T1591.003 Elastic Security · Elastic

Detect Identify Business Tempo in Elastic Security

Adversaries may gather information about the victim's business tempo that can be used during targeting. Business tempo information includes operational hours, days of the week, purchase and procurement schedules, and hardware/software shipment timings. Adversaries exploit this intelligence to optimize attack timing (e.g., launching intrusions during off-hours when SOC staffing is reduced), target supply chain shipments, or craft convincing spearphishing pretexts referencing internal operational cadences. While the reconnaissance activity itself typically occurs outside the victim environment — via public websites, social media, direct phishing — detectable artifacts emerge when: (1) organization-owned web properties are systematically scraped for operational content, (2) OSINT enumeration tools run on managed endpoints, or (3) phishing lures referencing business tempo arrive in organizational email. Detection confidence is inherently low due to the external and passive nature of this technique.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1591 Gather Victim Org Information
Sub-technique
T1591.003 Identify Business Tempo
Canonical reference
https://attack.mitre.org/techniques/T1591/003/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start"
  and (process.name : ("theHarvester*", "maltego*", "recon-ng*", "spiderfoot*", "osrframework*")
   or process.command_line : ("*linkedin*", "*whois*", "*shodan*", "*hunter.io*"))
low severity low confidence

Elastic EQL detection for Identify Business Tempo. Detects systematic web scraping of organization-owned operational pages (business hours, shipping schedules, contact pages, procurement information) via WAF and proxy logs in CommonSecurityLog. Identi

Data Sources

Elastic Endpoint SecurityProcess events

Required Tables

logs-endpoint.events.process.*

False Positives & Tuning

  • Security awareness teams researching employee exposure for training purposes
  • Authorized OSINT assessments by internal red teams or security consultants
  • HR or marketing teams performing routine competitive intelligence research
  • Recruiters using LinkedIn and similar platforms for talent research
Download portable Sigma rule (.yml)

Other platforms for T1591.003

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Web Scraping of Organizational Operational Pages with Python Requests

    Expected signal: WAF/proxy logs (CommonSecurityLog or stream:http): HTTP GET requests to each enumerated path from the test host IP with User-Agent 'python-requests/2.31.0'. If the organization uses an outbound proxy, requests will appear in proxy logs. If executed against an internal test server, Apache/Nginx access logs will show the scraping pattern.

  2. Test 2theHarvester OSINT Enumeration for Business Information

    Expected signal: Sysmon Event ID 1 (if Sysmon installed): Process Create with Image containing 'theharvester' or 'python3' and CommandLine containing '-d example.com'. DeviceProcessEvents in MDE: FileName=python3, ProcessCommandLine containing 'theharvester'. If outbound proxy is in use, DNS queries to bing.com, linkedin.com, yahoo.com from the host.

  3. Test 3Slow-and-Low Scraping Simulation with curl

    Expected signal: WAF/proxy access logs: 8 sequential HTTP GET requests to operational path patterns over approximately 80 seconds, all from the same source IP. User-Agent 'Mozilla/5.0 (compatible; CustomBot/1.0)' — partially spoofed browser string that still exposes the bot identifier. CommonSecurityLog will show spread-over-time pattern.

  4. Test 4Phishing Email Pretext Simulating Business Tempo Elicitation

    Expected signal: File creation event (Sysmon Event ID 11 / DeviceFileEvents): creation of /tmp/df00tech-tempo-phish-draft.txt. This test does not generate network telemetry. In production, actual phishing emails would appear in email gateway logs (O365 MessageTrace, Proofpoint, Mimecast) with subject lines matching the business tempo keyword patterns in the hunting query.

Last updated: 2026-03-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1591.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1591Gather Victim Org Information

Related Sub-techniques

T1591.001Determine Physical LocationsT1591.002Business RelationshipsT1591.004Identify Roles

Related Techniques

T1591Gather Victim Org InformationT1591.001Determine Physical LocationsT1591.002Business RelationshipsT1591.004Identify RolesT1594Search Victim-Owned WebsitesT1593.001Social MediaT1598Phishing for InformationT1598.003Spearphishing LinkT1195Supply Chain CompromiseT1199Trusted Relationship

Same Tactic: Reconnaissance

Popular Detections