T1589.003

Employee Names

Adversaries may gather employee names that can be used during targeting. Employee names can be used to derive email addresses as well as to help guide other reconnaissance efforts and craft more-believable lures. Adversaries may easily gather employee names since they may be readily available and exposed via online or other accessible data sets such as social media, LinkedIn, corporate websites, and press releases. Real-world threat actors including Kimsuky, Sandworm Team, and Silent Librarian have been observed collecting victim employee name information to support subsequent phishing campaigns, credential attacks, and social engineering operations. Detection is inherently challenging because this activity primarily occurs outside the victim's environment on public platforms. Effective detection pivots to monitoring organization-owned web properties for automated scraping, tracking OSINT tool execution on monitored endpoints, and identifying downstream artifacts such as systematic user enumeration via authentication systems.

Microsoft Sentinel / Defender

kusto

// Employee Name Harvesting — Corporate Web Directory Scraping Detection
// Detects high-rate automated access to employee/team listing pages via WAF and proxy telemetry
// Also surfaces OSINT harvesting tool execution on monitored endpoints
let DirectoryPaths = dynamic([
    "/team", "/about", "/about-us", "/staff", "/employees", "/directory",
    "/people", "/our-team", "/leadership", "/management", "/company/team",
    "/meet-the-team", "/who-we-are", "/bios", "/partners", "/board"
]);
let HarvestingTools = dynamic([
    "theHarvester", "theharvester", "recon-ng", "CrossLinked", "crosslinked",
    "linkedin2username", "linkedin_username", "phonebook.cz", "hunter.io",
    "osintframework", "maltego", "SpiderFoot", "spiderfoot"
]);
// Branch 1: Automated scraping of corporate employee directory pages
let WebScraping =
    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    | where RequestURL has_any (DirectoryPaths)
    | where isnotempty(SourceIP)
    | summarize
        RequestCount = count(),
        UniquePages = dcount(RequestURL),
        UniqueUserAgents = dcount(RequestClientApplication),
        UserAgentSample = make_set(RequestClientApplication, 3),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
        by SourceIP, DestinationHostName
    | extend ElapsedSeconds = datetime_diff('second', LastSeen, FirstSeen)
    | extend RequestsPerMinute = iff(ElapsedSeconds > 0, toreal(RequestCount) / toreal(ElapsedSeconds) * 60.0, 0.0)
    | where RequestCount > 25 or RequestsPerMinute > 5.0
    | extend ScrapeRisk = case(
        UniqueUserAgents == 1 and RequestCount > 60, "HIGH — uniform UA, high volume",
        RequestsPerMinute > 15.0, "HIGH — rapid sequential requests",
        RequestCount > 40 and UniquePages > 8, "MEDIUM — breadth and volume",
        "LOW — review manually"
    )
    | where ScrapeRisk !startswith "LOW"
    | extend DetectionType = "Web_Directory_Scraping"
    | project TimeGenerated = FirstSeen, DetectionType, SourceIP, DestinationHostName,
              RequestCount, UniquePages, RequestsPerMinute, ScrapeRisk, UserAgentSample;
// Branch 2: OSINT harvesting tool execution on managed endpoints
let EndpointHarvesting =
    DeviceProcessEvents
    | where Timestamp > ago(1h)
    | where ProcessCommandLine has_any (HarvestingTools)
          or FileName has_any ("theHarvester", "crosslinked", "linkedin2username")
          or (FileName in~ ("python.exe", "python3", "python")
              and ProcessCommandLine has_any ("linkedin", "harvest", "employee", "osint") )
    | extend DetectionType = "Harvesting_Tool_Execution"
    | extend ScrapeRisk = "HIGH — known OSINT tool on managed endpoint"
    | project TimeGenerated = Timestamp, DetectionType, SourceIP = DeviceName,
              DestinationHostName = "", RequestCount = 1, UniquePages = 0,
              RequestsPerMinute = 0.0, ScrapeRisk,
              UserAgentSample = pack_array(ProcessCommandLine);
union WebScraping, EndpointHarvesting
| sort by TimeGenerated desc

