Detect Search Closed Sources in Microsoft Sentinel
This detection identifies potential adversary reconnaissance activity involving closed or paid data sources, including commercial threat intelligence vendors, dark web markets, and business intelligence databases. Since T1597 activity primarily occurs outside victim networks, direct detection is limited to second-order indicators: corporate endpoints accessing known data broker or OSINT aggregator platforms (potential insider threat or attacker using compromised access), network egress to dark web proxy services, and external threat intelligence alerting on organizational data appearing in closed criminal marketplaces. Detection confidence is low due to the pre-network nature of this technique, but behavioral patterns such as bulk querying of business intelligence APIs (RocketReach, ZoomInfo, CrunchBase) from non-business-role accounts, or Tor/I2P connectivity from corporate assets, can indicate reconnaissance or insider data harvesting activity.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1597 Search Closed Sources
- Canonical reference
- https://attack.mitre.org/techniques/T1597/
KQL Detection Query
let DataBrokerDomains = dynamic([
"rocketreach.co", "zoominfo.com", "crunchbase.com", "hoovers.com",
"dun.com", "dnb.com", "spokeo.com", "intelius.com", "pipl.com",
"beenverified.com", "whitepages.com", "clearbit.com", "hunter.io",
"fullcontact.com", "datanyze.com", "apollo.io", "lusha.com",
"seamless.ai", "slintel.com", "demandbase.com"
]);
let TorRelayIndicators = dynamic([
"torproject.org", "tor2web.org", "onion.to", "onion.link",
"darkfail.net", "dark.fail"
]);
let ObservedWindow = 24h;
DeviceNetworkEvents
| where Timestamp > ago(ObservedWindow)
| where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted", "HttpConnectionInspected")
| where RemoteUrl has_any (DataBrokerDomains) or RemoteUrl has_any (TorRelayIndicators)
| extend DomainCategory = case(
RemoteUrl has_any (TorRelayIndicators), "TorOrDarkWebProxy",
RemoteUrl has_any (DataBrokerDomains), "CommercialDataBroker",
"Unknown"
)
| join kind=leftouter (
DeviceLogonEvents
| where Timestamp > ago(ObservedWindow)
| where LogonType in ("Interactive", "RemoteInteractive")
| summarize LastLogon=max(Timestamp), LogonCount=count() by DeviceName, AccountName
) on DeviceName
| project
Timestamp,
DeviceName,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
RemoteUrl,
RemoteIP,
RemotePort,
DomainCategory,
LocalIPType,
LocalPort
| summarize
QueryCount=count(),
FirstSeen=min(Timestamp),
LastSeen=max(Timestamp),
UniqueURLs=dcount(RemoteUrl),
URLList=make_set(RemoteUrl, 20),
ProcessList=make_set(InitiatingProcessFileName, 10)
by DeviceName, InitiatingProcessAccountName, DomainCategory
| where QueryCount > 3 or DomainCategory == "TorOrDarkWebProxy"
| extend RiskScore = case(
DomainCategory == "TorOrDarkWebProxy", 90,
QueryCount > 50, 75,
QueryCount > 20, 60,
QueryCount > 5, 40,
25
)
| sort by RiskScore descDetects corporate endpoints making network connections to known commercial data broker platforms (RocketReach, ZoomInfo, CrunchBase, Apollo.io, etc.) and Tor/dark web proxy services. High-volume querying of data broker APIs from non-standard processes, or any Tor proxy connectivity, may indicate insider threat activity or a compromised endpoint being used to conduct reconnaissance against the organization or third parties. Aggregates connection counts per device/account to surface bulk querying patterns.
Data Sources
Required Tables
False Positives & Tuning
- Sales and marketing teams legitimately using ZoomInfo, Apollo.io, or CrunchBase for lead generation and prospecting
- HR and recruiting professionals using Clearbit, RocketReach, or Lusha to source candidates
- Security researchers or threat intelligence analysts accessing dark web proxy services as part of authorized threat hunting
- Automated CI/CD pipelines or marketing automation tools that enrich contact data via data broker APIs
- Executives or business development staff conducting due diligence research on acquisition targets via Dun & Bradstreet or Hoovers
Other platforms for T1597
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Bulk Data Broker API Querying via Python Script
Expected signal: Sysmon Event ID 22 (DNS Query) entries for api.hunter.io and hunter.io; DeviceNetworkEvents entries showing python.exe initiating connections to hunter.io; DeviceProcessEvents showing python3 execution with inline script containing data broker domain references
- Test 2Tor Browser DNS Resolution and Connection Attempt
Expected signal: Sysmon Event ID 22 (DNS Query) for torproject.org subdomains; Sysmon Event ID 3 (Network Connection) to torproject.org on port 9030; DeviceNetworkEvents showing powershell.exe connecting to torproject.org; Windows Security Event 4688 for powershell.exe process creation
- Test 3Simulate EXOTIC LILY-Style Business Database Reconnaissance
Expected signal: Linux audit logs (auditd) showing curl/dig/nslookup execution; syslog DNS resolution entries for all six data broker domains; stream:http events showing HEAD requests to rocketreach.co, crunchbase.com, zoominfo.com, apollo.io, lusha.com, clearbit.com
References (6)
- https://attack.mitre.org/techniques/T1597/
- https://attack.mitre.org/techniques/T1597/001/
- https://attack.mitre.org/techniques/T1597/002/
- https://attack.mitre.org/groups/G1011/
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker/
- https://www.zdnet.com/article/a-sellers-market-why-personal-data-sold-on-dark-web-is-cheaper-than-ever/
Unlock Pro Content
Get the full detection package for T1597 including response playbook, investigation guide, and atomic red team tests.