T1681 Splunk · SPL

Detect Search Threat Vendor Data in Splunk

Detects adversary reconnaissance activity where threat actors query threat intelligence vendor services — such as VirusTotal, Shodan, Recorded Future, AlienVault OTX, or GreyNoise — to monitor whether their own infrastructure, malware samples, or campaign indicators have been detected and published. Since this technique primarily occurs outside the victim network, detections are indirect and focus on observable side effects: suspicious outbound connections to threat intel APIs from hosts with no legitimate business reason, correlation of known malicious IP indicators making threat intel queries visible through egress proxy logs, and rapid indicator rotation patterns following public threat intel disclosures. Adversaries have been documented replacing flagged indicators within days of publication, making behavioral correlation between threat intel release timestamps and infrastructure changes a secondary hunting signal.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1681 Search Threat Vendor Data
Canonical reference
https://attack.mitre.org/techniques/T1681/

SPL Detection Query

Splunk (SPL)
(index=proxy OR index=firewall OR index=web)
    (sourcetype="bluecoat:proxysg:access:kv" OR sourcetype=squid OR sourcetype="cisco:wsa:squid" OR sourcetype="palo_alto_networks:firewall" OR sourcetype="cisco:asa")
| eval req_url = lower(coalesce(url, cs_uri_stem, dest_url, "-"))
| eval src = coalesce(src_ip, c_ip, src, "-")
| eval user = coalesce(cs_username, user, src_user, "unknown")
| eval action = coalesce(action, "allowed")
| where like(req_url, "%virustotal.com%")
    OR like(req_url, "%shodan.io%")
    OR like(req_url, "%api.recordedfuture.com%")
    OR like(req_url, "%otx.alienvault.com%")
    OR like(req_url, "%urlscan.io%")
    OR like(req_url, "%greynoise.io%")
    OR like(req_url, "%malwarebazaar.abuse.ch%")
    OR like(req_url, "%threatfox.abuse.ch%")
    OR like(req_url, "%bazaar.abuse.ch%")
    OR like(req_url, "%hybrid-analysis.com%")
    OR like(req_url, "%tria.ge%")
    OR like(req_url, "%pulsedive.com%")
| where NOT (user="svc-threathunting" OR user="svc-siem" OR user="soc-analyst" OR user="siem-collector")
| where NOT (action="blocked" OR action="denied")
| lookup threat_intel_ips ip AS src OUTPUT threat_score threat_category
| eval threat_score = coalesce(threat_score, 0)
| stats
    count AS query_count,
    dc(req_url) AS unique_urls,
    values(req_url) AS sampled_urls,
    values(user) AS users,
    min(_time) AS first_seen,
    max(_time) AS last_seen,
    max(threat_score) AS max_threat_score
    BY src
| eval risk_flag = case(
    max_threat_score > 70, "KnownMaliciousSource",
    query_count > 100, "HighVolumeNonSOC",
    unique_urls > 20, "BroadRecon",
    1=1, "Low"
)
| where risk_flag != "Low"
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table src, query_count, unique_urls, sampled_urls, users, first_seen, last_seen, max_threat_score, risk_flag
| sort -max_threat_score -query_count
Severity: medium · Confidence: low

Searches proxy and firewall logs for outbound connections to known threat intelligence vendor platforms and APIs from hosts that are not established SOC service accounts. Enriches results with a threat intel IP lookup to flag cases where known malicious source IPs are querying threat intel services — consistent with adversaries using compromised or attacker-controlled infrastructure to monitor their own detection status. High-volume, non-SOC queries are also flagged as potential automated reconnaissance.
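To make the rule's decisions checkable outside Splunk, here is an added example (not part of the original rule page) that re-implements the SPL logic above in Python and runs it over constructed proxy-log events: vendor-domain match, SOC service-account and blocked/denied exclusions, threat-intel enrichment, per-source aggregation and the same `risk_flag` thresholds. The `THREAT_INTEL_IPS` dictionary is an assumed stand-in for the `threat_intel_ips` lookup, and the event dictionaries use the SPL's normalised field names.

```python
"""Pure-Python replica of the T1681 SPL detection (added example, not the rule page's code)."""
from collections import defaultdict

# Vendor domains from the SPL `like()` clauses.
VENDOR_DOMAINS = (
    "virustotal.com", "shodan.io", "api.recordedfuture.com", "otx.alienvault.com",
    "urlscan.io", "greynoise.io", "malwarebazaar.abuse.ch", "threatfox.abuse.ch",
    "bazaar.abuse.ch", "hybrid-analysis.com", "tria.ge", "pulsedive.com",
)
# Accounts excluded by the rule's user filter.
SOC_ACCOUNTS = {"svc-threathunting", "svc-siem", "soc-analyst", "siem-collector"}
# Constructed stand-in for the Splunk lookup `threat_intel_ips` (assumption).
THREAT_INTEL_IPS = {"203.0.113.10": {"threat_score": 85, "threat_category": "c2"}}


def is_vendor_query(url):
    """Equivalent of the chained like(req_url, "%domain%") tests."""
    return any(d in (url or "-").lower() for d in VENDOR_DOMAINS)


def passes_filters(ev):
    """Apply the three `where` stages: vendor match, non-SOC user, not blocked."""
    user = ev.get("user") or "unknown"
    action = ev.get("action") or "allowed"  # missing action counts as allowed
    return (is_vendor_query(ev.get("url"))
            and user not in SOC_ACCOUNTS
            and action not in ("blocked", "denied"))


def risk_flag(agg):
    """Same ordered case() thresholds as the SPL."""
    if agg["max_threat_score"] > 70:
        return "KnownMaliciousSource"
    if agg["query_count"] > 100:
        return "HighVolumeNonSOC"
    if agg["unique_urls"] > 20:
        return "BroadRecon"
    return "Low"


def detect(events):
    """Return {src: aggregate} for every source whose risk_flag is not Low."""
    groups = defaultdict(lambda: {"query_count": 0, "urls": set(), "users": set(),
                                  "first_seen": None, "last_seen": None,
                                  "max_threat_score": 0})
    for ev in events:
        if not passes_filters(ev):
            continue
        src = ev.get("src") or "-"
        g = groups[src]
        g["query_count"] += 1
        g["urls"].add(ev["url"].lower())
        g["users"].add(ev.get("user") or "unknown")
        t = ev["_time"]
        g["first_seen"] = t if g["first_seen"] is None else min(g["first_seen"], t)
        g["last_seen"] = t if g["last_seen"] is None else max(g["last_seen"], t)
        score = THREAT_INTEL_IPS.get(src, {}).get("threat_score", 0)
        g["max_threat_score"] = max(g["max_threat_score"], score)

    results = {}
    for src, g in groups.items():
        agg = {"src": src, "query_count": g["query_count"],
               "unique_urls": len(g["urls"]), "sampled_urls": sorted(g["urls"]),
               "users": sorted(g["users"]), "first_seen": g["first_seen"],
               "last_seen": g["last_seen"], "max_threat_score": g["max_threat_score"]}
        agg["risk_flag"] = risk_flag(agg)
        if agg["risk_flag"] != "Low":
            results[src] = agg
    return results


def sample_events():
    """Constructed proxy events covering each branch of the rule."""
    ev = [
        # known-malicious source (in the lookup) doing a self-lookup
        {"_time": 1000, "src": "203.0.113.10", "user": "jdoe",
         "url": "https://www.virustotal.com/api/v3/files/PLACEHOLDER_HASH", "action": "allowed"},
        # SOC service account: excluded
        {"_time": 1001, "src": "10.0.0.5", "user": "svc-siem",
         "url": "https://www.virustotal.com/api/v3/search", "action": "allowed"},
        # blocked at the proxy: excluded
        {"_time": 1002, "src": "10.0.0.8", "user": "alice",
         "url": "https://api.shodan.io/shodan/host/198.51.100.7", "action": "blocked"},
        # not a vendor domain
        {"_time": 1003, "src": "10.0.0.9", "user": "carol",
         "url": "https://example.com/", "action": "allowed"},
    ]
    # 101 allowed queries from one non-SOC host: HighVolumeNonSOC
    ev += [{"_time": 2000 + i, "src": "10.0.0.7", "user": "bob",
            "url": "https://urlscan.io/api/v1/result/%d/" % (i % 5)}  # no action field
           for i in range(101)]
    return ev


if __name__ == "__main__":
    for src, agg in detect(sample_events()).items():
        print(src, agg["risk_flag"], agg["query_count"], agg["unique_urls"])
```

Note the `action` handling: events with no `action` field are treated as allowed, which is what the SPL's `coalesce(action, "allowed")` provides; without it a `where NOT (action="blocked")` clause would silently drop events where the field is absent.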

Data Sources

  • Proxy logs (BlueCoat, Squid, Cisco WSA)
  • Firewall logs (Palo Alto, Cisco ASA)
  • Threat Intel IP lookup table

Required Sourcetypes

  • bluecoat:proxysg:access:kv
  • squid
  • cisco:wsa:squid
  • palo_alto_networks:firewall
  • cisco:asa

False Positives & Tuning

  • Automated SOAR enrichment pipelines using shared service accounts not on the exclusion list
  • Developer workstations where security researchers are manually investigating malware samples or campaign indicators
  • Threat intelligence platform integrations that aggregate data from multiple vendors through proxy-visible egress
  • Security tool vendor agents performing cloud reputation checks that route through corporate proxy
  • Red team or penetration testing engagements performing infrastructure OSINT through corporate egress
Testing Methodology

Validate this detection against the three Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: VirusTotal API Indicator Self-Lookup via PowerShell

    Expected signal: Sysmon Event ID 3 (Network Connection) showing powershell.exe connecting to www.virustotal.com:443. Proxy logs (CommonSecurityLog / squid) showing HTTPS CONNECT to www.virustotal.com with User-Agent indicating PowerShell Invoke-RestMethod. DNS query (Sysmon Event ID 22) for www.virustotal.com.

  2. Test 2: Shodan Infrastructure Reconnaissance via Python Script

    Expected signal: Linux auditd SYSCALL records for execve of python3 with the Shodan API script content. Network connection logs (firewall/proxy) showing outbound HTTPS to api.shodan.io:443 from the test host. DNS query log entry for api.shodan.io.

  3. Test 3: Automated Multi-Vendor Threat Intel Sweep Simulating Adversary Self-Monitoring

    Expected signal: Network/proxy logs showing sequential outbound HTTPS connections to urlscan.io, threatfox-api.abuse.ch (abuse.ch), and api.greynoise.io within a 30-second window from the same source IP. Auditd SYSCALL records for execve of curl (or bash executing the script). DNS queries for all three domains in rapid succession.
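The SPL rule above aggregates per source without any time window, so the burst behaviour Test 3 describes (three distinct vendors from one source inside 30 seconds) is not something it scores on its own. As an added example, not taken from the original page, the following Python check implements that windowed multi-vendor sweep over constructed connection records (`src`, `dest_host`, epoch `_time`), using the three vendor domains the test names; `window_s` and `min_vendors` are assumed parameters that match the test's 30-second, three-vendor expectation.

```python
"""Windowed multi-vendor sweep check matching Test 3 (added example, not the page's code)."""
from collections import defaultdict

# Vendor domains named in Test 3; subdomains such as api.greynoise.io match.
SWEEP_VENDORS = ("urlscan.io", "abuse.ch", "greynoise.io")


def vendor_of(host):
    """Map a destination host to its vendor domain, or None if not a vendor."""
    host = host.lower()
    for v in SWEEP_VENDORS:
        if host == v or host.endswith("." + v):
            return v
    return None


def find_sweeps(events, window_s=30, min_vendors=3):
    """Return {src: {"start": t, "vendors": [...]}} for each source that reached
    at least `min_vendors` distinct vendors within any `window_s`-second span."""
    by_src = defaultdict(list)
    for ev in events:
        v = vendor_of(ev["dest_host"])
        if v:
            by_src[ev["src"]].append((ev["_time"], v))

    hits = {}
    for src, rows in by_src.items():
        rows.sort()  # sliding window over time-ordered vendor contacts
        for i, (t0, _) in enumerate(rows):
            vendors = {v for t, v in rows[i:] if t - t0 <= window_s}
            if len(vendors) >= min_vendors:
                hits[src] = {"start": t0, "vendors": sorted(vendors)}
                break
    return hits


def sample_connections():
    """Constructed proxy/firewall connection records."""
    return [
        # 10.0.0.20: three vendors in 25 seconds -> sweep
        {"_time": 1000, "src": "10.0.0.20", "dest_host": "urlscan.io"},
        {"_time": 1012, "src": "10.0.0.20", "dest_host": "threatfox-api.abuse.ch"},
        {"_time": 1025, "src": "10.0.0.20", "dest_host": "api.greynoise.io"},
        # 10.0.0.21: same three vendors spread over 200 seconds -> no sweep
        {"_time": 2000, "src": "10.0.0.21", "dest_host": "urlscan.io"},
        {"_time": 2100, "src": "10.0.0.21", "dest_host": "api.greynoise.io"},
        {"_time": 2200, "src": "10.0.0.21", "dest_host": "threatfox-api.abuse.ch"},
        # 10.0.0.22: only one vendor, many times -> no sweep
        {"_time": 3000, "src": "10.0.0.22", "dest_host": "urlscan.io"},
        {"_time": 3005, "src": "10.0.0.22", "dest_host": "urlscan.io"},
        {"_time": 3010, "src": "10.0.0.22", "dest_host": "example.com"},
    ]


if __name__ == "__main__":
    for src, hit in find_sweeps(sample_connections()).items():
        print(src, hit["start"], ", ".join(hit["vendors"]))
```

The distinct-vendor count rather than the raw connection count is what separates a sweep from a single noisy client, which is why the third source, hitting one vendor repeatedly, is not reported.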