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Application Log: Application Log Content Process: Process Creation Microsoft Defender for Endpoint WAF / Proxy / Next-Generation Firewall (CommonSecurityLog)

Required Tables

CommonSecurityLog DeviceProcessEvents

False Positives

Search engine crawlers (Googlebot, Bingbot, AhrefsBot, Semrush) legitimately indexing public team and leadership pages at high rates
SEO audit tools (Screaming Frog, Sitebulb, DeepCrawl) run by the marketing team performing scheduled site health checks
Authorized penetration testers or red team operators conducting OSINT reconnaissance during an engagement — always verify active SOW coverage
HR and recruiting platforms (LinkedIn Talent Hub, Greenhouse, Lever) that scan competitor or partner employee directories for sourcing
Business intelligence and lead generation services (ZoomInfo, Lusha, Apollo.io) operating on behalf of sales teams with company-approved subscriptions

Splunk

spl

| multisearch
  [ search index=proxy sourcetype=squid OR sourcetype="cisco:wsa:squid" OR sourcetype="bluecoat:proxysg:access:syslog" OR sourcetype="zscaler:proxy"
    (url="*/team*" OR url="*/about-us*" OR url="*/about*" OR url="*/staff*" OR url="*/employees*"
     OR url="*/directory*" OR url="*/people*" OR url="*/our-team*" OR url="*/leadership*"
     OR url="*/management*" OR url="*/bios*" OR url="*/meet-the-team*" OR url="*/board*")
    | eval branch="proxy_scraping"
    | eval src=src_ip
    | eval dest=site
    | eval details=url ]
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*theHarvester*" OR CommandLine="*recon-ng*" OR CommandLine="*CrossLinked*"
     OR CommandLine="*linkedin2username*" OR CommandLine="*phonebook.cz*" OR CommandLine="*spiderfoot*"
     OR Image="*theHarvester*" OR Image="*crosslinked*")
    | eval branch="endpoint_harvesting"
    | eval src=host
    | eval dest="local"
    | eval details=CommandLine ]
| eval EventTime=_time
| stats
    count as EventCount,
    dc(details) as UniqueTargets,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen,
    values(details) as DetailsSample,
    values(branch) as DetectionBranches
    by src, dest
| eval WindowSeconds=LastSeen-FirstSeen
| eval RequestsPerMin=if(WindowSeconds>0, EventCount/(WindowSeconds/60), EventCount)
| eval ScrapeRisk=case(
    match(DetectionBranches, "endpoint_harvesting"), "HIGH - known harvesting tool on managed endpoint",
    RequestsPerMin > 15, "HIGH - rapid automated scraping rate",
    EventCount > 60 AND UniqueTargets > 8, "MEDIUM - high volume directory enumeration",
    EventCount > 30, "MEDIUM - elevated directory page access",
    true(), "LOW"
  )
| where ScrapeRisk!="LOW"
| eval FirstSeenReadable=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
| eval LastSeenReadable=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table FirstSeenReadable, LastSeenReadable, src, dest, EventCount, UniqueTargets, RequestsPerMin, ScrapeRisk, DetectionBranches, DetailsSample
| sort - EventCount

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Process: Process Creation Web Proxy Logs (Squid, Cisco WSA, Blue Coat, Zscaler) Sysmon Event ID 1

Required Sourcetypes

squid cisco:wsa:squid bluecoat:proxysg:access:syslog zscaler:proxy XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Search engine crawlers (Googlebot, Bingbot, Semrush) legitimately indexing public corporate web pages at high rates
SEO and web audit tools operated by the organization's marketing team performing scheduled crawls
Authorized red team or penetration testers conducting OSINT reconnaissance — verify against active engagement schedule
HR sourcing platforms with approved integrations scanning competitor or partner company directories
Security researchers performing sanctioned threat intelligence work on organizational exposure

Elastic Security (EQL)

eql

/* Branch 1: OSINT harvesting tool execution on managed endpoints */
process where host.os.type == "windows" and
  (
    process.command_line like~ "*theHarvester*" or
    process.command_line like~ "*recon-ng*" or
    process.command_line like~ "*CrossLinked*" or
    process.command_line like~ "*linkedin2username*" or
    process.command_line like~ "*phonebook.cz*" or
    process.command_line like~ "*SpiderFoot*" or
    process.command_line like~ "*spiderfoot*" or
    process.command_line like~ "*maltego*" or
    process.name like~ "*theHarvester*" or
    process.name like~ "*crosslinked*" or
    process.name like~ "*linkedin2username*" or
    process.name like~ "*recon-ng*" or
    (
      process.name like~ "python*.exe" and
      (
        process.command_line like~ "*linkedin*" or
        process.command_line like~ "*harvest*" or
        process.command_line like~ "*employee*" or
        process.command_line like~ "*osint*"
      )
    )
  )

/* Branch 2: Web directory scraping — deploy as Kibana Threshold Rule against proxy index */
/* Threshold rule config: index=logs-*, group_by=[source.ip], threshold count > 25 over 60m */
/* Filter: event.dataset:("proxy" OR "squid" OR "zscaler_proxy" OR "cisco_wsa") */
/* AND url.path: ("*\/team*" OR "*\/about*" OR "*\/staff*" OR "*\/employees*" */
/*              OR "*\/directory*" OR "*\/people*" OR "*\/leadership*" */
/*              OR "*\/management*" OR "*\/bios*" OR "*\/board*") */

high severity high confidence

Data Sources

Elastic Endpoint Security (elastic-agent) Elastic Defend process telemetry Sysmon via Winlogbeat/Elastic Agent Proxy logs (Squid, Zscaler, Cisco WSA) via Filebeat or Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-*.events.process-* logs-*

False Positives

Authorized red team or penetration testing operators running theHarvester, recon-ng, or similar OSINT tools as part of a sanctioned engagement — cross-reference against change management or pentest schedule before escalating
Threat intelligence or brand monitoring teams using SpiderFoot or Maltego for external attack surface assessment against their own organization — validate against approved tooling registry
HR automation or talent acquisition platforms running Python scripts that interact with LinkedIn APIs for org chart sync or recruiter workflows — validate process parent chain and network destinations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  COUNT(*) AS EventCount,
  UNIQUECOUNT(URL) AS UniqueDirectoryPages,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  CASE
    WHEN LOWER("Command") LIKE '%theharvester%'
      OR LOWER("Command") LIKE '%recon-ng%'
      OR LOWER("Command") LIKE '%crosslinked%'
      OR LOWER("Command") LIKE '%linkedin2username%'
      OR LOWER("Command") LIKE '%spiderfoot%'
      OR LOWER("Image") LIKE '%theharvester%'
      OR LOWER("Image") LIKE '%crosslinked%'
      THEN 'HIGH - OSINT harvesting tool on managed endpoint'
    WHEN COUNT(*) > 0
      AND (CAST(DATEDIFF('second', MIN(starttime), MAX(starttime)) AS FLOAT) > 0)
      AND (COUNT(*) / (DATEDIFF('second', MIN(starttime), MAX(starttime)) / 60.0)) > 15
      THEN 'HIGH - rapid automated scraping rate'
    WHEN COUNT(*) > 60 AND UNIQUECOUNT(URL) > 8
      THEN 'MEDIUM - high volume directory enumeration'
    WHEN COUNT(*) > 25
      THEN 'MEDIUM - elevated directory page access'
    ELSE 'LOW'
  END AS ScrapeRisk,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN (
    'Squid Web Proxy', 'Cisco Web Security Appliance (WSA)',
    'Blue Coat SG Proxy', 'Zscaler NSS', 'Microsoft IIS',
    'Microsoft Windows Security Event Log', 'Linux OS',
    'Universal DSM'
  )
  AND (
    URL LIKE '%/team%'
    OR URL LIKE '%/about-us%'
    OR URL LIKE '%/about%'
    OR URL LIKE '%/staff%'
    OR URL LIKE '%/employees%'
    OR URL LIKE '%/directory%'
    OR URL LIKE '%/people%'
    OR URL LIKE '%/our-team%'
    OR URL LIKE '%/leadership%'
    OR URL LIKE '%/management%'
    OR URL LIKE '%/bios%'
    OR URL LIKE '%/meet-the-team%'
    OR URL LIKE '%/board%'
    OR LOWER("Command") LIKE '%theharvester%'
    OR LOWER("Command") LIKE '%recon-ng%'
    OR LOWER("Command") LIKE '%crosslinked%'
    OR LOWER("Command") LIKE '%linkedin2username%'
    OR LOWER("Command") LIKE '%spiderfoot%'
    OR LOWER("Image") LIKE '%theharvester%'
    OR LOWER("Image") LIKE '%crosslinked%'
  )
  AND starttime > NOW() - 3600 SECONDS
GROUP BY
  sourceip, destinationip, devicetype, qid
HAVING
  ScrapeRisk <> 'LOW'
ORDER BY
  EventCount DESC

high severity medium confidence

Data Sources

Squid Web Proxy (QRadar DSM) Cisco Web Security Appliance — QRadar DSM Blue Coat ProxySG — QRadar DSM Zscaler NSS Feed Microsoft Windows Security Event Log (via WinCollect) Sysmon logs via Universal DSM

Required Tables

events

False Positives

Authorized penetration testers or red team operators running OSINT tools against corporate web properties during a sanctioned engagement — verify against active pentest SOW and schedule
Internal web health monitoring or uptime robots that regularly crawl public-facing pages including /about and /team for link integrity or content checks
HRtech platforms or CRM integrations performing automated employee directory lookups to sync organizational hierarchies, which may generate high-volume requests to directory paths

Sumo Logic CSE

sql

// ── Branch 1: Web directory scraping via proxy telemetry ──────────────────
(_sourceCategory=*proxy* OR _sourceCategory=*web_gateway* OR _sourceCategory=*zscaler*
 OR _sourceCategory=*bluecoat* OR _sourceCategory=*cisco_wsa* OR _sourceCategory=*squid*)
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "(?<url_path>(?:https?://[^/]+)?(?:/(?:team|about(?:-us)?|staff|employees|directory|people|our-team|leadership|management|bios|meet-the-team|board|partners)(?:[/?#]|$)[^\s"]*))"
    nodrop
| where !isNull(url_path)
| parse regex "(?<dest_host>(?:https?://)?([a-z0-9\-\.]+\.[a-z]{2,}))" nodrop
| timeslice 1m
| stats
    count as EventCount,
    dcount(url_path) as UniquePages,
    first(url_path) as URLSample
    by src_ip, dest_host, _timeslice
| where EventCount > 25
| eval RequestsPerMin = EventCount
| eval ScrapeRisk = if(RequestsPerMin > 15, "HIGH - rapid automated scraping",
    if(EventCount > 60 and UniquePages > 8, "MEDIUM - high volume enumeration",
    if(EventCount > 40, "MEDIUM - elevated directory access", "LOW")))
| where ScrapeRisk != "LOW"
| eval DetectionType = "Web_Directory_Scraping"
| fields _timeslice, DetectionType, src_ip, dest_host, EventCount, UniquePages, RequestsPerMin, ScrapeRisk, URLSample
| sort by EventCount desc

// ── Branch 2: OSINT tool execution on managed endpoints (run as separate saved search) ──
// (_sourceCategory=*sysmon* OR _sourceCategory=*winevent* OR _sourceCategory=*endpoint*)
// | where %EventID in ("1", "4688")
// | parse field=%CommandLine "*" as CommandLine nodrop
// | parse field=%Image "*" as Image nodrop
// | where CommandLine matches "*theHarvester*"
//     OR CommandLine matches "*recon-ng*"
//     OR CommandLine matches "*CrossLinked*"
//     OR CommandLine matches "*linkedin2username*"
//     OR CommandLine matches "*spiderfoot*"
//     OR Image matches "*theHarvester*"
//     OR Image matches "*crosslinked*"
// | eval ScrapeRisk = "HIGH - known OSINT tool on managed endpoint"
// | eval DetectionType = "Harvesting_Tool_Execution"
// | fields _messageTime, DetectionType, %Computer, CommandLine, Image, ScrapeRisk
// | sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector — proxy log source categories (Squid, Zscaler, Bluecoat, Cisco WSA) Sumo Logic Windows Agent — Sysmon Operational / Windows Security Event Log Sumo Logic Cloud-to-Cloud source for Zscaler or similar SaaS proxy

Required Tables

_sourceCategory=*proxy* _sourceCategory=*web_gateway* _sourceCategory=*sysmon* _sourceCategory=*winevent*

False Positives

Automated HR platform or CRM integrations that scrape internal or third-party employee directories for org chart population — these will produce high volumes of directory path hits from a consistent service account IP
Corporate SEO audit tools or web performance monitoring services that crawl all pages including /about and /team on a scheduled basis, generating burst traffic from monitoring infrastructure IPs
Internal IT asset inventory or intranet search indexers that recursively crawl company web properties and hit staff directory pages as part of site-wide indexing jobs

Google Chronicle / SecOps

yaral

// ── Rule 1: OSINT harvesting tool execution (deploy this rule) ──────────────
rule employee_name_harvesting_osint_tools_t1589_003 {
  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects T1589.003: execution of known OSINT employee-harvesting tools on managed endpoints"
    mitre_tactic    = "TA0043"
    mitre_technique = "T1589.003"
    severity        = "HIGH"
    confidence      = "HIGH"
    version         = "1.0"
    created         = "2026-04-13"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($proc.target.process.command_line,
        `(?i)(theHarvester|recon\-ng|CrossLinked|linkedin2username|phonebook\.cz|SpiderFoot|spiderfoot|maltego)`)
      or re.regex($proc.target.process.file.full_path,
        `(?i)(theHarvester|crosslinked|linkedin2username|recon-ng)`)
      or (
        re.regex($proc.target.process.file.full_path, `(?i)python[23]?(\.exe)?$`)
        and re.regex($proc.target.process.command_line, `(?i)(linkedin|harvest|employee|osint)`)
      )
    )

  match:
    $proc.principal.hostname over 1h

  outcome:
    $event_count    = count_distinct($proc.metadata.id)
    $commands_run   = array($proc.target.process.command_line)
    $host           = array($proc.principal.hostname)
    $user           = array($proc.principal.user.userid)

  condition:
    #proc > 0
}

// ── Rule 2: Web directory scraping via HTTP telemetry (deploy separately) ────
rule employee_directory_scraping_t1589_003 {
  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects T1589.003: automated scraping of corporate employee directory web pages via HTTP/proxy telemetry"
    mitre_tactic    = "TA0043"
    mitre_technique = "T1589.003"
    severity        = "MEDIUM"
    confidence      = "MEDIUM"
    version         = "1.0"
    created         = "2026-04-13"

  events:
    $web.metadata.event_type = "NETWORK_HTTP"
    re.regex($web.target.url,
      `(?i)\/(team|about-us|about|staff|employees|directory|people|our-team|leadership|management|bios|meet-the-team|board|partners)([\/?#]|$)`)
    $web.principal.ip != ""

  match:
    $web.principal.ip over 5m

  outcome:
    $request_count = count_distinct($web.metadata.id)
    $unique_pages  = count_distinct($web.target.url)
    $sample_urls   = array($web.target.url)
    $dest_host     = array($web.target.hostname)

  condition:
    #web > 25
}

high severity medium confidence

Data Sources

Chronicle UDM — PROCESS_LAUNCH events (Endpoint Detection via Chronicle Forwarder or CrowdStrike/Carbon Black feed) Chronicle UDM — NETWORK_HTTP events (proxy/NGFW logs via Chronicle Forwarder: Zscaler, Palo Alto, Bluecoat) Google Cloud Armor WAF logs forwarded to Chronicle

Required Tables

UDM PROCESS_LAUNCH UDM NETWORK_HTTP

False Positives

Authorized threat intelligence or security research analysts using theHarvester or Maltego on company-managed endpoints for sanctioned external attack surface mapping — validate against approved tooling registry and user context
Third-party marketing analytics or investor relations tools accessing company team/leadership pages at scale for content monitoring or PR tracking — identify by consistent service account or known vendor IP ranges
Corporate intranet crawlers or search indexers (e.g. SharePoint indexer, Elasticsearch site crawler) that recursively index public web properties and hit staff bios or leadership pages at elevated rates

CrowdStrike LogScale (CQL)

cql

// ── Branch 1: OSINT harvesting tool execution via Falcon EDR telemetry ────────
#event_simpleName = ProcessRollup2
| CommandLine = /(?i)(theHarvester|theharvester|recon\-ng|CrossLinked|crosslinked|linkedin2username|linkedin_username|phonebook\.cz|SpiderFoot|spiderfoot|maltego)/
  OR FileName = /(?i)(theHarvester|crosslinked|linkedin2username|recon-ng)/
  OR (
    FileName = /(?i)python[23]?(\.exe)?$/
    AND CommandLine = /(?i)(linkedin|harvest|employee|osint)/
  )
| groupBy(
    [ComputerName, UserName, FileName, CommandLine],
    function=[
      count(aid, as=EventCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| eval ScrapeRisk = "HIGH - known OSINT tool on Falcon-managed endpoint"
| eval DetectionType = "Harvesting_Tool_Execution"
| sort(EventCount, order=desc)
| select([FirstSeen, LastSeen, DetectionType, ComputerName, UserName, FileName, CommandLine, EventCount, ScrapeRisk])

// ── Branch 2: DNS lookups to known OSINT/people-search platforms (deploy separately) ─
// #event_simpleName = DnsRequest
// | DomainName = /(?i)(hunter\.io|phonebook\.cz|rocketreach\.co|clearbit\.com|snov\.io|voilanorbert\.com|emailhunter\.co|findthat\.email|skrapp\.io|anymail\.io)/
// | groupBy(
//     [ComputerName, UserName, DomainName],
//     function=[
//       count(ContextTimeStamp, as=QueryCount),
//       min(@timestamp, as=FirstSeen),
//       max(@timestamp, as=LastSeen)
//     ]
//   )
// | where QueryCount > 10
// | eval ScrapeRisk = "MEDIUM - repeated OSINT platform DNS queries from managed endpoint"
// | eval DetectionType = "OSINT_Platform_DNS_Enumeration"
// | sort(QueryCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR — ProcessRollup2 event stream CrowdStrike Falcon Insight EDR — DnsRequest event stream CrowdStrike Falcon XDR unified telemetry

Required Tables

ProcessRollup2 DnsRequest

False Positives

Authorized penetration testers or red team operators using Falcon-managed workstations to execute theHarvester or recon-ng as part of a sanctioned engagement — validate against active engagement documentation and expected source hosts
Security operations or threat intelligence analysts running SpiderFoot or Maltego for external attack surface assessment or vendor risk review on approved corporate endpoints — validate against security tooling allowlist
Software developers testing or packaging OSINT tools in development environments where the Falcon sensor is deployed — the Python + 'linkedin'/'harvest' command-line branch may fire on legitimate CI/CD or testing workflows

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1589.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Employee Names

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections