T1591

Gather Victim Org Information

Reconnaissance Last updated:

This detection identifies adversary attempts to gather organizational information about the victim, including employee roles, departmental structure, business operations, and key personnel. Because T1591 is a PRE-ATT&CK technique primarily executed outside the defender's network, direct endpoint telemetry is limited. Detection pivots to observable side-effects: Azure AD and Microsoft Graph API enumeration of users, groups, and org hierarchy; inbound phishing-for-information email patterns; unusual bulk access to internal directories or SharePoint org charts; and outbound access to known OSINT/data-broker platforms (LinkedIn, ZoomInfo, Hunter.io) at volume. These signals correlate with early-stage targeting by threat actors such as APT28, Kimsuky, Lazarus Group, and FIN7, who conduct org reconnaissance prior to tailored spearphishing campaigns.

What is T1591 Gather Victim Org Information?

Gather Victim Org Information (T1591) maps to the Reconnaissance tactic — the adversary is trying to gather information they can use to plan future operations in MITRE ATT&CK.

This page provides production-ready detection logic for Gather Victim Org Information, covering the data sources and telemetry it touches: Azure Active Directory, Microsoft Entra ID. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1591 Gather Victim Org Information
Canonical reference
https://attack.mitre.org/techniques/T1591/
Microsoft Sentinel / Defender
kusto 
// T1591 — Gather Victim Org Information
// Detect bulk Azure AD / MS Graph enumeration of org structure (users, groups, roles, org details)
// This pattern indicates an authenticated attacker or compromised account mapping the org before deeper targeting
let LookbackWindow = 1h;
let EnumThreshold = 30;
let DistinctOpThreshold = 3;
AuditLogs
| where TimeGenerated >= ago(LookbackWindow)
| where OperationName in (
    "Get users",
    "List users",
    "Get groups",
    "List groups",
    "Get members",
    "Get organization",
    "Get directoryRoles",
    "List directoryRoleMembers",
    "Get contacts",
    "List contacts",
    "Get administrativeUnits",
    "List administrativeUnits"
  )
| where Result == "success"
| extend InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorIP = tostring(InitiatedBy.user.ipAddress)
| extend AppDisplayName = tostring(InitiatedBy.app.displayName)
| where isnotempty(InitiatorUPN) or isnotempty(AppDisplayName)
| summarize
    OperationCount = count(),
    DistinctOperations = dcount(OperationName),
    Operations = make_set(OperationName),
    DistinctTargets = dcount(tostring(TargetResources)),
    EarliestEvent = min(TimeGenerated),
    LatestEvent = max(TimeGenerated)
    by InitiatorUPN, InitiatorIP, AppDisplayName, bin(TimeGenerated, LookbackWindow)
| where OperationCount >= EnumThreshold or DistinctOperations >= DistinctOpThreshold
| extend RiskScore = case(
    OperationCount >= 100 and DistinctOperations >= 5, "High",
    OperationCount >= 50 or DistinctOperations >= 4, "Medium",
    "Low"
  )
| project
    TimeGenerated,
    InitiatorUPN,
    InitiatorIP,
    AppDisplayName,
    OperationCount,
    DistinctOperations,
    DistinctTargets,
    Operations,
    RiskScore,
    EarliestEvent,
    LatestEvent
| order by OperationCount desc

Detects bulk enumeration of Azure Active Directory organizational structure via Audit Logs. Adversaries with compromised credentials or OAuth tokens enumerate users, groups, roles, and administrative units to map the target organization before launching tailored spearphishing or lateral movement. Alerts fire when a single initiator performs 30+ org-enumeration operations or 3+ distinct operation types within a 1-hour window.

high severity medium confidence

Data Sources

Azure Active Directory Microsoft Entra ID

Required Tables

AuditLogs

False Positives

  • IT automation scripts running bulk user provisioning or deprovisioning workflows
  • HR system sync tools (Workday, BambooHR) performing scheduled directory synchronization
  • Security tools such as Microsoft Entra ID Governance performing access reviews
  • PowerShell scripts run by directory administrators for legitimate reporting

Sigma rule & cross-platform mapping

The detection logic for Gather Victim Org Information (T1591) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1591 Sigma rules on detection.fyi

Platform-specific guides for T1591

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-03-20 Research depth: deep
References (10)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Azure AD Bulk User Enumeration via Microsoft Graph PowerShell

    Expected signal: Azure AD AuditLogs: multiple entries for 'Get users', 'List users', 'Get groups', 'List groups', 'Get directoryRoles' with InitiatedBy set to the test account UPN. Volume should exceed the 30-operation threshold within minutes.

  2. Test 2OSINT Tool Execution — theHarvester Org Reconnaissance

    Expected signal: Outbound HTTP/HTTPS connections to linkedin.com, google.com, bing.com with tool user-agent strings from the attacking host. DNS queries for target domain variations. Proxy logs showing linkedin.com/in/ path access at volume.

  3. Test 3Social Engineering Email — Org Structure Elicitation (Phishing for Information)

    Expected signal: EmailEvents entry with SenderFromDomain=atomictest.invalid, Subject containing 'org chart' and 'reporting structure', DeliveryAction=Delivered. Microsoft Defender for Office 365 may flag based on sender reputation.

Unlock Pro Content

Get the full detection package for T1591 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hub

TA0043Reconnaissance

Sub-techniques (4)

Related Techniques

T1598Phishing for InformationT1593Search Open Websites/DomainsT1594Search Victim-Owned WebsitesT1592Gather Victim Host InformationT1590Gather Victim Network InformationT1566PhishingT1199Trusted RelationshipT1585Establish Accounts

Same Tactic: Reconnaissance

Popular Detections