T1591.004 Identify Roles Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let OsintToolNames = dynamic(["theharvester", "crosslinked", "linkedint", "phoneinfoga", "reconng", "recon-ng", "spiderfoot", "maltego", "littlebrother", "osrframework", "linkedin2username"]);
let DataBrokerDomains = dynamic(["hunter.io", "rocketreach.co", "clearbit.com", "apollo.io", "zoominfo.com", "lusha.com", "seamless.ai", "swordfish.ai", "contactout.com", "signalhire.com", "pipl.com", "kendo.io", "snov.io", "voilanorbert.com"]);
let PersonnelPagePaths = dynamic(["/team", "/leadership", "/executives", "/staff", "/our-team", "/people", "/management", "/board", "/directory", "/org-chart", "/orgchart", "/about-us/team", "/about/team"]);
// Branch 1: OSINT tool execution on managed endpoints (insider threat or compromised endpoint)
let OsintToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where tolower(FileName) has_any (OsintToolNames)
    or (
        FileName in~ ("python.exe", "python3", "python", "bash", "sh", "cmd.exe", "powershell.exe")
        and tolower(ProcessCommandLine) has_any (OsintToolNames)
    )
| extend DetectionBranch = "OSINT_Tool_Execution"
| extend RiskIndicator = strcat("OSINT tool detected on managed endpoint: ", FileName)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, RiskIndicator;
// Branch 2: Non-browser process connections to data-broker / people-search APIs
let DataBrokerConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (DataBrokerDomains)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
                                          "opera.exe", "iexplore.exe", "safari", "chromium")
| extend DetectionBranch = "DataBroker_API_Connection"
| extend RiskIndicator = strcat("Non-browser process accessing data-broker API: ",
                                InitiatingProcessFileName, " -> ", RemoteUrl)
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, RiskIndicator;
union OsintToolExec, DataBrokerConnections
| sort by Timestamp desc

medium severity low confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Security team members or penetration testers running OSINT tools as part of authorized red team engagements or attack surface assessments
Recruiting and HR personnel using data-broker tools (ZoomInfo, Apollo, Clearbit, Hunter.io) for candidate sourcing via local scripts or integrations rather than browser
Sales and marketing teams with CRM enrichment integrations (Salesforce, HubSpot) that use contact-data APIs via background processes rather than browser-based access
Threat intelligence analysts using OSINT frameworks (Recon-ng, SpiderFoot, Maltego) for adversary infrastructure research as part of their daily workflow
IT administrators using LinkedIn2Username or similar tools for authorized user enumeration during security posture assessments

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ProcessNameLower=lower(Image)
| eval CommandLineLower=lower(CommandLine)
| eval OsintToolExec=if(
    match(ProcessNameLower, "(theharvester|crosslinked|linkedint|phoneinfoga|spiderfoot|maltego|linkedin2username|osrframework)")
    OR (match(ProcessNameLower, "(python|bash|sh|cmd|powershell)")
        AND match(CommandLineLower, "(theharvester|crosslinked|linkedint|recon-ng|spiderfoot|phoneinfoga|littlebrother|osrframework|linkedin2username)")),
    1, 0)
| eval DataBrokerRef=if(
    match(CommandLineLower, "(hunter\.io|rocketreach\.co|clearbit\.com|apollo\.io|zoominfo\.com|lusha\.com|seamless\.ai|contactout\.com|pipl\.com|kendo\.io|snov\.io|voilanorbert\.com)"),
    1, 0)
| eval PersonnelScrapeCmd=if(
    match(CommandLineLower, "(/team|/leadership|/executives|/staff|/our-team|/people|/management|/board|/directory|/org-chart)"),
    1, 0)
| eval SuspicionScore=OsintToolExec + DataBrokerRef + PersonnelScrapeCmd
| where SuspicionScore > 0
| eval DetectionBranch=case(
    OsintToolExec=1, "OSINT_Tool_Execution",
    DataBrokerRef=1, "DataBroker_Command_Argument",
    PersonnelScrapeCmd=1, "Personnel_Scraping_Command",
    true(), "Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        OsintToolExec, DataBrokerRef, PersonnelScrapeCmd, SuspicionScore, DetectionBranch
| sort - _time

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Security team members or penetration testers running OSINT tools as part of authorized red team engagements or vulnerability assessments
Recruiting and HR personnel using data-broker tools via command-line scripts or integrations for candidate sourcing workflows
Threat intelligence analysts running OSINT frameworks (Recon-ng, SpiderFoot) for adversary research as part of their daily threat intel function
IT automation scripts referencing data-enrichment API endpoints for CRM lead population or sales intelligence workflows
Web scrapers or crawlers operated by marketing teams that reference personnel page paths in their configurations

