T1591.002 IBM QRadar · QRadar

Detect Business Relationships in IBM QRadar

Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization's business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim's hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise, Drive-by Compromise, or Trusted Relationship). Real-world actors including Dragonfly, LAPSUS$, and Sandworm Team have used this technique to map organizational supply chains and partner relationships as precursors to targeted attacks.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1591 Gather Victim Org Information
Sub-technique
T1591.002 Business Relationships
Canonical reference
https://attack.mitre.org/techniques/T1591/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "Image" AS ProcessImage, "CommandLine",
  CASE
    WHEN "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' THEN 80
    WHEN "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' THEN 75
    WHEN "Image" ILIKE '%recon-ng%' OR "Image" ILIKE '%maltego%' THEN 70
    WHEN "CommandLine" ILIKE '%whois%' OR "CommandLine" ILIKE '%dnsenum%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nmap%' THEN 'Network Scanner'
    WHEN "Image" ILIKE '%theharvester%' THEN 'OSINT Harvester'
    WHEN "Image" ILIKE '%maltego%' THEN 'Link Analysis Tool'
    ELSE 'Reconnaissance Tool'
  END AS ToolCategory
FROM events
WHERE eventid = 1
  AND (
    "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' OR "Image" ILIKE '%nikto%'
    OR "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' OR "Image" ILIKE '%recon-ng%'
    OR "Image" ILIKE '%maltego%' OR "Image" ILIKE '%spiderfoot%' OR "CommandLine" ILIKE '%dnsenum%'
    OR "CommandLine" ILIKE '%whois %' OR "CommandLine" ILIKE '%-sV %'
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS
medium severity low confidence

QRadar AQL detection for Business Relationships. Detects business relationship reconnaissance via two branches. Branch 1 identifies OSINT tools known to harvest organizational relationship data (theHarvester, Recon-ng, SpiderFoot, Maltego, CrossLink

Data Sources

Sysmon Event ID 1DNS logsNetwork flow data

Required Tables

events

False Positives & Tuning

  • Security awareness teams conducting authorized employee exposure research
  • Authorized red team OSINT assessments
  • HR or marketing teams performing competitive intelligence research
  • Recruiters using professional networks for talent research
Download portable Sigma rule (.yml)

Other platforms for T1591.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1theHarvester Business Relationship Enumeration

    Expected signal: Sysmon Event ID 1 (if Sysmon deployed on Linux): Process Create with CommandLine containing 'theHarvester' and 'example.com'. DNS queries (Sysmon Event ID 22 or auditd) to dnsdumpster.com and crt.sh. Network connection events to OSINT API endpoints. File creation events for output files at /tmp/harvester_output_test.xml and .json.

  2. Test 2Recon-ng Partner Domain Enumeration via Whois Contacts

    Expected signal: Process creation event for recon-ng binary with workspace and command arguments. Network connections to ARIN/RIPE WHOIS servers (port 43) and RDAP APIs. File creation events in ~/.recon-ng/workspaces/test_workspace/ including a SQLite database containing harvested contacts and relationships.

  3. Test 3CrossLinked LinkedIn Organizational Enumeration

    Expected signal: Process creation for python3 with crosslinked in CommandLine. DNS queries to google.com and bing.com for dorked search queries. Network connections to Google/Bing search endpoints. File creation event for /tmp/crosslinked_test.csv containing harvested names formatted as email addresses.

  4. Test 4Simulated Partner Page Scraping via curl Loop

    Expected signal: Network connection events from curl to 127.0.0.1:80 for each URL path. Process creation events for curl with -s and URL arguments. Web server access logs (if running locally) showing all partner-path requests from 127.0.0.1 within a 1.2-second window.

  5. Test 5SpiderFoot OSINT Scan for Organizational Footprint

    Expected signal: Process creation for python3 with spiderfoot in CommandLine and example.com as the target. DNS queries to WHOIS servers, certificate transparency logs (crt.sh, censys.io). File creation events for /tmp/spiderfoot_test.csv and ~/spiderfoot.db (SQLite database). Network connections to passive OSINT data sources. SpiderFoot will enumerate affiliate domains and partner infrastructure associated with example.com.

Last updated: 2026-03-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1591.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1591Gather Victim Org Information

Related Sub-techniques

T1591.001Determine Physical LocationsT1591.003Identify Business TempoT1591.004Identify Roles

Related Techniques

T1591Gather Victim Org InformationT1591.001Determine Physical LocationsT1591.003Identify Business TempoT1591.004Identify RolesT1593.001Social MediaT1594Search Victim-Owned WebsitesT1598Phishing for InformationT1598.003Spearphishing LinkT1195Supply Chain CompromiseT1199Trusted RelationshipT1589.002Email AddressesT1590.001Domain Properties

Same Tactic: Reconnaissance

Popular Detections