T1589.003 Microsoft Sentinel · KQL

Detect Employee Names in Microsoft Sentinel

Adversaries may gather employee names that can be used during targeting. Employee names can be used to derive email addresses as well as to help guide other reconnaissance efforts and craft more-believable lures. Adversaries may easily gather employee names since they may be readily available and exposed via online or other accessible data sets such as social media, LinkedIn, corporate websites, and press releases. Real-world threat actors including Kimsuky, Sandworm Team, and Silent Librarian have been observed collecting victim employee name information to support subsequent phishing campaigns, credential attacks, and social engineering operations. Detection is inherently challenging because this activity primarily occurs outside the victim's environment on public platforms. Effective detection pivots to monitoring organization-owned web properties for automated scraping, tracking OSINT tool execution on monitored endpoints, and identifying downstream artifacts such as systematic user enumeration via authentication systems.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1589 Gather Victim Identity Information
Sub-technique
T1589.003 Employee Names
Canonical reference
https://attack.mitre.org/techniques/T1589/003/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Employee Name Harvesting — Corporate Web Directory Scraping Detection
// Detects high-rate automated access to employee/team listing pages via WAF and proxy telemetry
// Also surfaces OSINT harvesting tool execution on monitored endpoints
let DirectoryPaths = dynamic([
    "/team", "/about", "/about-us", "/staff", "/employees", "/directory",
    "/people", "/our-team", "/leadership", "/management", "/company/team",
    "/meet-the-team", "/who-we-are", "/bios", "/partners", "/board"
]);
let HarvestingTools = dynamic([
    "theHarvester", "theharvester", "recon-ng", "CrossLinked", "crosslinked",
    "linkedin2username", "linkedin_username", "phonebook.cz", "hunter.io",
    "osintframework", "maltego", "SpiderFoot", "spiderfoot"
]);
// Branch 1: Automated scraping of corporate employee directory pages
let WebScraping =
    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    | where RequestURL has_any (DirectoryPaths)
    | where isnotempty(SourceIP)
    | summarize
        RequestCount = count(),
        UniquePages = dcount(RequestURL),
        UniqueUserAgents = dcount(RequestClientApplication),
        UserAgentSample = make_set(RequestClientApplication, 3),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
        by SourceIP, DestinationHostName
    | extend ElapsedSeconds = datetime_diff('second', LastSeen, FirstSeen)
    | extend RequestsPerMinute = iff(ElapsedSeconds > 0, toreal(RequestCount) / toreal(ElapsedSeconds) * 60.0, 0.0)
    | where RequestCount > 25 or RequestsPerMinute > 5.0
    | extend ScrapeRisk = case(
        UniqueUserAgents == 1 and RequestCount > 60, "HIGH — uniform UA, high volume",
        RequestsPerMinute > 15.0, "HIGH — rapid sequential requests",
        RequestCount > 40 and UniquePages > 8, "MEDIUM — breadth and volume",
        "LOW — review manually"
    )
    | where ScrapeRisk !startswith "LOW"
    | extend DetectionType = "Web_Directory_Scraping"
    | project TimeGenerated = FirstSeen, DetectionType, SourceIP, DestinationHostName,
              RequestCount, UniquePages, RequestsPerMinute, ScrapeRisk, UserAgentSample;
// Branch 2: OSINT harvesting tool execution on managed endpoints
let EndpointHarvesting =
    DeviceProcessEvents
    | where Timestamp > ago(1h)
    | where ProcessCommandLine has_any (HarvestingTools)
          or FileName has_any ("theHarvester", "crosslinked", "linkedin2username")
          or (FileName in~ ("python.exe", "python3", "python")
              and ProcessCommandLine has_any ("linkedin", "harvest", "employee", "osint") )
    | extend DetectionType = "Harvesting_Tool_Execution"
    | extend ScrapeRisk = "HIGH — known OSINT tool on managed endpoint"
    | project TimeGenerated = Timestamp, DetectionType, SourceIP = DeviceName,
              DestinationHostName = "", RequestCount = 1, UniquePages = 0,
              RequestsPerMinute = 0.0, ScrapeRisk,
              UserAgentSample = pack_array(ProcessCommandLine);
union WebScraping, EndpointHarvesting
| sort by TimeGenerated desc
medium severity low confidence

Dual-branch detection targeting the two most observable surfaces for T1589.003 Employee Name harvesting. Branch 1 analyzes CommonSecurityLog telemetry from WAF/proxy devices to identify automated high-rate access to corporate employee directory pages (team, leadership, staff, bios, etc.) from single external source IPs. It calculates requests-per-minute and evaluates scrape risk based on request volume, page breadth, and user agent uniformity. Branch 2 monitors DeviceProcessEvents for known OSINT and harvesting tool execution (theHarvester, recon-ng, CrossLinked, linkedin2username, etc.) on managed endpoints, which may indicate insider threat or a compromised workstation performing reconnaissance. Results are unioned and sorted by time. This technique is inherently low-detectability since the adversary's primary activity occurs on public external platforms; these signals represent the observable subset of adversary actions.

