Gather Victim Org Information
This detection identifies adversary attempts to gather organizational information about the victim, including employee roles, departmental structure, business operations, and key personnel. T1591 sits under the Reconnaissance tactic of ATT&CK Enterprise (the former PRE-ATT&CK matrix was folded into Enterprise in 2020), and most of it is executed outside the defender's network, so direct endpoint telemetry is limited. Detection therefore pivots to observable side-effects: Microsoft Entra ID (Azure AD) and Microsoft Graph API enumeration of users, groups, directory roles, and organization details; inbound phishing-for-information email patterns; unusual bulk access to internal directories or SharePoint org charts; and high-volume outbound access to known OSINT and data-broker platforms (LinkedIn, ZoomInfo, Hunter.io). Two caveats apply to the query below. First, Entra ID audit logs record only directory changes (add, update, delete); Graph read requests such as GET /users or GET /groups are visible only in Microsoft Graph activity logs, the MicrosoftGraphActivityLogs table. Second, authenticated directory enumeration by an already-compromised account overlaps with Discovery (T1087.004 Cloud Account, T1069.003 Cloud Groups); it is tracked here because the same org map feeds the tailored spearphishing that follows reconnaissance. These signals correlate with early-stage targeting by threat actors such as APT28, Kimsuky, Lazarus Group, and FIN7, who conduct org reconnaissance prior to tailored spearphishing campaigns.
// T1591 - Gather Victim Org Information
// Detect bulk Microsoft Graph enumeration of org structure (users, groups, directory roles, org details).
// Entra ID AuditLogs only record directory writes (add/update/delete); read requests such as
// GET /users or GET /groups are captured in MicrosoftGraphActivityLogs, so that table is queried here.
// This pattern indicates an authenticated attacker or compromised account mapping the org before deeper targeting.
let LookbackWindow = 1h;
let EnumThreshold = 30;        // successful org-structure reads per principal per window
let DistinctOpThreshold = 3;   // distinct org resource types touched in the window
let OrgResources = dynamic([
    "users",
    "groups",
    "organization",
    "directoryRoles",
    "contacts",
    "administrativeUnits"
]);
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(LookbackWindow)
| where RequestMethod == "GET"
| where ResponseStatusCode between (200 .. 299)   // successful reads only; denied probes belong to a separate rule
// First path segment after the API version, e.g. /v1.0/users/{id}/memberOf -> "users"
| extend Resource = extract(@"graph\.microsoft\.com/(?:v1\.0|beta)/([A-Za-z]+)", 1, RequestUri)
| where Resource in (OrgResources)
// Delegated calls carry UserId; app-only calls carry ServicePrincipalId. Both are object IDs;
// resolve to a UPN or display name with a join against an identity table (e.g. IdentityInfo) where available.
| extend Principal = coalesce(UserId, ServicePrincipalId)
| where isnotempty(Principal)
| summarize
    OperationCount = count(),
    DistinctOperations = dcount(Resource),
    Operations = make_set(Resource),
    DistinctUris = dcount(RequestUri),
    PagedRequests = countif(RequestUri contains "$skiptoken"),   // walking result pages = full enumeration, not a lookup
    UserAgents = make_set(UserAgent, 5),
    EarliestEvent = min(TimeGenerated),
    LatestEvent = max(TimeGenerated)
    by Principal, IPAddress, AppId, bin(TimeGenerated, LookbackWindow)
| where OperationCount >= EnumThreshold or DistinctOperations >= DistinctOpThreshold
| extend RiskScore = case(
    OperationCount >= 100 and DistinctOperations >= 5, "High",
    OperationCount >= 50 or DistinctOperations >= 4, "Medium",
    "Low"
)
| project
    TimeGenerated,
    Principal,
    IPAddress,
    AppId,
    OperationCount,
    DistinctOperations,
    DistinctUris,
    PagedRequests,
    Operations,
    UserAgents,
    RiskScore,
    EarliestEvent,
    LatestEvent
| order by OperationCount desc
Data Sources
Microsoft Entra ID (Azure AD) diagnostic settings with the MicrosoftGraphActivityLogs category enabled and routed to the Log Analytics workspace backing Microsoft Sentinel.
Required Tables
- MicrosoftGraphActivityLogs (Microsoft Graph activity logs). The Entra ID AuditLogs table records directory writes only and will not show read operations such as GET /users, so it cannot feed this rule on its own.
False Positives
- IT automation scripts running bulk user provisioning or deprovisioning workflows
- HR system sync tools (Workday, BambooHR) performing scheduled directory synchronization
- Security tools such as Microsoft Entra ID Governance performing access reviews
- PowerShell scripts run by directory administrators for legitimate reporting
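As an added example (not part of this detection package or any vendor's code), the following Python replays the rule's aggregation over constructed records shaped like MicrosoftGraphActivityLogs rows, where Graph read requests are logged with RequestMethod, RequestUri and ResponseStatusCode. It adds the two tuning points a responder reaches for first: a count of $skiptoken page walks, which separates full enumeration from a user looking a colleague up, and suppression keyed on application identity for the sync tooling listed above. The user IDs, service principal IDs, app IDs, IP addresses and the allowlist entry are constructed values, not real ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Org-structure resources and thresholds, mirroring the detection's tunables.
ORG_RESOURCES = {"users", "groups", "organization", "directoryRoles",
                 "contacts", "administrativeUnits"}
ENUM_THRESHOLD = 30
DISTINCT_OP_THRESHOLD = 3
# Constructed allowlist (hypothetical app ID) for sanctioned directory-sync tooling.
ALLOWLISTED_APPS = {"app-hr-sync"}
GRAPH = "https://graph.microsoft.com/v1.0/"
EPOCH = datetime(1970, 1, 1)


def resource_of(uri):
    """Top-level Graph resource of a request, e.g. /v1.0/users/{id}/manager -> 'users'."""
    parts = [p for p in urlparse(uri).path.split("/") if p]
    if len(parts) < 2 or parts[0] not in ("v1.0", "beta"):
        return None
    return parts[1]


def risk_score(count, distinct):
    """Same case() ladder as the KQL rule."""
    if count >= 100 and distinct >= 5:
        return "High"
    if count >= 50 or distinct >= 4:
        return "Medium"
    return "Low"


def detect(events, window=timedelta(hours=1)):
    """Aggregate successful org-structure GETs per principal, IP, app and time bin."""
    buckets = defaultdict(lambda: {"count": 0, "resources": set(), "paged": 0})
    for e in events:
        if e["RequestMethod"] != "GET" or not 200 <= e["ResponseStatusCode"] < 300:
            continue  # denied reads are dropped here, as in the KQL; alert on them separately
        res = resource_of(e["RequestUri"])
        if res not in ORG_RESOURCES:
            continue
        principal = e.get("UserId") or e.get("ServicePrincipalId")  # delegated vs app-only call
        if not principal:
            continue
        n = int((e["TimeGenerated"] - EPOCH) / window)  # bin(TimeGenerated, window)
        bucket = buckets[(principal, e["IPAddress"], e["AppId"], EPOCH + n * window)]
        bucket["count"] += 1
        bucket["resources"].add(res)
        # A $skiptoken means the caller is walking result pages: enumeration, not a single lookup.
        if "$skiptoken" in parse_qs(urlparse(e["RequestUri"]).query):
            bucket["paged"] += 1
    alerts = []
    for (principal, ip, app, start), b in buckets.items():
        distinct = len(b["resources"])
        if b["count"] < ENUM_THRESHOLD and distinct < DISTINCT_OP_THRESHOLD:
            continue
        alerts.append({
            "principal": principal, "ip": ip, "app": app, "window_start": start,
            "count": b["count"], "distinct": distinct, "resources": sorted(b["resources"]),
            "paged": b["paged"], "risk": risk_score(b["count"], distinct),
            # Suppress on the application identity, never on the user: a user account that
            # suddenly pages the whole directory is exactly what this rule exists to catch.
            "suppressed": app in ALLOWLISTED_APPS,
        })
    return sorted(alerts, key=lambda a: a["count"], reverse=True)


def _event(ts, uri, user=None, sp=None, app="app-adhoc", ip="203.0.113.10", status=200):
    """Constructed record carrying only the MicrosoftGraphActivityLogs fields the rule uses."""
    return {"TimeGenerated": ts, "RequestMethod": "GET", "RequestUri": uri,
            "ResponseStatusCode": status, "UserId": user, "ServicePrincipalId": sp,
            "AppId": app, "IPAddress": ip}


T0 = datetime(2024, 6, 1, 9, 0)
SAMPLE_EVENTS = []
# Constructed: a compromised user pages through every user, then groups, roles, org and AUs.
for i in range(100):
    q = f"users?$top=999&$skiptoken=p{i}" if i else "users?$top=999"
    SAMPLE_EVENTS.append(_event(T0 + timedelta(seconds=i), GRAPH + q, user="u-compromised"))
for i in range(12):
    SAMPLE_EVENTS.append(_event(T0 + timedelta(minutes=2, seconds=i),
                                GRAPH + f"groups?$top=999&$skiptoken=g{i}", user="u-compromised"))
for q in ["directoryRoles", "directoryRoles/r1/members", "directoryRoles/r2/members",
          "directoryRoles/r3/members", "organization", "organization/t1",
          "administrativeUnits", "administrativeUnits/a1/members"]:
    SAMPLE_EVENTS.append(_event(T0 + timedelta(minutes=3), GRAPH + q, user="u-compromised"))
# Constructed: an ordinary user's handful of lookups, under both thresholds.
for q in ["me", "users/u-bob/photo/$value", "users/u-bob/manager"]:
    SAMPLE_EVENTS.append(_event(T0 + timedelta(minutes=5), GRAPH + q, user="u-alice", ip="198.51.100.7"))
# Constructed: the sanctioned HR sync service principal doing its scheduled full pull.
for i in range(40):
    SAMPLE_EVENTS.append(_event(T0 + timedelta(minutes=10, seconds=i),
                                GRAPH + f"users?$select=id,mail&$skiptoken=h{i}",
                                sp="sp-hr-sync", app="app-hr-sync", ip="192.0.2.20"))
# Constructed: a probe that is denied (403) and so never counts as successful enumeration.
for i in range(50):
    SAMPLE_EVENTS.append(_event(T0 + timedelta(minutes=12, seconds=i), GRAPH + "directoryRoles",
                                user="u-probe", status=403))

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["risk"], a["principal"], a["count"], a["resources"], "paged:", a["paged"],
              "(suppressed)" if a["suppressed"] else "")
```

Run against the constructed sample, the compromised account surfaces as High with 111 paged requests across five resource types, the HR sync principal is reported but marked suppressed, and the denied probe never appears. That last case deserves its own rule on 401/403 responses: an attacker whose token lacks the directory read permission still leaves a signature.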
References
- https://attack.mitre.org/techniques/T1591/
- https://attack.mitre.org/techniques/T1591/001/
- https://attack.mitre.org/techniques/T1591/002/
- https://attack.mitre.org/techniques/T1591/003/
- https://attack.mitre.org/techniques/T1591/004/
- https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://www.cisa.gov/sites/default/files/2023-01/aa23-025a_joint_csa_understanding_and_mitigating_russian_state-sponsored_cyber_threats_to_us_critical_infrastructure_1.pdf
- https://threatpost.com/broadvoice-leaks-350m-records-exposes-voip-company-client-data/160158/