Detect Identify Business Tempo in IBM QRadar
Adversaries may gather information about the victim's business tempo that can be used during targeting. Business tempo information includes operational hours, days of the week, purchase and procurement schedules, and hardware/software shipment timings. Adversaries exploit this intelligence to optimize attack timing (e.g., launching intrusions during off-hours when SOC staffing is reduced), target supply chain shipments, or craft convincing spearphishing pretexts referencing internal operational cadences. While the reconnaissance activity itself typically occurs outside the victim environment — via public websites, social media, direct phishing — detectable artifacts emerge when: (1) organization-owned web properties are systematically scraped for operational content, (2) OSINT enumeration tools run on managed endpoints, or (3) phishing lures referencing business tempo arrive in organizational email. Detection confidence is inherently low due to the external and passive nature of this technique.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1591 Gather Victim Org Information
- Sub-technique
- T1591.003 Identify Business Tempo
- Canonical reference
- https://attack.mitre.org/techniques/T1591/003/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS HostIP, username,
"Image" AS ProcessImage, "CommandLine",
CASE
WHEN "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' THEN 80
WHEN "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' THEN 75
WHEN "Image" ILIKE '%recon-ng%' OR "Image" ILIKE '%maltego%' THEN 70
WHEN "CommandLine" ILIKE '%whois%' OR "CommandLine" ILIKE '%dnsenum%' THEN 60
ELSE 40
END AS RiskScore,
CASE
WHEN "Image" ILIKE '%nmap%' THEN 'Network Scanner'
WHEN "Image" ILIKE '%theharvester%' THEN 'OSINT Harvester'
WHEN "Image" ILIKE '%maltego%' THEN 'Link Analysis Tool'
ELSE 'Reconnaissance Tool'
END AS ToolCategory
FROM events
WHERE eventid = 1
AND (
"Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' OR "Image" ILIKE '%nikto%'
OR "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' OR "Image" ILIKE '%recon-ng%'
OR "Image" ILIKE '%maltego%' OR "Image" ILIKE '%spiderfoot%' OR "CommandLine" ILIKE '%dnsenum%'
OR "CommandLine" ILIKE '%whois %' OR "CommandLine" ILIKE '%-sV %'
)
AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURSQRadar AQL detection for Identify Business Tempo. Detects systematic web scraping of organization-owned operational pages (business hours, shipping schedules, contact pages, procurement information) via WAF and proxy logs in CommonSecurityLog. Identi
Data Sources
Required Tables
False Positives & Tuning
- Security awareness teams conducting authorized employee exposure research
- Authorized red team OSINT assessments
- HR or marketing teams performing competitive intelligence research
- Recruiters using professional networks for talent research
Other platforms for T1591.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Web Scraping of Organizational Operational Pages with Python Requests
Expected signal: WAF/proxy logs (CommonSecurityLog or stream:http): HTTP GET requests to each enumerated path from the test host IP with User-Agent 'python-requests/2.31.0'. If the organization uses an outbound proxy, requests will appear in proxy logs. If executed against an internal test server, Apache/Nginx access logs will show the scraping pattern.
- Test 2theHarvester OSINT Enumeration for Business Information
Expected signal: Sysmon Event ID 1 (if Sysmon installed): Process Create with Image containing 'theharvester' or 'python3' and CommandLine containing '-d example.com'. DeviceProcessEvents in MDE: FileName=python3, ProcessCommandLine containing 'theharvester'. If outbound proxy is in use, DNS queries to bing.com, linkedin.com, yahoo.com from the host.
- Test 3Slow-and-Low Scraping Simulation with curl
Expected signal: WAF/proxy access logs: 8 sequential HTTP GET requests to operational path patterns over approximately 80 seconds, all from the same source IP. User-Agent 'Mozilla/5.0 (compatible; CustomBot/1.0)' — partially spoofed browser string that still exposes the bot identifier. CommonSecurityLog will show spread-over-time pattern.
- Test 4Phishing Email Pretext Simulating Business Tempo Elicitation
Expected signal: File creation event (Sysmon Event ID 11 / DeviceFileEvents): creation of /tmp/df00tech-tempo-phish-draft.txt. This test does not generate network telemetry. In production, actual phishing emails would appear in email gateway logs (O365 MessageTrace, Proofpoint, Mimecast) with subject lines matching the business tempo keyword patterns in the hunting query.
References (9)
- https://attack.mitre.org/techniques/T1591/003/
- https://attack.mitre.org/techniques/T1591/
- https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
- https://attack.mitre.org/techniques/T1598/
- https://attack.mitre.org/techniques/T1594/
- https://attack.mitre.org/techniques/T1195/
- https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format
- https://github.com/laramies/theHarvester
- https://www.greynoise.io/blog/understanding-internet-background-noise
Unlock Pro Content
Get the full detection package for T1591.003 including response playbook, investigation guide, and atomic red team tests.