Data Sources

Network Traffic: Network Traffic ContentApplication Log: Application Log ContentProcess: Process CreationMicrosoft Defender for EndpointWAF / Proxy / Next-Generation Firewall (CommonSecurityLog)

Required Tables

CommonSecurityLogDeviceProcessEvents

False Positives & Tuning

  • Search engine crawlers (Googlebot, Bingbot, AhrefsBot, Semrush) legitimately indexing public team and leadership pages at high rates
  • SEO audit tools (Screaming Frog, Sitebulb, DeepCrawl) run by the marketing team performing scheduled site health checks
  • Authorized penetration testers or red team operators conducting OSINT reconnaissance during an engagement — always verify active SOW coverage
  • HR and recruiting platforms (LinkedIn Talent Hub, Greenhouse, Lever) that scan competitor or partner employee directories for sourcing
  • Business intelligence and lead generation services (ZoomInfo, Lusha, Apollo.io) operating on behalf of sales teams with company-approved subscriptions
Download portable Sigma rule (.yml)

Other platforms for T1589.003

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1theHarvester Employee Name and Email Enumeration

    Expected signal: Sysmon Event ID 1 (Linux auditd equivalent): process creation for 'theHarvester' or 'python3' with command line arguments '-d example.com -b google'. Sysmon Event ID 3 / auditd SYSCALL: outbound network connections to Google APIs and search endpoints. Sysmon Event ID 11: creation of /tmp/harvest_output.json. On Windows endpoints: DeviceProcessEvents with FileName=python.exe and ProcessCommandLine containing 'theHarvester' and '-b google'.

  2. Test 2CrossLinked LinkedIn Employee Name to Email Permutation

    Expected signal: Sysmon Event ID 1: process create for python3 with CommandLine containing 'CrossLinked' or 'crosslinked' and '-f' and '{first}.{last}'. Sysmon Event ID 3: outbound DNS and TCP connections to linkedin.com and www.linkedin.com on port 443. Sysmon Event ID 11: file creation at /tmp/crosslinked_names.txt. DeviceProcessEvents (MDE): ProcessCommandLine containing 'crosslinked' or '{first}.{last}'.

  3. Test 3Corporate Team Page Automated Scraping Simulation

    Expected signal: Sysmon Event ID 3 (Network Connect): repeated outbound connections to httpbin.org:443. Process creation for curl. In a real environment targeting a corporate web property: WAF/proxy logs showing 30+ requests to /team, /about-us, /staff URLs from the same source IP within 60 seconds with User-Agent 'Python-urllib/3.9'. CommonSecurityLog entries with RequestURL matching directory patterns.

  4. Test 4recon-ng LinkedIn Contacts Module Employee Enumeration

    Expected signal: Sysmon Event ID 1: process create for recon-ng binary or python3 with recon-ng in command path. Sysmon Event ID 11: file creation in ~/.recon-ng/workspaces/employee_hunt/ including SQLite database data.db. Sysmon Event ID 3: outbound connections to linkedin.com, api.linkedin.com on port 443. DeviceProcessEvents: FileName containing 'recon-ng' or ProcessCommandLine containing 'recon-ng'.

  5. Test 5Hunter.io API Employee Name and Email Harvesting

    Expected signal: Sysmon Event ID 3: outbound DNS query for api.hunter.io and TCP connection to api.hunter.io:443. Process creation for curl or python3 with api.hunter.io in command line arguments. In proxy/web access logs: GET requests to api.hunter.io/v2/domain-search with domain parameter. If monitoring DNS (Sysmon Event ID 22): DNS query for api.hunter.io.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1589.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1589Gather Victim Identity Information

Related Sub-techniques

T1589.001CredentialsT1589.002Email Addresses

Related Techniques

T1589Gather Victim Identity InformationT1589.001CredentialsT1589.002Email AddressesT1593.001Social MediaT1594Search Victim-Owned WebsitesT1598Phishing for InformationT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1078Valid AccountsT1110.003Password SprayingT1586.002Email Accounts

Same Tactic: Reconnaissance

Popular Detections