Detect Identify Roles in Splunk
Adversaries may gather information about identities and roles within the victim organization to support targeting. Role-specific intelligence reveals key personnel — IT administrators, executives, HR, and finance staff — along with their access levels and responsibilities, enabling highly effective spear-phishing, social engineering, and targeted intrusion campaigns. Threat actors including Volt Typhoon, LAPSUS$, FIN7, and HEXANE have used role identification to select high-value targets with privileged access before or during compromise. Detection is fundamentally limited for this PRE-technique because reconnaissance primarily occurs externally via LinkedIn, company websites, OSINT tools, and data-broker APIs, generating no telemetry within the victim environment. Detectable edge cases include: OSINT tool execution on managed endpoints (insider threat or compromised machine being weaponized), connections to data-broker and people-search APIs from corporate networks via non-browser processes, scraping of the organization's own personnel-facing web properties, and post-compromise internal role enumeration via Active Directory LDAP queries or Microsoft Graph API calls targeting role attributes.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1591 Gather Victim Org Information
- Sub-technique
- T1591.004 Identify Roles
- Canonical reference
- https://attack.mitre.org/techniques/T1591/004/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ProcessNameLower=lower(Image)
| eval CommandLineLower=lower(CommandLine)
| eval OsintToolExec=if(
match(ProcessNameLower, "(theharvester|crosslinked|linkedint|phoneinfoga|spiderfoot|maltego|linkedin2username|osrframework)")
OR (match(ProcessNameLower, "(python|bash|sh|cmd|powershell)")
AND match(CommandLineLower, "(theharvester|crosslinked|linkedint|recon-ng|spiderfoot|phoneinfoga|littlebrother|osrframework|linkedin2username)")),
1, 0)
| eval DataBrokerRef=if(
match(CommandLineLower, "(hunter\.io|rocketreach\.co|clearbit\.com|apollo\.io|zoominfo\.com|lusha\.com|seamless\.ai|contactout\.com|pipl\.com|kendo\.io|snov\.io|voilanorbert\.com)"),
1, 0)
| eval PersonnelScrapeCmd=if(
match(CommandLineLower, "(/team|/leadership|/executives|/staff|/our-team|/people|/management|/board|/directory|/org-chart)"),
1, 0)
| eval SuspicionScore=OsintToolExec + DataBrokerRef + PersonnelScrapeCmd
| where SuspicionScore > 0
| eval DetectionBranch=case(
OsintToolExec=1, "OSINT_Tool_Execution",
DataBrokerRef=1, "DataBroker_Command_Argument",
PersonnelScrapeCmd=1, "Personnel_Scraping_Command",
true(), "Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
OsintToolExec, DataBrokerRef, PersonnelScrapeCmd, SuspicionScore, DetectionBranch
| sort - _timeDetects role-identification reconnaissance activity using Sysmon Event ID 1 (Process Creation) logs. Evaluates process image names and command line arguments against three detection categories: known OSINT tool names (theHarvester, CrossLinked, Recon-ng, SpiderFoot, Maltego), data-broker API domain references in command arguments (Hunter.io, Apollo, ZoomInfo, Lusha, etc.), and personnel-page URL path patterns in command lines (/team, /leadership, /executives). Assigns a cumulative suspicion score to allow analysts to prioritize multi-indicator alerts. Confidence is low due to the fundamentally external nature of this PRE-technique.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Security team members or penetration testers running OSINT tools as part of authorized red team engagements or vulnerability assessments
- Recruiting and HR personnel using data-broker tools via command-line scripts or integrations for candidate sourcing workflows
- Threat intelligence analysts running OSINT frameworks (Recon-ng, SpiderFoot) for adversary research as part of their daily threat intel function
- IT automation scripts referencing data-enrichment API endpoints for CRM lead population or sales intelligence workflows
- Web scrapers or crawlers operated by marketing teams that reference personnel page paths in their configurations
Other platforms for T1591.004
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1theHarvester Email and Role Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'theharvester' or python3 with CommandLine containing 'theharvester -d example.com'. File creation events (Sysmon Event ID 11) for HTML/XML output in /tmp/. Network connections (Sysmon Event ID 3) outbound to bing.com port 443. On Linux: auditd EXECVE records for the theHarvester process with all arguments.
- Test 2CrossLinked LinkedIn Role-Specific Employee Scraping
Expected signal: Sysmon Event ID 1: Process Create for python3/crosslinked with CommandLine containing the target organization string and email format argument. Sysmon Event ID 3: Network connections to linkedin.com port 443. File creation events (Sysmon Event ID 11) for names.txt / names.csv if results are returned. On Linux: auditd EXECVE and CONNECT records for crosslinked process.
- Test 3Hunter.io API Non-Browser Role Contact Enumeration
Expected signal: Sysmon Event ID 3: Network Connection from curl (non-browser) to api.hunter.io port 443. Sysmon Event ID 1: Process Create for curl with CommandLine containing 'api.hunter.io' and 'domain-search'. On Linux: auditd SYSCALL CONNECT and EXECVE records for the curl process.
- Test 4Personnel Page Systematic Scraping Simulation
Expected signal: Sysmon Event ID 1: Multiple Process Create events for curl with sequential CommandLine arguments containing personnel URL paths (/team, /leadership, /executives, etc.). Sysmon Event ID 3: Sequential network connection attempts to 127.0.0.1:8080 (connections will fail if no listener, but the telemetry is still generated). The temporal pattern of requests to multiple personnel-path URLs within seconds is the key detection signal. On Linux: auditd EXECVE records for each curl invocation.
- Test 5Active Directory Privileged Role Enumeration via PowerShell (Post-Compromise)
Expected signal: Security Event ID 4661: Handle to AD group objects requested (Domain Admins, Enterprise Admins, etc.) — requires DS Object Access auditing enabled via Group Policy > Advanced Audit Policy Configuration > DS Access. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADGroupMember' and the target group names. PowerShell ScriptBlock Log Event ID 4104 with full enumeration script content. Security Event ID 4662: Object operations performed on each AD group object enumerated.
References (12)
- https://attack.mitre.org/techniques/T1591/004/
- https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
- https://www.clearskysec.com/siamesekitten/
- https://github.com/laramies/theHarvester
- https://github.com/m8sec/CrossLinked
- https://hunter.io/api-documentation/v2
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities
- https://learn.microsoft.com/en-us/graph/api/user-list
- https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/fin7
Unlock Pro Content
Get the full detection package for T1591.004 including response playbook, investigation guide, and atomic red team tests.