Detect Business Relationships in Microsoft Sentinel
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization's business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim's hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise, Drive-by Compromise, or Trusted Relationship). Real-world actors including Dragonfly, LAPSUS$, and Sandworm Team have used this technique to map organizational supply chains and partner relationships as precursors to targeted attacks.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1591 Gather Victim Org Information
- Sub-technique: T1591.002 Business Relationships
- Canonical reference: https://attack.mitre.org/techniques/T1591/002/
KQL Detection Query
// T1591.002 - Business Relationships Reconnaissance Detection
// Branch 1: OSINT tools executing on managed endpoints that harvest business relationship data
let OSINTToolNames = dynamic([
    "theharvester", "recon-ng", "spiderfoot", "maltego", "dmitry",
    "datasploit", "linkedint", "crosslinked", "linkedin2username",
    "osrframework", "metagoofil", "foca", "inspy"
]);
let OSINTToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (OSINTToolNames)
    or ProcessCommandLine has_any (OSINTToolNames)
    or (FileName in~ ("python.exe", "python3", "python3.exe")
        and ProcessCommandLine has_any ("theharvester", "recon-ng", "spiderfoot", "crosslinked", "linkedin2username", "inspy"))
    or (FileName =~ "java.exe" and ProcessCommandLine has "maltego")
| extend DetectionBranch = "OSINT_Tool_Execution"
| extend ToolIdentified = case(
    ProcessCommandLine has "theharvester", "theHarvester",
    ProcessCommandLine has "recon-ng", "Recon-ng",
    ProcessCommandLine has "spiderfoot", "SpiderFoot",
    ProcessCommandLine has "maltego", "Maltego",
    ProcessCommandLine has "crosslinked", "CrossLinked",
    ProcessCommandLine has "linkedin2username", "linkedin2username",
    ProcessCommandLine has "inspy", "InSpy",
    FileName   // default: fall back to the executable name (case() takes a single else value)
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch, ToolIdentified;
// Branch 2: High-volume automated access to partner/relationship pages on org-controlled web properties
let PartnerPageKeywords = dynamic([
    "/partners", "/partner-", "/partnerships", "/vendors", "/vendor-",
    "/suppliers", "/supply-chain", "/alliances", "/ecosystem",
    "/integrations", "/channel-partners", "/resellers", "/distributors",
    "/clients", "/customers", "/case-studies", "/about/team"
]);
let WebScraping = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where isnotempty(SourceIP)
| where RequestURL has_any (PartnerPageKeywords)
| where not(ipv4_is_private(SourceIP))
| summarize
    RequestCount = count(),
    UniqueURLs = dcount(RequestURL),
    SampledURLs = make_set(RequestURL, 5),
    UserAgents = make_set(RequestClientApplication, 3),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, bin(TimeGenerated, 10m)
| where RequestCount > 30 or UniqueURLs > 10
| extend DetectionBranch = "Partner_Page_Scraping"
| extend Timestamp = TimeGenerated
| project Timestamp, SourceIP, RequestCount, UniqueURLs,
    SampledURLs, UserAgents, DetectionBranch;
// Output both branches; Branch 1 (OSINT tool execution) is the highest-fidelity signal.
// union tolerates the differing column sets, leaving the other branch's columns empty.
union OSINTToolExecution, WebScraping
| sort by Timestamp desc

Detects business relationship reconnaissance via two branches. Branch 1 identifies OSINT tools known to harvest organizational relationship data (theHarvester, Recon-ng, SpiderFoot, Maltego, CrossLinked, linkedin2username) executing on managed endpoints using DeviceProcessEvents; this is the highest-confidence detection surface. Branch 2 uses CommonSecurityLog (WAF/proxy telemetry) to identify high-volume automated access to partner, vendor, alliance, and client pages on organization-controlled web properties from a single external IP, indicating systematic scraping. Confidence is set low because the adversary's primary reconnaissance activity occurs entirely outside the victim environment; these queries detect only the minority of cases where tools run on managed endpoints or the organization has WAF visibility into scraping attempts.
Data Sources
Required Tables
- DeviceProcessEvents (Branch 1: endpoint process creation telemetry)
- CommonSecurityLog (Branch 2: WAF/proxy request telemetry in CEF format)
False Positives & Tuning
- Security researchers or red team operators running authorized OSINT assessments on managed endpoints without pre-authorizing the tool names
- Legitimate SEO crawlers (Googlebot, Bingbot, SemRush, Ahrefs) generating high-volume access to partner/client pages — these will dominate WAF logs and must be allow-listed by user-agent and known IP range
- Internal marketing or business development staff using tools like Hunter.io browser extensions or LinkedIn Sales Navigator integrations that trigger OSINT tool heuristics
- Automated monitoring or uptime-check services that repeatedly fetch partner listing pages as part of website availability monitoring
- IT asset management or third-party risk management platforms (BitSight, SecurityScorecard, RiskRecon) that legitimately scrape public partner/vendor pages for continuous monitoring
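The allow-listing described above can be folded directly into both branches. The following query is an added example and is not part of the original detection package; every allow-list value in it (host names, account name, user-agent strings, and the IP ranges, which are RFC 5737 documentation ranges) is a constructed placeholder to be replaced with your own authorized hosts and the crawlers' published ranges. The key design point is that a crawler is excluded only when its user-agent and its source range both match, because a user-agent string alone is trivially spoofed by a scraper.

```kql
// Added tuning example (not from the original page). All allow-list values are constructed
// placeholders: replace them with your own authorized hosts, accounts and published crawler ranges.
let OSINTToolNames = dynamic([
    "theharvester", "recon-ng", "spiderfoot", "maltego", "crosslinked",
    "linkedin2username", "inspy"
]);
// Branch 1 exclusions: pre-authorized red team / research hosts and service accounts (constructed)
let AuthorizedOSINTHosts = dynamic(["redteam-ws01", "secresearch-lab02"]);
let AuthorizedOSINTAccounts = dynamic(["svc_redteam"]);
let OSINTToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (OSINTToolNames)
    or ProcessCommandLine has_any (OSINTToolNames)
| where not(DeviceName in~ (AuthorizedOSINTHosts))
| where not(AccountName in~ (AuthorizedOSINTAccounts))
| extend DetectionBranch = "OSINT_Tool_Execution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, DetectionBranch;
// Branch 2 exclusions: SEO crawlers, uptime monitors and third-party risk platforms.
let PartnerPageKeywords = dynamic([
    "/partners", "/partnerships", "/vendors", "/suppliers", "/supply-chain",
    "/alliances", "/clients", "/customers", "/case-studies"
]);
let KnownCrawlerUserAgents = dynamic(["Googlebot", "bingbot", "SemrushBot", "AhrefsBot"]);
// Placeholder ranges (RFC 5737); substitute the crawlers' published IP ranges.
let KnownCrawlerRanges = dynamic(["203.0.113.0/24", "198.51.100.0/24"]);
// Placeholder range for uptime monitors and TPRM platforms you have onboarded.
let MonitoringRanges = dynamic(["192.0.2.0/24"]);
let WebScraping = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where isnotempty(SourceIP)
| where RequestURL has_any (PartnerPageKeywords)
| where not(ipv4_is_private(SourceIP))
| where not(ipv4_is_in_any_range(SourceIP, MonitoringRanges))
// Exclude a crawler only when BOTH the user-agent AND the source range match.
| where not(RequestClientApplication has_any (KnownCrawlerUserAgents)
            and ipv4_is_in_any_range(SourceIP, KnownCrawlerRanges))
| summarize
    RequestCount = count(),
    UniqueURLs = dcount(RequestURL),
    UserAgents = make_set(RequestClientApplication, 3),
    // Requests that claim a crawler user-agent but come from outside the crawler ranges
    CrawlerUACount = countif(RequestClientApplication has_any (KnownCrawlerUserAgents)),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, bin(TimeGenerated, 10m)
| where RequestCount > 30 or UniqueURLs > 10
| extend SuspectedUASpoof = CrawlerUACount > 0
| extend DetectionBranch = "Partner_Page_Scraping"
| project Timestamp = TimeGenerated, SourceIP, RequestCount, UniqueURLs, UserAgents,
          SuspectedUASpoof, DetectionBranch;
union OSINTToolExecution, WebScraping
| sort by Timestamp desc
```

In production the dynamic arrays would normally be replaced by Sentinel watchlists read through _GetWatchlist(), so that the SOC can maintain authorized hosts and crawler ranges without editing the analytics rule. The SuspectedUASpoof flag is worth keeping as a triage hint: a source claiming to be Googlebot from an address outside Google's published ranges is more, not less, suspicious than an anonymous scraper.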
Testing Methodology
Validate this detection against 5 Atomic Red Team test cases for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: theHarvester Business Relationship Enumeration
  Expected signal: Sysmon Event ID 1 (if Sysmon is deployed on Linux): Process Create with CommandLine containing 'theHarvester' and 'example.com'. DNS queries (Sysmon Event ID 22 or auditd) to dnsdumpster.com and crt.sh. Network connection events to OSINT API endpoints. File creation events for output files at /tmp/harvester_output_test.xml and .json.
- Test 2: Recon-ng Partner Domain Enumeration via Whois Contacts
  Expected signal: Process creation event for the recon-ng binary with workspace and command arguments. Network connections to ARIN/RIPE WHOIS servers (port 43) and RDAP APIs. File creation events in ~/.recon-ng/workspaces/test_workspace/ including a SQLite database containing harvested contacts and relationships.
- Test 3: CrossLinked LinkedIn Organizational Enumeration
  Expected signal: Process creation for python3 with crosslinked in CommandLine. DNS queries to google.com and bing.com for dorked search queries. Network connections to Google/Bing search endpoints. File creation event for /tmp/crosslinked_test.csv containing harvested names formatted as email addresses.
- Test 4: Simulated Partner Page Scraping via curl Loop
  Expected signal: Network connection events from curl to 127.0.0.1:80 for each URL path. Process creation events for curl with -s and URL arguments. Web server access logs (if running locally) showing all partner-path requests from 127.0.0.1 within a 1.2-second window.
- Test 5: SpiderFoot OSINT Scan for Organizational Footprint
  Expected signal: Process creation for python3 with spiderfoot in CommandLine and example.com as the target. DNS queries to WHOIS servers and certificate transparency logs (crt.sh, censys.io). File creation events for /tmp/spiderfoot_test.csv and ~/spiderfoot.db (SQLite database). Network connections to passive OSINT data sources. SpiderFoot will enumerate affiliate domains and partner infrastructure associated with example.com.
References
- https://attack.mitre.org/techniques/T1591/002/
- https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
- https://go.recordedfuture.com/hubfs/reports/cta-2021-1020.pdf
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
- https://github.com/laramies/theHarvester
- https://github.com/lanmaster53/recon-ng
- https://github.com/m8sec/CrossLinked
- https://www.spiderfoot.net/documentation/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1591.002/T1591.002.md