T1591.002 Splunk · SPL

Detect Business Relationships in Splunk

Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization's business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim's hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise, Drive-by Compromise, or Trusted Relationship). Real-world actors including Dragonfly, LAPSUS$, and Sandworm Team have used this technique to map organizational supply chains and partner relationships as precursors to targeted attacks.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1591 Gather Victim Org Information
Sub-technique: T1591.002 Business Relationships
Canonical reference: https://attack.mitre.org/techniques/T1591/002/

SPL Detection Query

Splunk (SPL)

| multisearch
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*theharvester*" OR CommandLine="*recon-ng*" OR CommandLine="*spiderfoot*"
     OR CommandLine="*maltego*" OR CommandLine="*crosslinked*" OR CommandLine="*linkedin2username*"
     OR CommandLine="*inspy*" OR CommandLine="*dmitry*" OR CommandLine="*datasploit*"
     OR CommandLine="*metagoofil*" OR CommandLine="*osrframework*")
    | eval DetectionBranch="OSINT_Tool_Execution"
    | eval ToolIdentified=case(
        match(lower(CommandLine), "theharvester"), "theHarvester",
        match(lower(CommandLine), "recon-ng"), "Recon-ng",
        match(lower(CommandLine), "spiderfoot"), "SpiderFoot",
        match(lower(CommandLine), "maltego"), "Maltego",
        match(lower(CommandLine), "crosslinked"), "CrossLinked",
        match(lower(CommandLine), "linkedin2username"), "linkedin2username",
        match(lower(CommandLine), "inspy"), "InSpy",
        match(lower(CommandLine), "dmitry"), "DMitry",
        match(lower(CommandLine), "datasploit"), "DataSploit",
        match(lower(CommandLine), "metagoofil"), "Metagoofil",
        match(lower(CommandLine), "osrframework"), "OSRFramework",
        1==1, Image
      )
    | eval Entity=host
    | fields _time, Entity, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, ToolIdentified
  ]
  [
    search index=web sourcetype="stream:http"
    (uri_path="*/partners*" OR uri_path="*/vendor*" OR uri_path="*/suppliers*"
     OR uri_path="*/alliances*" OR uri_path="*/ecosystem*" OR uri_path="*/integrations*"
     OR uri_path="*/channel-partners*" OR uri_path="*/resellers*" OR uri_path="*/distributors*"
     OR uri_path="*/case-studies*")
    | where NOT (cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip))
    | eval DetectionBranch="Partner_Page_Scraping"
    | eval ToolIdentified="Web Scraper"
    | eval Entity=src_ip
    | fields _time, Entity, src_ip, uri_path, http_user_agent, DetectionBranch, ToolIdentified
  ]
| bucket _time span=10m
| stats count as EventCount, dc(uri_path) as UniqueURLs,
        values(uri_path) as SampledURLs, values(http_user_agent) as UserAgents,
        values(host) as host, values(User) as User, values(Image) as Image,
        values(CommandLine) as CommandLine, values(ParentImage) as ParentImage,
        values(ParentCommandLine) as ParentCommandLine, values(ToolIdentified) as ToolIdentified
  by Entity, DetectionBranch, _time
| where DetectionBranch="OSINT_Tool_Execution" OR EventCount > 30 OR UniqueURLs > 10
| eval risk_score=case(
    DetectionBranch="OSINT_Tool_Execution", 70,
    DetectionBranch="Partner_Page_Scraping" AND EventCount > 100, 60,
    DetectionBranch="Partner_Page_Scraping", 40,
    1==1, 30
  )
| sort - risk_score, - _time

Severity: medium · Confidence: low

Detects business relationship reconnaissance using a multisearch across two data sources. The first branch targets Sysmon Event ID 1 (Process Creation) to identify OSINT tools commonly used to harvest partner, vendor, and supply-chain data from LinkedIn, corporate websites, and public databases. The second branch queries HTTP stream data for high-volume automated access to partner and relationship pages from external IPs, with bucketed time windows to identify scraping bursts. A risk score is assigned based on detection branch and severity indicators. Requires stream:http (Splunk Stream) for web traffic visibility; substitute with your proxy sourcetype (e.g., proxy or pan:traffic) as appropriate.
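To make the two-branch logic checkable offline, here is an added Python re-implementation (it is not code from the original page or from the Splunk rule): it applies the same tool-name matching, partner-path filter, private-address exclusion, 10-minute bucketing, thresholds and risk scoring to constructed Sysmon and HTTP events. Field names mirror the SPL; the hosts, IPs, user agents and timestamps are assumptions. It goes slightly beyond the query text in one respect: the private-address filter covers the whole 172.16.0.0/12 block, not only the 172.16.* prefix.

```python
# Added example, not code from the original page: a Python re-implementation of
# the two detection branches above, run over constructed sample events so the
# thresholds, RFC1918 exclusion and risk scoring can be checked offline.
# Event field names follow the SPL; hosts, IPs and user agents are assumptions.
import ipaddress
from collections import defaultdict

# Substrings from the SPL CommandLine wildcards, mapped to the case() labels.
OSINT_TOOLS = {
    "theharvester": "theHarvester", "recon-ng": "Recon-ng", "spiderfoot": "SpiderFoot",
    "maltego": "Maltego", "crosslinked": "CrossLinked", "linkedin2username": "linkedin2username",
    "inspy": "InSpy", "dmitry": "DMitry", "datasploit": "DataSploit",
    "metagoofil": "Metagoofil", "osrframework": "OSRFramework",
}
PARTNER_PATHS = ("/partners", "/vendor", "/suppliers", "/alliances", "/ecosystem",
                 "/integrations", "/channel-partners", "/resellers", "/distributors",
                 "/case-studies")
# Full RFC1918 ranges; 172.16.0.0/12 spans 172.16.x through 172.31.x.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUCKET_SECONDS = 600  # SPL: bucket _time span=10m


def identify_tool(command_line):
    """Return the tool label for a process-creation event, or None if no tool matches."""
    lowered = command_line.lower()
    for needle, label in OSINT_TOOLS.items():
        if needle in lowered:
            return label
    return None


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def bucket(ts):
    """Floor an epoch timestamp to the start of its 10-minute window."""
    return ts - (ts % BUCKET_SECONDS)


def risk_score(branch, request_count=0):
    """Same precedence as the SPL case(): tool execution outranks scraping volume."""
    if branch == "OSINT_Tool_Execution":
        return 70
    if branch == "Partner_Page_Scraping":
        return 60 if request_count > 100 else 40
    return 30


def detect(sysmon_events, http_events, min_requests=30, min_unique=10):
    """Run both branches and return alerts ordered like `sort - risk_score, - _time`."""
    alerts = []
    for ev in sysmon_events:                      # branch 1: OSINT tool execution
        if ev.get("EventCode") != 1:
            continue
        tool = identify_tool(ev["CommandLine"])
        if tool:
            alerts.append({"_time": ev["_time"], "host": ev["host"], "User": ev["User"],
                           "Image": ev["Image"], "ToolIdentified": tool,
                           "DetectionBranch": "OSINT_Tool_Execution",
                           "risk_score": risk_score("OSINT_Tool_Execution")})
    windows = defaultdict(list)                   # branch 2: (src_ip, window) -> events
    for ev in http_events:
        if is_internal(ev["src_ip"]) or not any(p in ev["uri_path"] for p in PARTNER_PATHS):
            continue
        windows[(ev["src_ip"], bucket(ev["_time"]))].append(ev)
    for (src_ip, start), evs in windows.items():
        unique = {e["uri_path"] for e in evs}
        if len(evs) > min_requests or len(unique) > min_unique:
            alerts.append({"_time": start, "src_ip": src_ip, "RequestCount": len(evs),
                           "UniqueURLs": len(unique),
                           "UserAgents": sorted({e["http_user_agent"] for e in evs}),
                           "DetectionBranch": "Partner_Page_Scraping",
                           "risk_score": risk_score("Partner_Page_Scraping", len(evs))})
    return sorted(alerts, key=lambda a: (-a["risk_score"], -a["_time"]))


# Constructed sample telemetry. T0 is 2024-01-15 09:00:00 UTC, a 10-minute boundary.
T0 = 1705309200
SAMPLE_SYSMON = [
    {"_time": T0 + 5, "EventCode": 1, "host": "analyst-01", "User": "CORP\\jdoe",
     "Image": "C:\\Python311\\python.exe",
     "CommandLine": "python.exe theHarvester.py -d example.com -b linkedin"},
    {"_time": T0 + 9, "EventCode": 1, "host": "analyst-01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]
SAMPLE_HTTP = (
    # 40 requests over 12 partner paths from one external IP inside one window: fires.
    [{"_time": T0 + i, "src_ip": "203.0.113.7", "uri_path": f"/partners/page-{i % 12}",
      "http_user_agent": "python-requests/2.31"} for i in range(40)]
    # Same burst from 172.20.4.9: inside 172.16.0.0/12, so excluded, although a
    # plain "172.16.*" wildcard would not have caught it.
    + [{"_time": T0 + i, "src_ip": "172.20.4.9", "uri_path": f"/vendor/{i}",
        "http_user_agent": "Mozilla/5.0"} for i in range(40)]
    # Five ordinary visits spread over five minutes: below both thresholds.
    + [{"_time": T0 + 60 * i, "src_ip": "198.51.100.2", "uri_path": "/case-studies/acme",
        "http_user_agent": "Mozilla/5.0"} for i in range(5)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_SYSMON, SAMPLE_HTTP):
        print(alert)
```

Running the block prints two alerts: the theHarvester execution at risk 70 and the 203.0.113.7 burst (40 requests, 12 unique paths) at risk 40; the 172.20.4.9 burst is dropped by the private-range check and the five ordinary visits stay under both thresholds.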

Data Sources

  • Process: Process Creation
  • Network Traffic: Network Traffic Content
  • Sysmon Event ID 1
  • HTTP Stream / Web Proxy Logs

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • stream:http

False Positives & Tuning

  • Authorized red team or penetration testing engagements using OSINT tools on managed endpoints — verify against active engagement records and SOW scope
  • Web search engine crawlers (Googlebot, Bingbot) and legitimate commercial scanners (Shodan, Censys) accessing public partner pages at high volume — filter by known crawler IP ranges and user-agent strings
  • Third-party risk management platforms and security rating services making regular sweeps of your public web presence for vendor risk scoring
  • Sales intelligence tools and CRM integrations (LinkedIn Sales Navigator, ZoomInfo, Clearbit) that employees use daily and that generate OSINT-adjacent process names
  • Bug bounty reconnaissance by authorized researchers who have disclosed they are using automated tools within defined scope
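The tuning cases above can be encoded as explicit, auditable suppression rules rather than ad-hoc exclusions. The following added Python example (not from the original page) annotates alerts in the detection's output shape with a suppression reason: crawler traffic is suppressed only when both the source range and the user agent match, OSINT tool runs are suppressed when host, tool and time all fall inside an approved engagement window, and sales-intelligence binaries are matched by image path. Every range, engagement record, binary name and sample alert is a constructed placeholder.

```python
# Added example, not code from the original page: suppression logic for the
# tuning cases listed above, applied to alerts shaped like the detection's output.
# Crawler ranges, engagement records, binaries and the sample alerts are all
# constructed placeholders; populate them from vendor-published IP lists and your
# own engagement records.
import ipaddress
import re

# Known crawlers: require BOTH a published source range and a matching user agent,
# because a user-agent string on its own is trivially forged.
CRAWLERS = {
    "googlebot": {"ranges": [ipaddress.ip_network("192.0.2.0/24")],      # placeholder
                  "ua": re.compile(r"Googlebot", re.I)},
    "censys":    {"ranges": [ipaddress.ip_network("198.51.100.0/25")],   # placeholder
                  "ua": re.compile(r"CensysInspect", re.I)},
}
# Approved engagements: host, tools in scope and the SOW window (epoch seconds).
ENGAGEMENTS = [
    {"ref": "SOW-EXAMPLE-001", "host": "redteam-kali-01",
     "tools": {"theHarvester", "Recon-ng", "SpiderFoot"},
     "start": 1705300000, "end": 1705900000},
]
# Sales-intelligence / CRM binaries whose process names look OSINT-adjacent.
BENIGN_IMAGES = re.compile(r"\\(ZoomInfo|Clearbit|LinkedIn)[^\\]*\.exe$", re.I)


def crawler_match(alert):
    """Return the crawler name when src_ip is in its range and a UA in the window matches."""
    ip = ipaddress.ip_address(alert["src_ip"])
    for name, spec in CRAWLERS.items():
        in_range = any(ip in net for net in spec["ranges"])
        ua_hit = any(spec["ua"].search(ua) for ua in alert.get("UserAgents", []))
        if in_range and ua_hit:
            return name
    return None


def engagement_match(alert):
    """Return the SOW reference when host, tool and time all fall inside an engagement."""
    for eng in ENGAGEMENTS:
        if (alert.get("host") == eng["host"] and alert.get("ToolIdentified") in eng["tools"]
                and eng["start"] <= alert["_time"] <= eng["end"]):
            return eng["ref"]
    return None


def triage(alerts):
    """Annotate each alert with a suppression reason (or None). Nothing is dropped,
    so suppressed alerts remain auditable and the allowlists can be reviewed."""
    out = []
    for alert in alerts:
        reason = None
        if alert["DetectionBranch"] == "Partner_Page_Scraping":
            name = crawler_match(alert)
            reason = f"known_crawler:{name}" if name else None
        elif alert["DetectionBranch"] == "OSINT_Tool_Execution":
            ref = engagement_match(alert)
            if ref:
                reason = f"authorized_engagement:{ref}"
            elif BENIGN_IMAGES.search(alert.get("Image", "")):
                reason = "sales_intel_tool"
        out.append({**alert, "suppressed": reason})
    return out


# Constructed sample alerts in the detection's output shape.
SAMPLE_ALERTS = [
    {"_time": 1705309200, "DetectionBranch": "Partner_Page_Scraping", "src_ip": "192.0.2.5",
     "RequestCount": 45, "UniqueURLs": 14, "UserAgents": ["Mozilla/5.0 (compatible; Googlebot/2.1)"]},
    # Same UA but from outside the published range: NOT suppressed.
    {"_time": 1705309200, "DetectionBranch": "Partner_Page_Scraping", "src_ip": "203.0.113.7",
     "RequestCount": 45, "UniqueURLs": 14, "UserAgents": ["Mozilla/5.0 (compatible; Googlebot/2.1)"]},
    {"_time": 1705309205, "DetectionBranch": "OSINT_Tool_Execution", "host": "redteam-kali-01",
     "ToolIdentified": "theHarvester", "Image": "/usr/bin/python3"},
    {"_time": 1705309205, "DetectionBranch": "OSINT_Tool_Execution", "host": "analyst-01",
     "ToolIdentified": "theHarvester", "Image": "C:\\Python311\\python.exe"},
    {"_time": 1705309205, "DetectionBranch": "OSINT_Tool_Execution", "host": "sales-07",
     "ToolIdentified": "C:\\Program Files\\ZoomInfo\\ZoomInfoEngage.exe",
     "Image": "C:\\Program Files\\ZoomInfo\\ZoomInfoEngage.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(alert["DetectionBranch"], alert.get("src_ip") or alert.get("host"), alert["suppressed"])
```

Keeping suppressed alerts in the output (with a reason) rather than discarding them means a periodic review can show which allowlist entry is absorbing the most volume, which is how stale crawler ranges and expired engagement windows get noticed.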

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: theHarvester Business Relationship Enumeration

    Expected signal: Sysmon Event ID 1 (if Sysmon deployed on Linux): Process Create with CommandLine containing 'theHarvester' and 'example.com'. DNS queries (Sysmon Event ID 22 or auditd) to dnsdumpster.com and crt.sh. Network connection events to OSINT API endpoints. File creation events for output files at /tmp/harvester_output_test.xml and .json.

  2. Test 2: Recon-ng Partner Domain Enumeration via Whois Contacts

    Expected signal: Process creation event for recon-ng binary with workspace and command arguments. Network connections to ARIN/RIPE WHOIS servers (port 43) and RDAP APIs. File creation events in ~/.recon-ng/workspaces/test_workspace/ including a SQLite database containing harvested contacts and relationships.

  3. Test 3: CrossLinked LinkedIn Organizational Enumeration

    Expected signal: Process creation for python3 with crosslinked in CommandLine. DNS queries to google.com and bing.com for dorked search queries. Network connections to Google/Bing search endpoints. File creation event for /tmp/crosslinked_test.csv containing harvested names formatted as email addresses.

  4. Test 4: Simulated Partner Page Scraping via curl Loop

    Expected signal: Network connection events from curl to 127.0.0.1:80 for each URL path. Process creation events for curl with -s and URL arguments. Web server access logs (if running locally) showing all partner-path requests from 127.0.0.1 within a 1.2-second window.

  5. Test 5: SpiderFoot OSINT Scan for Organizational Footprint

    Expected signal: Process creation for python3 with spiderfoot in CommandLine and example.com as the target. DNS queries to WHOIS servers, certificate transparency logs (crt.sh, censys.io). File creation events for /tmp/spiderfoot_test.csv and ~/spiderfoot.db (SQLite database). Network connections to passive OSINT data sources. SpiderFoot will enumerate affiliate domains and partner infrastructure associated with example.com.
