Detect Identify Roles in Google Chronicle
Adversaries may gather information about identities and roles within the victim organization to support targeting. Role-specific intelligence reveals key personnel — IT administrators, executives, HR, and finance staff — along with their access levels and responsibilities, enabling highly effective spear-phishing, social engineering, and targeted intrusion campaigns. Threat actors including Volt Typhoon, LAPSUS$, FIN7, and HEXANE have used role identification to select high-value targets with privileged access before or during compromise. Detection is fundamentally limited for this PRE-technique because reconnaissance primarily occurs externally via LinkedIn, company websites, OSINT tools, and data-broker APIs, generating no telemetry within the victim environment. Detectable edge cases include: OSINT tool execution on managed endpoints (insider threat or compromised machine being weaponized), connections to data-broker and people-search APIs from corporate networks via non-browser processes, scraping of the organization's own personnel-facing web properties, and post-compromise internal role enumeration via Active Directory LDAP queries or Microsoft Graph API calls targeting role attributes.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1591 Gather Victim Org Information
- Sub-technique
- T1591.004 Identify Roles
- Canonical reference
- https://attack.mitre.org/techniques/T1591/004/
YARA-L Detection Query
rule T1591_004_recon_tool {
meta:
author = "Detection Engineering"
description = "Detects execution of reconnaissance and OSINT tools"
severity = "medium"
confidence = "low"
mitre_attack = "T1591.004"
reference = "https://attack.mitre.org/techniques/T1591/004/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
re.regex($e.target.process.file.full_path, `(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)`) or
re.regex($e.target.process.command_line, `(?i)(\-sV\s|\-O\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan)`)
)
condition:
$e
}Google Chronicle YARA-L 2.0 detection for Identify Roles. Detects two primary observable indicators of role-identification reconnaissance: (1) execution of known OSINT tools (theHarvester, CrossLinked, LinkedIn2Username, Recon-ng, SpiderFoot, Maltego, etc.)
Data Sources
Required Tables
False Positives & Tuning
- Authorized OSINT assessments by internal red teams or security consultants
- HR teams using professional networking platforms for talent acquisition
- Marketing teams conducting authorized competitive intelligence research
- Security awareness teams assessing employee digital footprint for training
Other platforms for T1591.004
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1theHarvester Email and Role Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'theharvester' or python3 with CommandLine containing 'theharvester -d example.com'. File creation events (Sysmon Event ID 11) for HTML/XML output in /tmp/. Network connections (Sysmon Event ID 3) outbound to bing.com port 443. On Linux: auditd EXECVE records for the theHarvester process with all arguments.
- Test 2CrossLinked LinkedIn Role-Specific Employee Scraping
Expected signal: Sysmon Event ID 1: Process Create for python3/crosslinked with CommandLine containing the target organization string and email format argument. Sysmon Event ID 3: Network connections to linkedin.com port 443. File creation events (Sysmon Event ID 11) for names.txt / names.csv if results are returned. On Linux: auditd EXECVE and CONNECT records for crosslinked process.
- Test 3Hunter.io API Non-Browser Role Contact Enumeration
Expected signal: Sysmon Event ID 3: Network Connection from curl (non-browser) to api.hunter.io port 443. Sysmon Event ID 1: Process Create for curl with CommandLine containing 'api.hunter.io' and 'domain-search'. On Linux: auditd SYSCALL CONNECT and EXECVE records for the curl process.
- Test 4Personnel Page Systematic Scraping Simulation
Expected signal: Sysmon Event ID 1: Multiple Process Create events for curl with sequential CommandLine arguments containing personnel URL paths (/team, /leadership, /executives, etc.). Sysmon Event ID 3: Sequential network connection attempts to 127.0.0.1:8080 (connections will fail if no listener, but the telemetry is still generated). The temporal pattern of requests to multiple personnel-path URLs within seconds is the key detection signal. On Linux: auditd EXECVE records for each curl invocation.
- Test 5Active Directory Privileged Role Enumeration via PowerShell (Post-Compromise)
Expected signal: Security Event ID 4661: Handle to AD group objects requested (Domain Admins, Enterprise Admins, etc.) — requires DS Object Access auditing enabled via Group Policy > Advanced Audit Policy Configuration > DS Access. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADGroupMember' and the target group names. PowerShell ScriptBlock Log Event ID 4104 with full enumeration script content. Security Event ID 4662: Object operations performed on each AD group object enumerated.
References (12)
- https://attack.mitre.org/techniques/T1591/004/
- https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
- https://www.clearskysec.com/siamesekitten/
- https://github.com/laramies/theHarvester
- https://github.com/m8sec/CrossLinked
- https://hunter.io/api-documentation/v2
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities
- https://learn.microsoft.com/en-us/graph/api/user-list
- https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/fin7
Unlock Pro Content
Get the full detection package for T1591.004 including response playbook, investigation guide, and atomic red team tests.