to torproject.org; Windows Security Event 4688 for powershell.exe process creation
- Test 3Simulate EXOTIC LILY-Style Business Database Reconnaissance
Expected signal: Linux audit logs (auditd) showing curl/dig/nslookup execution; syslog DNS resolution entries for all six data broker domains; stream:http events showing HEAD requests to rocketreach.co, crunchbase.com, zoominfo.com, apollo.io, lusha.com, clearbit.com
References (6)
- https://attack.mitre.org/techniques/T1597/
- https://attack.mitre.org/techniques/T1597/001/
- https://attack.mitre.org/techniques/T1597/002/
- https://attack.mitre.org/groups/G1011/
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker/
- https://www.zdnet.com/article/a-sellers-market-why-personal-data-sold-on-dark-web-is-cheaper-than-ever/
Unlock Pro Content
Get the full detection package for T1597 including response playbook, investigation guide, and atomic red team tests.