T1681

Search Threat Vendor Data

Tactic: Reconnaissance

Detects adversary reconnaissance in which threat actors query threat intelligence vendor services (VirusTotal, Shodan, Recorded Future, AlienVault OTX, GreyNoise and similar) to learn whether their own infrastructure, malware samples or campaign indicators have been detected and published. Because the lookups themselves happen outside the victim network, detection is indirect and relies on observable side effects: outbound connections to threat intel APIs from hosts and accounts with no legitimate business reason, egress proxy records of such queries coming from source IPs that already match known-malicious indicators, and rapid indicator rotation following public threat intel disclosures. Adversaries have been documented replacing flagged indicators within days of publication, so correlating threat intel release timestamps with observed infrastructure changes is a secondary hunting signal.

What is T1681 Search Threat Vendor Data?

Search Threat Vendor Data (T1681) maps to the Reconnaissance tactic — the adversary is trying to gather information they can use to plan future operations in MITRE ATT&CK.

This page provides production-ready detection logic for Search Threat Vendor Data, covering the data sources and telemetry it touches: Microsoft Sentinel, Network Proxy / Firewall (CEF format), Microsoft Defender Threat Intelligence. The queries below are rated medium severity at low confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1681 Search Threat Vendor Data
Canonical reference
https://attack.mitre.org/techniques/T1681/
Microsoft Sentinel / Defender
kusto
// Vendor hosts to watch. threatfox-api.abuse.ch is the ThreatFox API endpoint used in Test 3.
let ThreatIntelAPIs = dynamic([
    "virustotal.com", "api.virustotal.com",
    "api.shodan.io", "shodan.io",
    "api.recordedfuture.com", "app.recordedfuture.com",
    "api.greynoise.io", "viz.greynoise.io",
    "otx.alienvault.com",
    "urlscan.io",
    "malwarebazaar.abuse.ch", "bazaar.abuse.ch",
    "threatfox.abuse.ch", "threatfox-api.abuse.ch",
    "mb-api.abuse.ch",
    "pulsedive.com",
    "api.threatminer.org",
    "www.hybrid-analysis.com", "api.hybrid-analysis.com",
    "tria.ge", "api.tria.ge",
    "any.run"
]);
// Service and analyst accounts that query these platforms as part of normal SOC work.
let KnownSOCAccounts = dynamic(["svc-threathunting", "svc-siem", "soc-analyst", "siem-collector"]);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where isnotempty(RequestURL)
// Host part of the URL. In a verbatim @"..." string write \s, not \\s: \\s reaches the
// regex engine as a literal backslash plus the letter s and truncates hosts at the first s.
| extend AccessedDomain = tolower(extract(@"(?:https?://)?([^/:?#\s]+)", 1, RequestURL))
| where AccessedDomain has_any (ThreatIntelAPIs)
| where SourceUserName !in~ (KnownSOCAccounts)
| where DeviceAction !in ("block", "deny", "drop")
| summarize
    QueryCount = count(),
    UniqueURLs = dcount(RequestURL),
    SampledURLs = make_set(RequestURL, 10),
    UserAccounts = make_set(SourceUserName, 10),
    BytesOut = sum(SentBytes),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, AccessedDomain
// Active, unexpired IP indicators. ThreatIntelligenceIndicator has no IndicatorType
// column: the IP value lives in NetworkIP and the active flag is Active.
| join kind=leftouter (
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    | where Active == true
    | where ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | summarize ThreatScore = max(ConfidenceScore), ThreatTypes = make_set(ThreatType, 5) by NetworkIP
) on $left.SourceIP == $right.NetworkIP
// First matching branch wins: a TI hit outranks volume, volume outranks breadth.
| extend RiskFlag = case(
    isnotempty(ThreatScore) and ThreatScore > 70, "KnownMaliciousSource",
    QueryCount > 100 and array_length(UserAccounts) == 1, "HighVolumeNonSOC",
    UniqueURLs > 20, "BroadRecon",
    "Low"
)
| where RiskFlag != "Low"
| project FirstSeen, LastSeen, SourceIP, AccessedDomain, QueryCount, UniqueURLs, SampledURLs, UserAccounts, ThreatScore, ThreatTypes, RiskFlag
| sort by ThreatScore desc, QueryCount desc

Monitors proxy and firewall logs (CommonSecurityLog) for outbound connections from internal hosts to known threat intelligence vendor APIs and platforms. Correlates source IPs against the ThreatIntelligenceIndicator table to flag hosts with existing threat intelligence hits that are querying these services, a pattern consistent with adversaries checking whether their infrastructure has been detected and reported. Also flags high-volume non-SOC queries suggesting automated reconnaissance, and sources touching many distinct URLs. Two caveats: without TLS inspection a proxy records only the CONNECT host, so RequestURL carries no path, UniqueURLs stays close to 1 and the BroadRecon branch rarely fires; and ThreatIntelligenceIndicator is the legacy TI schema, so workspaces that have moved to the newer ThreatIntelIndicators table need the join rewritten against that table's columns.
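As an added example, not code from this page or its query packs, the following Python reproduces the KQL pipeline above on constructed proxy records so the exclusions, thresholds and TI join can be exercised offline: host extraction from RequestURL, the SOC-account and blocked-action filters, the per-(SourceIP, host) summarize, the indicator join and the case() precedence. The record dicts, timestamps, IPs and the ThreatIntelligenceIndicator stand-in are all constructed for the example; the apex-domain list collapses the per-host list in the query and matches subdomains by suffix rather than by KQL term matching. It also keeps a second regex whose character class is written with `\\s` instead of `\s` (an easy mistake in a verbatim string) to show that this form truncates hosts at the first letter s.

```python
import re
from datetime import datetime, timedelta

# Apex domains of the vendors in the KQL list; suffix matching covers api./app./www. hosts.
THREAT_INTEL_DOMAINS = {
    "virustotal.com", "shodan.io", "recordedfuture.com", "greynoise.io",
    "otx.alienvault.com", "urlscan.io", "abuse.ch", "pulsedive.com",
    "threatminer.org", "hybrid-analysis.com", "tria.ge", "any.run",
}
KNOWN_SOC_ACCOUNTS = {"svc-threathunting", "svc-siem", "soc-analyst", "siem-collector"}
BLOCKED_ACTIONS = {"block", "deny", "drop"}

# Correct host extraction: \s inside the class is a real whitespace escape.
HOST_RE = re.compile(r"(?:https?://)?([^/:?#\s]+)")
# Pitfall: in a raw/verbatim string "\\s" reaches the engine as a literal backslash
# plus the letter "s", so the class stops at the first "s" instead of at whitespace.
BUGGY_HOST_RE = re.compile(r"(?:https?://)?([^/:?#\\s]+)")

def extract_host(request_url, pattern=HOST_RE):
    m = pattern.match(request_url.strip())
    return m.group(1).lower() if m else ""

def is_threat_intel_host(host):
    # Exact or subdomain match (stricter than KQL has_any term matching).
    return any(host == d or host.endswith("." + d) for d in THREAT_INTEL_DOMAINS)

def summarize(records):
    """Filter + summarize stage of the rule, keyed by (SourceIP, AccessedDomain)."""
    groups = {}
    for r in records:
        host = extract_host(r["RequestURL"])
        if not is_threat_intel_host(host):
            continue
        if r["SourceUserName"].lower() in KNOWN_SOC_ACCOUNTS:
            continue
        if r["DeviceAction"].lower() in BLOCKED_ACTIONS:
            continue
        g = groups.setdefault((r["SourceIP"], host), {
            "QueryCount": 0, "URLs": set(), "Users": set(), "BytesOut": 0,
            "FirstSeen": r["TimeGenerated"], "LastSeen": r["TimeGenerated"]})
        g["QueryCount"] += 1
        g["URLs"].add(r["RequestURL"])
        g["Users"].add(r["SourceUserName"])
        g["BytesOut"] += r["SentBytes"]
        g["FirstSeen"] = min(g["FirstSeen"], r["TimeGenerated"])
        g["LastSeen"] = max(g["LastSeen"], r["TimeGenerated"])
    return groups

def risk_flag(g, threat_score):
    # Same precedence as the KQL case() expression: TI hit, then volume, then breadth.
    if threat_score is not None and threat_score > 70:
        return "KnownMaliciousSource"
    if g["QueryCount"] > 100 and len(g["Users"]) == 1:
        return "HighVolumeNonSOC"
    if len(g["URLs"]) > 20:
        return "BroadRecon"
    return "Low"

def run_detection(records, ti_indicators):
    """ti_indicators: {NetworkIP: max ConfidenceScore} for active IP indicators."""
    results = []
    for (src, host), g in summarize(records).items():
        score = ti_indicators.get(src)
        flag = risk_flag(g, score)
        if flag == "Low":
            continue
        results.append({"SourceIP": src, "AccessedDomain": host,
                        "QueryCount": g["QueryCount"], "UniqueURLs": len(g["URLs"]),
                        "ThreatScore": score, "RiskFlag": flag})
    results.sort(key=lambda x: (-(x["ThreatScore"] or 0), -x["QueryCount"]))
    return results

# Constructed sample telemetry mirroring the CommonSecurityLog columns used; not real logs.
T0 = datetime(2025, 1, 1, 9, 0, 0)

def _rec(ip, user, url, i, action="allow", sent=512):
    return {"TimeGenerated": T0 + timedelta(seconds=i), "SourceIP": ip,
            "SourceUserName": user, "RequestURL": url,
            "DeviceAction": action, "SentBytes": sent}

SAMPLE_LOGS = (
    # SOC enrichment account: excluded by the allowlist even at high volume.
    [_rec("10.0.0.5", "svc-siem", "https://www.virustotal.com/api/v3/files/%d" % i, i) for i in range(150)]
    # Workstation hammering Shodan with a handful of URLs: HighVolumeNonSOC.
    + [_rec("10.0.0.20", "jdoe", "https://api.shodan.io/shodan/host/198.51.100.%d" % (i % 5), i) for i in range(120)]
    # Build server touching 25 distinct urlscan.io results: BroadRecon.
    + [_rec("10.0.0.33", "build-agent", "https://urlscan.io/result/%d/" % i, i) for i in range(25)]
    # Host that is itself a TI indicator, making only three lookups.
    + [_rec("10.0.0.44", "", "https://www.virustotal.com/gui/ip-address/203.0.113.7", i) for i in range(3)]
    # Two quiet lookups with no other signal: stays Low and is dropped.
    + [_rec("10.0.0.50", "asmith", "https://api.greynoise.io/v3/community/203.0.113.7", i) for i in range(2)]
    # Blocked at the proxy: the DeviceAction filter removes it despite the TI hit.
    + [_rec("10.0.0.60", "jdoe", "https://api.shodan.io/shodan/host/198.51.100.9", i, action="block") for i in range(200)]
)

# Constructed stand-in for the ThreatIntelligenceIndicator join (NetworkIP -> ConfidenceScore).
SAMPLE_TI = {"10.0.0.44": 90, "10.0.0.60": 95}

if __name__ == "__main__":
    for row in run_detection(SAMPLE_LOGS, SAMPLE_TI):
        print(row)
```

Running the block prints three rows, in the order of the KQL sort: the TI-flagged host first, then the high-volume workstation, then the build server. Flip the workstation's 120 queries to two users and it drops out, which is the behaviour the array_length(UserAccounts) == 1 clause is meant to produce for shared jump hosts.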

medium severity low confidence

Data Sources

  • Microsoft Sentinel
  • Network Proxy / Firewall (CEF format)
  • Microsoft Defender Threat Intelligence

Required Tables

  • CommonSecurityLog
  • ThreatIntelligenceIndicator

False Positives

  • Security Operations Center analysts performing daily threat hunting or indicator enrichment via threat intel APIs
  • Automated SOAR playbooks or SIEM enrichment workflows querying VirusTotal or similar platforms to enrich alerts
  • Vulnerability management or penetration testing tools performing infrastructure fingerprinting via Shodan
  • Security researchers and threat intelligence teams conducting legitimate campaign analysis
  • Endpoint protection platforms that perform cloud-based file reputation lookups through proxy-visible connections

Sigma rule & cross-platform mapping

The detection logic for Search Threat Vendor Data (T1681) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Testing Methodology

Validate this detection with the 3 Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: VirusTotal API Indicator Self-Lookup via PowerShell

    Expected signal: Sysmon Event ID 3 (Network Connection) showing powershell.exe connecting to www.virustotal.com:443. Proxy logs (CommonSecurityLog / squid) showing an HTTPS CONNECT to www.virustotal.com; the PowerShell Invoke-RestMethod User-Agent is only visible if the proxy performs TLS inspection, otherwise only the CONNECT host and byte counts are logged. DNS query (Sysmon Event ID 22) for www.virustotal.com.

  2. Test 2: Shodan Infrastructure Reconnaissance via Python Script

    Expected signal: Linux auditd SYSCALL and EXECVE records for python3 with the Shodan script path in the arguments (auditd records argv, not the script body). Network connection logs (firewall/proxy) showing outbound HTTPS to api.shodan.io:443 from the test host. DNS query log entry for api.shodan.io.

  3. Test 3: Automated Multi-Vendor Threat Intel Sweep Simulating Adversary Self-Monitoring

    Expected signal: Network/proxy logs showing sequential outbound HTTPS connections to urlscan.io, threatfox-api.abuse.ch and api.greynoise.io within a 30-second window from the same source IP. Auditd SYSCALL records for execve of curl (or bash executing the script). DNS queries for all three domains in rapid succession. Make sure the watched-domain list includes threatfox-api.abuse.ch and not only threatfox.abuse.ch, or the ThreatFox leg of the sweep will not match.
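Test 3 describes a temporal pattern that the per-source, per-domain summarize above does not capture on its own: several distinct vendors contacted by one source inside a short window. As an added example (not part of the page or its test packs), the Python below implements that check as a sliding window over (timestamp, source, host) events, the shape of either DNS query logs or proxy CONNECT records. The suffix-to-vendor map, the 30-second window, the three-vendor threshold and the sample events are all constructed for the example; the thresholds are the ones the test text states, not values the page tunes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hostname suffix -> vendor label (assumed mapping; hosts are those named in the tests).
VENDOR_SUFFIXES = {
    "virustotal.com": "virustotal", "shodan.io": "shodan",
    "urlscan.io": "urlscan", "abuse.ch": "abusech",
    "greynoise.io": "greynoise", "otx.alienvault.com": "otx",
}

def vendor_for(host):
    host = host.lower().rstrip(".")
    for suffix, vendor in VENDOR_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None

def find_sweeps(events, window_seconds=30, min_vendors=3):
    """Flag sources that reach min_vendors distinct vendors within one window.

    events: iterable of (timestamp, source_ip, queried_host). Returns one dict per
    burst; the window is cleared once it fires so a long-running scanner is
    reported once per window rather than once per event.
    """
    per_source = defaultdict(list)
    for ts, src, host in sorted(events, key=lambda e: e[0]):
        vendor = vendor_for(host)
        if vendor:
            per_source[src].append((ts, vendor))

    hits = []
    for src, seq in per_source.items():
        window = deque()
        for ts, vendor in seq:
            window.append((ts, vendor))
            # Drop events older than the window relative to the newest event.
            while (ts - window[0][0]) > timedelta(seconds=window_seconds):
                window.popleft()
            vendors = {v for _, v in window}
            if len(vendors) >= min_vendors:
                hits.append({"SourceIP": src, "Start": window[0][0], "End": ts,
                             "Vendors": vendors, "Events": len(window)})
                window.clear()
    return hits

# Constructed sample events (timestamp, source, host); not real telemetry.
T0 = datetime(2025, 1, 1, 10, 0, 0)

def _at(seconds):
    return T0 + timedelta(seconds=seconds)

SAMPLE_EVENTS = [
    # Test 3 pattern: three vendors from one host inside 30 seconds.
    (_at(0), "10.0.0.71", "urlscan.io"),
    (_at(4), "10.0.0.71", "threatfox-api.abuse.ch"),
    (_at(11), "10.0.0.71", "api.greynoise.io"),
    # Same number of vendors spread over ten minutes: analyst-paced, no alert.
    (_at(0), "10.0.0.72", "www.virustotal.com"),
    (_at(300), "10.0.0.72", "api.shodan.io"),
    (_at(600), "10.0.0.72", "api.greynoise.io"),
    # Burst against a single vendor: an enrichment loop, not a sweep.
    (_at(0), "10.0.0.73", "www.virustotal.com"),
    (_at(1), "10.0.0.73", "www.virustotal.com"),
    (_at(2), "10.0.0.73", "virustotal.com"),
    # Unrelated traffic is ignored.
    (_at(5), "10.0.0.71", "updates.example.com"),
]

if __name__ == "__main__":
    for hit in find_sweeps(SAMPLE_EVENTS):
        print(hit)
```

Only 10.0.0.71 is reported with the defaults; widening the window to 900 seconds also catches the slow host, which is the knob to turn when the concern is a patient operator rather than a script. The single-vendor burst never fires regardless of the window, so SOAR enrichment loops that hit one platform repeatedly stay out of this signal and are left to the volume branch of the main query.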

Unlock Pro Content

Get the full detection package for T1681 including response playbook, investigation guide, and atomic red team tests.

