Detect Identify Roles in Microsoft Sentinel
Adversaries may gather information about identities and roles within the victim organization to support targeting. Role-specific intelligence reveals key personnel — IT administrators, executives, HR, and finance staff — along with their access levels and responsibilities, enabling highly effective spear-phishing, social engineering, and targeted intrusion campaigns. Threat actors including Volt Typhoon, LAPSUS$, FIN7, and HEXANE have used role identification to select high-value targets with privileged access before or during compromise. Detection is fundamentally limited for this PRE-technique because reconnaissance primarily occurs externally via LinkedIn, company websites, OSINT tools, and data-broker APIs, generating no telemetry within the victim environment. Detectable edge cases include: OSINT tool execution on managed endpoints (insider threat or compromised machine being weaponized), connections to data-broker and people-search APIs from corporate networks via non-browser processes, scraping of the organization's own personnel-facing web properties, and post-compromise internal role enumeration via Active Directory LDAP queries or Microsoft Graph API calls targeting role attributes.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1591 Gather Victim Org Information
- Sub-technique: T1591.004 Identify Roles
- Canonical reference: https://attack.mitre.org/techniques/T1591/004/
KQL Detection Query
let OsintToolNames = dynamic(["theharvester", "crosslinked", "linkedint", "phoneinfoga", "reconng", "recon-ng", "spiderfoot", "maltego", "littlebrother", "osrframework", "linkedin2username"]);
let DataBrokerDomains = dynamic(["hunter.io", "rocketreach.co", "clearbit.com", "apollo.io", "zoominfo.com", "lusha.com", "seamless.ai", "swordfish.ai", "contactout.com", "signalhire.com", "pipl.com", "kendo.io", "snov.io", "voilanorbert.com"]);
// Declared for personnel-page scraping detection but not referenced by either branch below
let PersonnelPagePaths = dynamic(["/team", "/leadership", "/executives", "/staff", "/our-team", "/people", "/management", "/board", "/directory", "/org-chart", "/orgchart", "/about-us/team", "/about/team"]);
// Branch 1: OSINT tool execution on managed endpoints (insider threat or compromised endpoint)
let OsintToolExec = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where tolower(FileName) has_any (OsintToolNames)
        or (
            // Interpreter launches where the tool name appears in the arguments
            FileName in~ ("python.exe", "python3", "python", "bash", "sh", "cmd.exe", "powershell.exe")
            and tolower(ProcessCommandLine) has_any (OsintToolNames)
        )
    | extend DetectionBranch = "OSINT_Tool_Execution"
    | extend RiskIndicator = strcat("OSINT tool detected on managed endpoint: ", FileName)
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              DetectionBranch, RiskIndicator;
// Branch 2: Non-browser process connections to data-broker / people-search APIs
let DataBrokerConnections = DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteUrl has_any (DataBrokerDomains)
    | where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
                                            "opera.exe", "iexplore.exe", "safari", "chromium")
    | extend DetectionBranch = "DataBroker_API_Connection"
    | extend RiskIndicator = strcat("Non-browser process accessing data-broker API: ",
                                    InitiatingProcessFileName, " -> ", RemoteUrl)
    // Align column names with Branch 1 so the union below has a single schema
    | project Timestamp, DeviceName,
              AccountName = InitiatingProcessAccountName,
              FileName = InitiatingProcessFileName,
              ProcessCommandLine = InitiatingProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              DetectionBranch, RiskIndicator;
union OsintToolExec, DataBrokerConnections
| sort by Timestamp desc

Detects two primary observable indicators of role-identification reconnaissance: (1) execution of known OSINT tools (theHarvester, CrossLinked, LinkedIn2Username, Recon-ng, SpiderFoot, Maltego, etc.) on managed endpoints, which indicates insider threat or a compromised machine being used for pre-attack personnel research; and (2) non-browser process connections to data-broker and people-search APIs (Hunter.io, RocketReach, Clearbit, Apollo, ZoomInfo, Lusha) that expose organizational role and contact data. Browser-based connections are excluded from Branch 2 to reduce noise from legitimate sales and HR workflows. Confidence is set to low because this PRE-technique primarily occurs outside the victim environment, with no endpoint telemetry generated for the vast majority of adversary reconnaissance activity.
Data Sources
Required Tables
- DeviceProcessEvents
- DeviceNetworkEvents
False Positives & Tuning
- Security team members or penetration testers running OSINT tools as part of authorized red team engagements or attack surface assessments
- Recruiting and HR personnel using data-broker tools (ZoomInfo, Apollo, Clearbit, Hunter.io) for candidate sourcing via local scripts or integrations rather than browser
- Sales and marketing teams with CRM enrichment integrations (Salesforce, HubSpot) that use contact-data APIs via background processes rather than browser-based access
- Threat intelligence analysts using OSINT frameworks (Recon-ng, SpiderFoot, Maltego) for adversary infrastructure research as part of their daily workflow
- IT administrators using LinkedIn2Username or similar tools for authorized user enumeration during security posture assessments
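The following is an added tuning example for the query above and the false-positive classes just listed; it is not part of the published rule. It suppresses authorised accounts (red team, threat intelligence, IT assessors) via a Sentinel watchlist and raises Branch 1 only the first time an account runs a given tool within a 30-day baseline. It assumes a watchlist named "AuthorizedOsintAccounts" with a column "AccountName" (a hypothetical name); the same leftanti join pattern applies to Branch 2 with a list of approved CRM-integration processes.

```kql
// Added tuning example, not part of the original rule.
// Assumes a Sentinel watchlist "AuthorizedOsintAccounts" with a column "AccountName" (hypothetical name).
let OsintToolNames = dynamic(["theharvester", "crosslinked", "linkedint", "phoneinfoga", "reconng", "recon-ng", "spiderfoot", "maltego", "littlebrother", "osrframework", "linkedin2username"]);
// Same tokens as a regex alternation, so every hit can be labelled with the tool it matched
let OsintToolPattern = @"(theharvester|crosslinked|linkedint|phoneinfoga|recon-?ng|spiderfoot|maltego|littlebrother|osrframework|linkedin2username)";
let Allowlist = _GetWatchlist("AuthorizedOsintAccounts")
    | project Account = tolower(AccountName);
let ToolHits = DeviceProcessEvents
    | where Timestamp > ago(30d)
    | extend Evidence = tolower(strcat(FileName, " ", ProcessCommandLine))
    | where Evidence has_any (OsintToolNames)
    | extend Tool = extract(OsintToolPattern, 1, Evidence), Account = tolower(AccountName)
    | where isnotempty(Tool)
    // Watchlist suppression: drop every execution by an authorised account
    | join kind=leftanti Allowlist on Account
    | project Timestamp, DeviceName, Account, Tool, FileName, ProcessCommandLine;
// Baseline: (account, tool) pairs already seen before the current 24-hour detection window
let Baseline = ToolHits
    | where Timestamp <= ago(24h)
    | distinct Account, Tool;
ToolHits
| where Timestamp > ago(24h)
| join kind=leftanti Baseline on Account, Tool   // keep only first-time (account, tool) pairs
| summarize FirstSeen = min(Timestamp), Devices = make_set(DeviceName),
            Samples = make_set(ProcessCommandLine, 3)
    by Account, Tool
| extend DetectionBranch = "OSINT_Tool_Execution",
         RiskIndicator = strcat("First use of ", Tool, " by ", Account, " in 30 days")
| sort by FirstSeen desc
```

Accounts that legitimately run these tools stay on the watchlist; everyone else produces at most one alert per tool per 30 days, which keeps the daily workflows of TI analysts from flooding the queue while still surfacing a compromised or misused account.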
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: theHarvester Email and Role Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'theharvester' or python3 with CommandLine containing 'theharvester -d example.com'. File creation events (Sysmon Event ID 11) for HTML/XML output in /tmp/. Network connections (Sysmon Event ID 3) outbound to bing.com port 443. On Linux: auditd EXECVE records for the theHarvester process with all arguments.
- Test 2: CrossLinked LinkedIn Role-Specific Employee Scraping
Expected signal: Sysmon Event ID 1: Process Create for python3/crosslinked with CommandLine containing the target organization string and email format argument. Sysmon Event ID 3: Network connections to linkedin.com port 443. File creation events (Sysmon Event ID 11) for names.txt / names.csv if results are returned. On Linux: auditd EXECVE and CONNECT records for crosslinked process.
- Test 3: Hunter.io API Non-Browser Role Contact Enumeration
Expected signal: Sysmon Event ID 3: Network Connection from curl (non-browser) to api.hunter.io port 443. Sysmon Event ID 1: Process Create for curl with CommandLine containing 'api.hunter.io' and 'domain-search'. On Linux: auditd SYSCALL CONNECT and EXECVE records for the curl process.
- Test 4: Personnel Page Systematic Scraping Simulation
Expected signal: Sysmon Event ID 1: Multiple Process Create events for curl with sequential CommandLine arguments containing personnel URL paths (/team, /leadership, /executives, etc.). Sysmon Event ID 3: Sequential network connection attempts to 127.0.0.1:8080 (connections will fail if no listener, but the telemetry is still generated). The temporal pattern of requests to multiple personnel-path URLs within seconds is the key detection signal. On Linux: auditd EXECVE records for each curl invocation.
- Test 5: Active Directory Privileged Role Enumeration via PowerShell (Post-Compromise)
Expected signal: Security Event ID 4661: Handle to AD group objects requested (Domain Admins, Enterprise Admins, etc.) — requires DS Object Access auditing enabled via Group Policy > Advanced Audit Policy Configuration > DS Access. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADGroupMember' and the target group names. PowerShell ScriptBlock Log Event ID 4104 with full enumeration script content. Security Event ID 4662: Object operations performed on each AD group object enumerated.
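The query below is an added example, not part of the published rule, that turns the temporal pattern Test 4 exercises (several distinct personnel-page paths requested within seconds) into a third branch using the PersonnelPagePaths list the rule declares but never references. It covers both the server side (the organisation's own web properties, assuming IIS logs flow into the W3CIISLog table) and the endpoint side (curl/wget on a managed device). The thresholds (4 distinct paths within 2 minutes) are constructed starting values, not tuned ones.

```kql
// Added example, not part of the original rule. Assumes IIS logs are collected into W3CIISLog;
// MinDistinctPaths and Window are constructed starting thresholds.
let PersonnelPagePaths = dynamic(["/team", "/leadership", "/executives", "/staff", "/our-team", "/people", "/management", "/board", "/directory", "/org-chart", "/orgchart", "/about-us/team", "/about/team"]);
let MinDistinctPaths = 4;
let Window = 2m;
// Server side: one client IP walking the organisation's own personnel pages
let WebScrape = W3CIISLog
    | where TimeGenerated > ago(24h)
    | extend Path = tolower(trim_end(@"/+", csUriStem))          // normalise trailing slashes
    | where Path in (PersonnelPagePaths)
    | extend IsBrowserUa = tolower(csUserAgent) startswith "mozilla/"
    | summarize DistinctPaths = dcount(Path), Paths = make_set(Path), Requests = count(),
                BrowserRequests = countif(IsBrowserUa), FirstSeen = min(TimeGenerated)
        by Actor = cIP, Target = csHost, WindowStart = bin(TimeGenerated, Window)
    | extend DetectionBranch = "Personnel_Page_Scraping_Server";
// Endpoint side (Test 4): curl/wget on a managed device iterating the same paths
let EndpointScrape = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("curl.exe", "curl", "wget", "wget.exe")
    // Pull the URL path out of the command line, e.g. http://127.0.0.1:8080/leadership -> /leadership
    | extend Path = tolower(trim_end(@"/+", extract(@"https?://[^/\s]+(/[^\s""']*)", 1, ProcessCommandLine)))
    | where Path in (PersonnelPagePaths)
    | summarize DistinctPaths = dcount(Path), Paths = make_set(Path), Requests = count(),
                FirstSeen = min(Timestamp)
        by Actor = strcat(DeviceName, "\\", AccountName), Target = FileName, WindowStart = bin(Timestamp, Window)
    | extend BrowserRequests = long(0), DetectionBranch = "Personnel_Page_Scraping_Endpoint";
union WebScrape, EndpointScrape
| where DistinctPaths >= MinDistinctPaths
| extend RiskIndicator = strcat(DistinctPaths, " personnel paths requested by ", Actor,
                                " within ", tostring(Window))
| sort by FirstSeen desc
```

A low BrowserRequests count on the server-side rows is the scripted-client signal; a monitoring probe that hits these pages on a schedule will show up as a stable Actor and can be excluded with a watchlist in the same way as the tuning example above.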
References (12)
- https://attack.mitre.org/techniques/T1591/004/
- https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
- https://www.clearskysec.com/siamesekitten/
- https://github.com/laramies/theHarvester
- https://github.com/m8sec/CrossLinked
- https://hunter.io/api-documentation/v2
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities
- https://learn.microsoft.com/en-us/graph/api/user-list
- https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/fin7