Elastic Security (EQL)

eql

process where event.type == "start"
  and (process.name : ("theHarvester*", "maltego*", "recon-ng*", "spiderfoot*", "osrframework*")
   or process.command_line : ("*linkedin*", "*whois*", "*shodan*", "*hunter.io*"))

medium severity low confidence

Data Sources

Elastic Endpoint Security Process events

Required Tables

logs-endpoint.events.process.*

False Positives

Security awareness teams researching employee exposure for training purposes
Authorized OSINT assessments by internal red teams or security consultants
HR or marketing teams performing routine competitive intelligence research
Recruiters using LinkedIn and similar platforms for talent research

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "Image" AS ProcessImage, "CommandLine",
  CASE
    WHEN "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' THEN 80
    WHEN "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' THEN 75
    WHEN "Image" ILIKE '%recon-ng%' OR "Image" ILIKE '%maltego%' THEN 70
    WHEN "CommandLine" ILIKE '%whois%' OR "CommandLine" ILIKE '%dnsenum%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nmap%' THEN 'Network Scanner'
    WHEN "Image" ILIKE '%theharvester%' THEN 'OSINT Harvester'
    WHEN "Image" ILIKE '%maltego%' THEN 'Link Analysis Tool'
    ELSE 'Reconnaissance Tool'
  END AS ToolCategory
FROM events
WHERE eventid = 1
  AND (
    "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' OR "Image" ILIKE '%nikto%'
    OR "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' OR "Image" ILIKE '%recon-ng%'
    OR "Image" ILIKE '%maltego%' OR "Image" ILIKE '%spiderfoot%' OR "CommandLine" ILIKE '%dnsenum%'
    OR "CommandLine" ILIKE '%whois %' OR "CommandLine" ILIKE '%-sV %'
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

medium severity low confidence

Data Sources

Sysmon Event ID 1 DNS logs Network flow data

Required Tables

events

False Positives

Security awareness teams conducting authorized employee exposure research
Authorized red team OSINT assessments
HR or marketing teams performing competitive intelligence research
Recruiters using professional networks for talent research

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 1
| eval ImageLower = lower(Image)
| eval CmdLower = lower(CommandLine)
| where matches(ImageLower, "nmap|masscan|nikto|shodan|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap")
   or matches(CmdLower, "\-sV |\-O |\-sC |\-p\s+\d|dnsenum|whois |hunter\.io")
| eval ToolCategory = if(matches(ImageLower, "nmap|masscan|zmap"), "Port Scanner",
    if(matches(ImageLower, "theharvester|spiderfoot"), "OSINT Tool",
    if(matches(ImageLower, "nikto"), "Web Scanner", "Recon Tool")))
| eval RiskScore = if(ToolCategory = "Port Scanner", 75,
    if(ToolCategory = "OSINT Tool", 70, 60))
| stats count, values(CommandLine) AS Commands by _sourceHost, User, ToolCategory, RiskScore
| sort by RiskScore desc

medium severity low confidence

Data Sources

Sysmon Event ID 1 DNS logs

Required Tables

_sourceCategory=*sysmon*

False Positives

Authorized OSINT assessments by internal red teams
HR and talent acquisition teams using professional networking tools
Marketing teams conducting authorized competitive intelligence research
Security awareness programs researching employee exposure footprint

Google Chronicle / SecOps

yaral

rule T1591_004_recon_tool {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of reconnaissance and OSINT tools"
    severity = "medium"
    confidence = "low"
    mitre_attack = "T1591.004"
    reference = "https://attack.mitre.org/techniques/T1591/004/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)`) or
      re.regex($e.target.process.command_line, `(?i)(\-sV\s|\-O\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan)`)
    )

  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry DNS logs

Required Tables

PROCESS_LAUNCH DNS

False Positives

Authorized OSINT assessments by internal red teams or security consultants
HR teams using professional networking platforms for talent acquisition
Marketing teams conducting authorized competitive intelligence research
Security awareness teams assessing employee digital footprint for training

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)/
  OR CommandLine = /(?i)(\-sV\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan|\-O\s)/
| groupBy([aid, ComputerName, UserName, ImageFileName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)(nmap|masscan|zmap)/ => ToolCategory := "Port Scanner"; RiskScore := "High";
    ImageFileName = /(?i)(theharvester|spiderfoot)/ => ToolCategory := "OSINT Harvester"; RiskScore := "Medium";
    ImageFileName = /(?i)(nikto)/ => ToolCategory := "Web Scanner"; RiskScore := "High";
    * => ToolCategory := "Recon Tool"; RiskScore := "Medium";
  }
| table([ComputerName, UserName, ImageFileName, ToolCategory, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

medium severity low confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Internal red teams conducting authorized OSINT and social engineering assessments
HR and talent teams using professional platforms for legitimate recruiting activity
Marketing teams gathering authorized competitive intelligence data
Security programs assessing digital footprint exposure for awareness training

Identify Roles

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections