Detect Employee Names in IBM QRadar
Adversaries may gather employee names that can be used during targeting. Employee names can be used to derive email addresses as well as to help guide other reconnaissance efforts and craft more-believable lures. Adversaries may easily gather employee names since they may be readily available and exposed via online or other accessible data sets such as social media, LinkedIn, corporate websites, and press releases. Real-world threat actors including Kimsuky, Sandworm Team, and Silent Librarian have been observed collecting victim employee name information to support subsequent phishing campaigns, credential attacks, and social engineering operations. Detection is inherently challenging because this activity primarily occurs outside the victim's environment on public platforms. Effective detection pivots to monitoring organization-owned web properties for automated scraping, tracking OSINT tool execution on monitored endpoints, and identifying downstream artifacts such as systematic user enumeration via authentication systems.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1589 Gather Victim Identity Information
- Sub-technique
- T1589.003 Employee Names
- Canonical reference
- https://attack.mitre.org/techniques/T1589/003/
QRadar Detection Query
SELECT
DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
sourceip AS SourceIP,
destinationip AS DestinationIP,
COUNT(*) AS EventCount,
UNIQUECOUNT(URL) AS UniqueDirectoryPages,
LOGSOURCETYPENAME(devicetype) AS LogSourceType,
CASE
WHEN LOWER("Command") LIKE '%theharvester%'
OR LOWER("Command") LIKE '%recon-ng%'
OR LOWER("Command") LIKE '%crosslinked%'
OR LOWER("Command") LIKE '%linkedin2username%'
OR LOWER("Command") LIKE '%spiderfoot%'
OR LOWER("Image") LIKE '%theharvester%'
OR LOWER("Image") LIKE '%crosslinked%'
THEN 'HIGH - OSINT harvesting tool on managed endpoint'
WHEN COUNT(*) > 0
AND (CAST(DATEDIFF('second', MIN(starttime), MAX(starttime)) AS FLOAT) > 0)
AND (COUNT(*) / (DATEDIFF('second', MIN(starttime), MAX(starttime)) / 60.0)) > 15
THEN 'HIGH - rapid automated scraping rate'
WHEN COUNT(*) > 60 AND UNIQUECOUNT(URL) > 8
THEN 'MEDIUM - high volume directory enumeration'
WHEN COUNT(*) > 25
THEN 'MEDIUM - elevated directory page access'
ELSE 'LOW'
END AS ScrapeRisk,
QIDNAME(qid) AS EventName
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN (
'Squid Web Proxy', 'Cisco Web Security Appliance (WSA)',
'Blue Coat SG Proxy', 'Zscaler NSS', 'Microsoft IIS',
'Microsoft Windows Security Event Log', 'Linux OS',
'Universal DSM'
)
AND (
URL LIKE '%/team%'
OR URL LIKE '%/about-us%'
OR URL LIKE '%/about%'
OR URL LIKE '%/staff%'
OR URL LIKE '%/employees%'
OR URL LIKE '%/directory%'
OR URL LIKE '%/people%'
OR URL LIKE '%/our-team%'
OR URL LIKE '%/leadership%'
OR URL LIKE '%/management%'
OR URL LIKE '%/bios%'
OR URL LIKE '%/meet-the-team%'
OR URL LIKE '%/board%'
OR LOWER("Command") LIKE '%theharvester%'
OR LOWER("Command") LIKE '%recon-ng%'
OR LOWER("Command") LIKE '%crosslinked%'
OR LOWER("Command") LIKE '%linkedin2username%'
OR LOWER("Command") LIKE '%spiderfoot%'
OR LOWER("Image") LIKE '%theharvester%'
OR LOWER("Image") LIKE '%crosslinked%'
)
AND starttime > NOW() - 3600 SECONDS
GROUP BY
sourceip, destinationip, devicetype, qid
HAVING
ScrapeRisk <> 'LOW'
ORDER BY
EventCount DESCQRadar AQL rule detecting employee name harvesting (T1589.003) across proxy and endpoint log sources. Branch 1 aggregates web proxy events (Squid, Cisco WSA, Bluecoat, Zscaler) matching corporate employee directory URL patterns (/team, /about, /staff, etc.) and applies volume and rate-based risk tiering. Branch 2 matches endpoint log source events containing OSINT tool command-line patterns (theHarvester, recon-ng, CrossLinked, linkedin2username, SpiderFoot) from Windows Security or Sysmon-derived data. Results are grouped by source and destination IP, filtered to non-LOW risk tiers, and sorted by event volume for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Authorized penetration testers or red team operators running OSINT tools against corporate web properties during a sanctioned engagement — verify against active pentest SOW and schedule
- Internal web health monitoring or uptime robots that regularly crawl public-facing pages including /about and /team for link integrity or content checks
- HRtech platforms or CRM integrations performing automated employee directory lookups to sync organizational hierarchies, which may generate high-volume requests to directory paths
Other platforms for T1589.003
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1theHarvester Employee Name and Email Enumeration
Expected signal: Sysmon Event ID 1 (Linux auditd equivalent): process creation for 'theHarvester' or 'python3' with command line arguments '-d example.com -b google'. Sysmon Event ID 3 / auditd SYSCALL: outbound network connections to Google APIs and search endpoints. Sysmon Event ID 11: creation of /tmp/harvest_output.json. On Windows endpoints: DeviceProcessEvents with FileName=python.exe and ProcessCommandLine containing 'theHarvester' and '-b google'.
- Test 2CrossLinked LinkedIn Employee Name to Email Permutation
Expected signal: Sysmon Event ID 1: process create for python3 with CommandLine containing 'CrossLinked' or 'crosslinked' and '-f' and '{first}.{last}'. Sysmon Event ID 3: outbound DNS and TCP connections to linkedin.com and www.linkedin.com on port 443. Sysmon Event ID 11: file creation at /tmp/crosslinked_names.txt. DeviceProcessEvents (MDE): ProcessCommandLine containing 'crosslinked' or '{first}.{last}'.
- Test 3Corporate Team Page Automated Scraping Simulation
Expected signal: Sysmon Event ID 3 (Network Connect): repeated outbound connections to httpbin.org:443. Process creation for curl. In a real environment targeting a corporate web property: WAF/proxy logs showing 30+ requests to /team, /about-us, /staff URLs from the same source IP within 60 seconds with User-Agent 'Python-urllib/3.9'. CommonSecurityLog entries with RequestURL matching directory patterns.
- Test 4recon-ng LinkedIn Contacts Module Employee Enumeration
Expected signal: Sysmon Event ID 1: process create for recon-ng binary or python3 with recon-ng in command path. Sysmon Event ID 11: file creation in ~/.recon-ng/workspaces/employee_hunt/ including SQLite database data.db. Sysmon Event ID 3: outbound connections to linkedin.com, api.linkedin.com on port 443. DeviceProcessEvents: FileName containing 'recon-ng' or ProcessCommandLine containing 'recon-ng'.
- Test 5Hunter.io API Employee Name and Email Harvesting
Expected signal: Sysmon Event ID 3: outbound DNS query for api.hunter.io and TCP connection to api.hunter.io:443. Process creation for curl or python3 with api.hunter.io in command line arguments. In proxy/web access logs: GET requests to api.hunter.io/v2/domain-search with domain parameter. If monitoring DNS (Sysmon Event ID 22): DNS query for api.hunter.io.
References (10)
- https://attack.mitre.org/techniques/T1589/003/
- https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary
- https://www.cisa.gov/sites/default/files/publications/AA20-296A-Kimsuky_0.pdf
- https://github.com/laramies/theHarvester
- https://github.com/m8sec/CrossLinked
- https://github.com/lanmaster53/recon-ng
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
- https://hunter.io/api-documentation/v2
- https://www.mandiant.com/resources/blog/apt29-domain-fronting-with-tor
Unlock Pro Content
Get the full detection package for T1589.003 including response playbook, investigation guide, and atomic red team tests.