T1591.004 IBM QRadar · QRadar

Detect Identify Roles in IBM QRadar

Adversaries may gather information about identities and roles within the victim organization to support targeting. Role-specific intelligence reveals key personnel — IT administrators, executives, HR, and finance staff — along with their access levels and responsibilities, enabling highly effective spear-phishing, social engineering, and targeted intrusion campaigns. Threat actors including Volt Typhoon, LAPSUS$, FIN7, and HEXANE have used role identification to select high-value targets with privileged access before or during compromise. Detection is fundamentally limited for this PRE-technique because reconnaissance primarily occurs externally via LinkedIn, company websites, OSINT tools, and data-broker APIs, generating no telemetry within the victim environment. Detectable edge cases include: OSINT tool execution on managed endpoints (insider threat or compromised machine being weaponized), connections to data-broker and people-search APIs from corporate networks via non-browser processes, scraping of the organization's own personnel-facing web properties, and post-compromise internal role enumeration via Active Directory LDAP queries or Microsoft Graph API calls targeting role attributes.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1591 Gather Victim Org Information
Sub-technique
T1591.004 Identify Roles
Canonical reference
https://attack.mitre.org/techniques/T1591/004/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "Image" AS ProcessImage, "CommandLine",
  CASE
    WHEN "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' THEN 80
    WHEN "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' THEN 75
    WHEN "Image" ILIKE '%recon-ng%' OR "Image" ILIKE '%maltego%' THEN 70
    WHEN "CommandLine" ILIKE '%whois%' OR "CommandLine" ILIKE '%dnsenum%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nmap%' THEN 'Network Scanner'
    WHEN "Image" ILIKE '%theharvester%' THEN 'OSINT Harvester'
    WHEN "Image" ILIKE '%maltego%' THEN 'Link Analysis Tool'
    ELSE 'Reconnaissance Tool'
  END AS ToolCategory
FROM events
WHERE eventid = 1
  AND (
    "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' OR "Image" ILIKE '%nikto%'
    OR "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' OR "Image" ILIKE '%recon-ng%'
    OR "Image" ILIKE '%maltego%' OR "Image" ILIKE '%spiderfoot%' OR "CommandLine" ILIKE '%dnsenum%'
    OR "CommandLine" ILIKE '%whois %' OR "CommandLine" ILIKE '%-sV %'
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS
medium severity low confidence

QRadar AQL detection for Identify Roles. Detects two primary observable indicators of role-identification reconnaissance: (1) execution of known OSINT tools (theHarvester, CrossLinked, LinkedIn2Username, Recon-ng, SpiderFoot, Maltego, etc.)

Data Sources

Sysmon Event ID 1DNS logsNetwork flow data

Required Tables

events

False Positives & Tuning

  • Security awareness teams conducting authorized employee exposure research
  • Authorized red team OSINT assessments
  • HR or marketing teams performing competitive intelligence research
  • Recruiters using professional networks for talent research
Download portable Sigma rule (.yml)

Other platforms for T1591.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1theHarvester Email and Role Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image containing 'theharvester' or python3 with CommandLine containing 'theharvester -d example.com'. File creation events (Sysmon Event ID 11) for HTML/XML output in /tmp/. Network connections (Sysmon Event ID 3) outbound to bing.com port 443. On Linux: auditd EXECVE records for the theHarvester process with all arguments.

  2. Test 2CrossLinked LinkedIn Role-Specific Employee Scraping

    Expected signal: Sysmon Event ID 1: Process Create for python3/crosslinked with CommandLine containing the target organization string and email format argument. Sysmon Event ID 3: Network connections to linkedin.com port 443. File creation events (Sysmon Event ID 11) for names.txt / names.csv if results are returned. On Linux: auditd EXECVE and CONNECT records for crosslinked process.

  3. Test 3Hunter.io API Non-Browser Role Contact Enumeration

    Expected signal: Sysmon Event ID 3: Network Connection from curl (non-browser) to api.hunter.io port 443. Sysmon Event ID 1: Process Create for curl with CommandLine containing 'api.hunter.io' and 'domain-search'. On Linux: auditd SYSCALL CONNECT and EXECVE records for the curl process.

  4. Test 4Personnel Page Systematic Scraping Simulation

    Expected signal: Sysmon Event ID 1: Multiple Process Create events for curl with sequential CommandLine arguments containing personnel URL paths (/team, /leadership, /executives, etc.). Sysmon Event ID 3: Sequential network connection attempts to 127.0.0.1:8080 (connections will fail if no listener, but the telemetry is still generated). The temporal pattern of requests to multiple personnel-path URLs within seconds is the key detection signal. On Linux: auditd EXECVE records for each curl invocation.

  5. Test 5Active Directory Privileged Role Enumeration via PowerShell (Post-Compromise)

    Expected signal: Security Event ID 4661: Handle to AD group objects requested (Domain Admins, Enterprise Admins, etc.) — requires DS Object Access auditing enabled via Group Policy > Advanced Audit Policy Configuration > DS Access. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADGroupMember' and the target group names. PowerShell ScriptBlock Log Event ID 4104 with full enumeration script content. Security Event ID 4662: Object operations performed on each AD group object enumerated.

Last updated: 2026-03-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1591.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1591Gather Victim Org Information

Related Sub-techniques

T1591.001Determine Physical LocationsT1591.002Business RelationshipsT1591.003Identify Business Tempo

Related Techniques

T1591Gather Victim Org InformationT1591.001Determine Physical LocationsT1591.002Business RelationshipsT1591.003Identify Business TempoT1593.001Social MediaT1594Search Victim-Owned WebsitesT1598Phishing for InformationT1566PhishingT1585Establish AccountsT1586Compromise AccountsT1069Permission Groups DiscoveryT1087Account Discovery

Same Tactic: Reconnaissance

Popular Detections