Detect Search Closed Sources in Splunk
This detection identifies potential adversary reconnaissance activity involving closed or paid data sources, including commercial threat intelligence vendors, dark web markets, and business intelligence databases. Since T1597 activity primarily occurs outside victim networks, direct detection is limited to second-order indicators: corporate endpoints accessing known data broker or OSINT aggregator platforms (potential insider threat or attacker using compromised access), network egress to dark web proxy services, and external threat intelligence alerting on organizational data appearing in closed criminal marketplaces. Detection confidence is low due to the pre-network nature of this technique, but behavioral patterns such as bulk querying of business intelligence APIs (RocketReach, ZoomInfo, CrunchBase) from non-business-role accounts, or Tor/I2P connectivity from corporate assets, can indicate reconnaissance or insider data harvesting activity.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1597 Search Closed Sources
- Canonical reference: https://attack.mitre.org/techniques/T1597/
SPL Detection Query
index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22)
OR (sourcetype="stream:dns")
| eval domain=coalesce(QueryName, query)
| where isnotnull(domain)
| eval DomainCategory=case(
match(domain, "(?i)(torproject\.org|tor2web\.org|onion\.to|onion\.link|darkfail\.net|dark\.fail)"), "TorOrDarkWebProxy",
match(domain, "(?i)(rocketreach\.co|zoominfo\.com|crunchbase\.com|hoovers\.com|dnb\.com|spokeo\.com|intelius\.com|pipl\.com|beenverified\.com|clearbit\.com|hunter\.io|fullcontact\.com|datanyze\.com|apollo\.io|lusha\.com|seamless\.ai|demandbase\.com)"), "CommercialDataBroker",
null()
)
| where isnotnull(DomainCategory)
| eval host=coalesce(Computer, host)
| eval user=coalesce(User, user)
| stats
count AS QueryCount,
min(_time) AS FirstSeen,
max(_time) AS LastSeen,
dc(domain) AS UniqueDomains,
values(domain) AS DomainList
by host, user, DomainCategory
| where QueryCount > 3 OR DomainCategory="TorOrDarkWebProxy"
| eval RiskScore=case(
DomainCategory="TorOrDarkWebProxy", 90,
QueryCount > 50, 75,
QueryCount > 20, 60,
QueryCount > 5, 40,
true(), 25
)
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"),
LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table host, user, DomainCategory, QueryCount, UniqueDomains, DomainList, FirstSeen, LastSeen, RiskScore
| sort - RiskScore

Detects DNS queries (via Sysmon Event ID 22 or stream:dns) to known commercial data broker domains and Tor/dark web proxy services. Aggregates query volume per host and user to surface bulk OSINT reconnaissance patterns. Any Tor proxy DNS resolution from a corporate endpoint is flagged at high risk regardless of frequency.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Sales operations teams with CRM integrations that auto-enrich leads via ZoomInfo or Apollo.io, generating high DNS query volumes
- Security operations teams running authorized dark web monitoring or threat intelligence tooling that queries onion proxies
- Marketing automation platforms (HubSpot, Marketo) that call data enrichment APIs in the background during contact sync operations
- IT asset management tools that perform reverse lookups against network intelligence services
- Developer workstations running open source intelligence (OSINT) tools like theHarvester, Maltego, or Recon-ng for authorized security assessments
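To check the query's categorisation, thresholds and risk scoring offline before deploying it, and to see where an allowlist for the expected sources of noise listed above would sit, here is an added Python re-implementation of the SPL logic. It is not part of this detection package; the sample events, host names (WS-101, crm-sync01) and the EXPECTED_BROKER_HOSTS allowlist are constructed for illustration, and timestamps are rendered in UTC rather than the search head's timezone.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Regexes copied from the two case() branches of the SPL query.
TOR_RE = re.compile(
    r"(?i)(torproject\.org|tor2web\.org|onion\.to|onion\.link|darkfail\.net|dark\.fail)")
BROKER_RE = re.compile(
    r"(?i)(rocketreach\.co|zoominfo\.com|crunchbase\.com|hoovers\.com|dnb\.com|spokeo\.com|"
    r"intelius\.com|pipl\.com|beenverified\.com|clearbit\.com|hunter\.io|fullcontact\.com|"
    r"datanyze\.com|apollo\.io|lusha\.com|seamless\.ai|demandbase\.com)")

# Tuning hook (constructed placeholder): hosts whose broker lookups are expected,
# e.g. a CRM enrichment server. Tor/dark-web hits are never suppressed by this list.
EXPECTED_BROKER_HOSTS = {"crm-sync01"}


def categorize(domain):
    """Mirror of the DomainCategory case(): Tor branch first, then brokers, else None."""
    if TOR_RE.search(domain):
        return "TorOrDarkWebProxy"
    if BROKER_RE.search(domain):
        return "CommercialDataBroker"
    return None


def risk_score(category, query_count):
    """Mirror of the RiskScore case(); first matching branch wins."""
    if category == "TorOrDarkWebProxy":
        return 90
    if query_count > 50:
        return 75
    if query_count > 20:
        return 60
    if query_count > 5:
        return 40
    return 25


def _fmt(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def detect(events):
    """events: dicts carrying either Sysmon fields (QueryName, Computer, User)
    or stream:dns fields (query, host, user) plus _time as epoch seconds.
    Returns rows equivalent to the SPL table, sorted by RiskScore descending."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "domains": set()})
    for ev in events:
        domain = ev.get("QueryName") or ev.get("query")      # coalesce(QueryName, query)
        if not domain:
            continue
        cat = categorize(domain)
        if cat is None:                                      # where isnotnull(DomainCategory)
            continue
        host = ev.get("Computer") or ev.get("host")          # coalesce(Computer, host)
        user = ev.get("User") or ev.get("user")              # coalesce(User, user)
        g = groups[(host, user, cat)]                        # stats ... by host, user, DomainCategory
        g["count"] += 1
        t = ev["_time"]
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
        g["domains"].add(domain)

    rows = []
    for (host, user, cat), g in groups.items():
        if not (g["count"] > 3 or cat == "TorOrDarkWebProxy"):   # where QueryCount > 3 OR Tor
            continue
        if cat == "CommercialDataBroker" and host in EXPECTED_BROKER_HOSTS:  # tuning allowlist
            continue
        rows.append({
            "host": host, "user": user, "DomainCategory": cat,
            "QueryCount": g["count"], "UniqueDomains": len(g["domains"]),
            "DomainList": sorted(g["domains"]),
            "FirstSeen": _fmt(g["first"]), "LastSeen": _fmt(g["last"]),
            "RiskScore": risk_score(cat, g["count"]),
        })
    rows.sort(key=lambda r: r["RiskScore"], reverse=True)
    return rows


def build_sample_events():
    """Constructed telemetry: one analyst burst to a broker, one Tor lookup,
    expected CRM-server volume, a below-threshold host and benign noise."""
    base = 1_700_000_000
    ev = []
    for i in range(6):   # WS-101/alice: 6 broker lookups (Sysmon EID 22 shape)
        name = "api.hunter.io" if i % 2 else "hunter.io"
        ev.append({"_time": base + i * 60, "Computer": "WS-101", "User": "alice", "QueryName": name})
    ev.append({"_time": base + 5, "host": "WS-202", "user": "bob", "query": "www.torproject.org"})
    for i in range(30):  # crm-sync01: expected enrichment traffic, suppressed by allowlist
        ev.append({"_time": base + i, "host": "crm-sync01", "user": "svc_crm", "query": "zoominfo.com"})
    for i in range(2):   # WS-303/carol: two lookups, under the QueryCount > 3 floor
        ev.append({"_time": base + i, "host": "WS-303", "user": "carol", "query": "crunchbase.com"})
    ev.append({"_time": base, "Computer": "WS-101", "User": "alice", "QueryName": "example.com"})
    return ev


if __name__ == "__main__":
    for row in detect(build_sample_events()):
        print(row)
```

The allowlist is applied after aggregation so the suppressed host still appears in intermediate counts if you want to report on it; in Splunk the equivalent is a lookup-driven `where NOT (DomainCategory="CommercialDataBroker" AND host IN (...))` placed after the stats command.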
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Bulk Data Broker API Querying via Python Script
  Expected signal: Sysmon Event ID 22 (DNS Query) entries for api.hunter.io and hunter.io; DeviceNetworkEvents entries showing python.exe initiating connections to hunter.io; DeviceProcessEvents showing python3 execution with inline script containing data broker domain references
- Test 2: Tor Browser DNS Resolution and Connection Attempt
  Expected signal: Sysmon Event ID 22 (DNS Query) for torproject.org subdomains; Sysmon Event ID 3 (Network Connection) to torproject.org on port 9030; DeviceNetworkEvents showing powershell.exe connecting to torproject.org; Windows Security Event 4688 for powershell.exe process creation
- Test 3: Simulate EXOTIC LILY-Style Business Database Reconnaissance
  Expected signal: Linux audit logs (auditd) showing curl/dig/nslookup execution; syslog DNS resolution entries for all six data broker domains; stream:http events showing HEAD requests to rocketreach.co, crunchbase.com, zoominfo.com, apollo.io, lusha.com, clearbit.com
References (6)
- https://attack.mitre.org/techniques/T1597/
- https://attack.mitre.org/techniques/T1597/001/
- https://attack.mitre.org/techniques/T1597/002/
- https://attack.mitre.org/groups/G1011/
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker/
- https://www.zdnet.com/article/a-sellers-market-why-personal-data-sold-on-dark-web-is-cheaper-than-ever/