Detect Business Relationships in Sumo Logic CSE
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization's business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim's hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise, Drive-by Compromise, or Trusted Relationship). Real-world actors including Dragonfly, LAPSUS$, and Sandworm Team have used this technique to map organizational supply chains and partner relationships as precursors to targeted attacks.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1591 Gather Victim Org Information
- Sub-technique
- T1591.002 Business Relationships
- Canonical reference
- https://attack.mitre.org/techniques/T1591/002/
Sumo Detection Query
_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 1
| eval ImageLower = lower(Image)
| eval CmdLower = lower(CommandLine)
| where matches(ImageLower, "nmap|masscan|nikto|shodan|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap")
or matches(CmdLower, "\-sV |\-O |\-sC |\-p\s+\d|dnsenum|whois |hunter\.io")
| eval ToolCategory = if(matches(ImageLower, "nmap|masscan|zmap"), "Port Scanner",
if(matches(ImageLower, "theharvester|spiderfoot"), "OSINT Tool",
if(matches(ImageLower, "nikto"), "Web Scanner", "Recon Tool")))
| eval RiskScore = if(ToolCategory = "Port Scanner", 75,
if(ToolCategory = "OSINT Tool", 70, 60))
| stats count, values(CommandLine) AS Commands by _sourceHost, User, ToolCategory, RiskScore
| sort by RiskScore descSumo Logic detection for Business Relationships. Detects business relationship reconnaissance via two branches. Branch 1 identifies OSINT tools known to harvest organizational relationship data (theHarvester, Recon-ng, SpiderFoot, Maltego, CrossLink
Data Sources
Required Tables
False Positives & Tuning
- Authorized OSINT assessments by internal red teams
- HR and talent acquisition teams using professional networking tools
- Marketing teams conducting authorized competitive intelligence research
- Security awareness programs researching employee exposure footprint
Other platforms for T1591.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1theHarvester Business Relationship Enumeration
Expected signal: Sysmon Event ID 1 (if Sysmon deployed on Linux): Process Create with CommandLine containing 'theHarvester' and 'example.com'. DNS queries (Sysmon Event ID 22 or auditd) to dnsdumpster.com and crt.sh. Network connection events to OSINT API endpoints. File creation events for output files at /tmp/harvester_output_test.xml and .json.
- Test 2Recon-ng Partner Domain Enumeration via Whois Contacts
Expected signal: Process creation event for recon-ng binary with workspace and command arguments. Network connections to ARIN/RIPE WHOIS servers (port 43) and RDAP APIs. File creation events in ~/.recon-ng/workspaces/test_workspace/ including a SQLite database containing harvested contacts and relationships.
- Test 3CrossLinked LinkedIn Organizational Enumeration
Expected signal: Process creation for python3 with crosslinked in CommandLine. DNS queries to google.com and bing.com for dorked search queries. Network connections to Google/Bing search endpoints. File creation event for /tmp/crosslinked_test.csv containing harvested names formatted as email addresses.
- Test 4Simulated Partner Page Scraping via curl Loop
Expected signal: Network connection events from curl to 127.0.0.1:80 for each URL path. Process creation events for curl with -s and URL arguments. Web server access logs (if running locally) showing all partner-path requests from 127.0.0.1 within a 1.2-second window.
- Test 5SpiderFoot OSINT Scan for Organizational Footprint
Expected signal: Process creation for python3 with spiderfoot in CommandLine and example.com as the target. DNS queries to WHOIS servers, certificate transparency logs (crt.sh, censys.io). File creation events for /tmp/spiderfoot_test.csv and ~/spiderfoot.db (SQLite database). Network connections to passive OSINT data sources. SpiderFoot will enumerate affiliate domains and partner infrastructure associated with example.com.
References (10)
- https://attack.mitre.org/techniques/T1591/002/
- https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
- https://go.recordedfuture.com/hubfs/reports/cta-2021-1020.pdf
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
- https://github.com/laramies/theHarvester
- https://github.com/lanmaster53/recon-ng
- https://github.com/m8sec/CrossLinked
- https://www.spiderfoot.net/documentation/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1591.002/T1591.002.md
Unlock Pro Content
Get the full detection package for T1591.002 including response playbook, investigation guide, and atomic red team tests.