Detect Search Threat Vendor Data in CrowdStrike LogScale
Detects adversary reconnaissance activity where threat actors query threat intelligence vendor services — such as VirusTotal, Shodan, Recorded Future, AlienVault OTX, or GreyNoise — to monitor whether their own infrastructure, malware samples, or campaign indicators have been detected and published. Since this technique primarily occurs outside the victim network, detections are indirect and focus on observable side effects: suspicious outbound connections to threat intel APIs from hosts with no legitimate business reason, correlation of known malicious IP indicators making threat intel queries visible through egress proxy logs, and rapid indicator rotation patterns following public threat intel disclosures. Adversaries have been documented replacing flagged indicators within days of publication, making behavioral correlation between threat intel release timestamps and infrastructure changes a secondary hunting signal.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1681 Search Threat Vendor Data
- Canonical reference
- https://attack.mitre.org/techniques/T1681/
LogScale Detection Query
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
| CommandLine = /(?i)(-enc|-bypass|invoke-expression)/
| case {
CommandLine = /(?i)-enc/ | DetectionType := "EncodedCommand" ;
CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
* | DetectionType := "SuspiciousExecution"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, ProcessId])
| sort(@timestamp, order=desc, limit=100)CrowdStrike LogScale CQL detection for Search Threat Vendor Data (T1681). Queries Falcon telemetry for search threat vendor data behavioral indicators aligned with MITRE ATT&CK T1681.
Data Sources
Required Tables
False Positives & Tuning
- Security Operations Center analysts performing daily threat hunting or indicator enrichment via threat intel APIs
- Automated SOAR playbooks or SIEM enrichment workflows querying VirusTotal or similar platforms to enrich alerts
- Vulnerability management or penetration testing tools performing infrastructure fingerprinting via Shodan
Other platforms for T1681
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1VirusTotal API Indicator Self-Lookup via PowerShell
Expected signal: Sysmon Event ID 3 (Network Connection) showing powershell.exe connecting to www.virustotal.com:443. Proxy logs (CommonSecurityLog / squid) showing HTTPS CONNECT to www.virustotal.com with User-Agent indicating PowerShell Invoke-RestMethod. DNS query (Sysmon Event ID 22) for www.virustotal.com.
- Test 2Shodan Infrastructure Reconnaissance via Python Script
Expected signal: Linux auditd SYSCALL records for execve of python3 with the Shodan API script content. Network connection logs (firewall/proxy) showing outbound HTTPS to api.shodan.io:443 from the test host. DNS query log entry for api.shodan.io.
- Test 3Automated Multi-Vendor Threat Intel Sweep Simulating Adversary Self-Monitoring
Expected signal: Network/proxy logs showing sequential outbound HTTPS connections to urlscan.io, threatfox-api.abuse.ch (abuse.ch), and api.greynoise.io within a 30-second window from the same source IP. Auditd SYSCALL records for execve of curl (or bash executing the script). DNS queries for all three domains in rapid succession.
Unlock Pro Content
Get the full detection package for T1681 including response playbook, investigation guide, and atomic red team tests.