Detect Gather Victim Org Information in CrowdStrike LogScale
This detection identifies adversary attempts to gather organizational information about the victim, including employee roles, departmental structure, business operations, and key personnel. Because T1591 is a PRE-ATT&CK technique primarily executed outside the defender's network, direct endpoint telemetry is limited. Detection pivots to observable side-effects: Azure AD and Microsoft Graph API enumeration of users, groups, and org hierarchy; inbound phishing-for-information email patterns; unusual bulk access to internal directories or SharePoint org charts; and outbound access to known OSINT/data-broker platforms (LinkedIn, ZoomInfo, Hunter.io) at volume. These signals correlate with early-stage targeting by threat actors such as APT28, Kimsuky, Lazarus Group, and FIN7, who conduct org reconnaissance prior to tailored spearphishing campaigns.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1591 Gather Victim Org Information
- Canonical reference
- https://attack.mitre.org/techniques/T1591/
LogScale Detection Query
#event_simpleName in ["UserLogon", "UserIdentityUpdate"]
| UserName = /./
| groupBy([UserName, RemoteAddressIP4], function=count(as=EventCount))
| EventCount > 30
| case {
EventCount >= 100 => TechniqueLabel := "T1591 - OrgEnum - High";
EventCount >= 50 => TechniqueLabel := "T1591 - OrgEnum - Medium";
* => TechniqueLabel := "T1591 - OrgEnum - Low"
}
| table([@timestamp, UserName, RemoteAddressIP4, EventCount, TechniqueLabel])CrowdStrike LogScale (Falcon) CQL detection for Gather Victim Org Information (T1591). Uses CrowdStrike event simpleName taxonomy with regex-based field filtering, groupBy aggregation, and case-based risk classification. Designed for the Falcon platform's LogScale query language.
Data Sources
Required Tables
False Positives & Tuning
- IT automation scripts running bulk user provisioning or deprovisioning workflows
- HR system sync tools (Workday, BambooHR) performing scheduled directory synchronization
- Security tools such as Microsoft Entra ID Governance performing access reviews
- PowerShell scripts run by directory administrators for legitimate reporting
Other platforms for T1591
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Azure AD Bulk User Enumeration via Microsoft Graph PowerShell
Expected signal: Azure AD AuditLogs: multiple entries for 'Get users', 'List users', 'Get groups', 'List groups', 'Get directoryRoles' with InitiatedBy set to the test account UPN. Volume should exceed the 30-operation threshold within minutes.
- Test 2OSINT Tool Execution — theHarvester Org Reconnaissance
Expected signal: Outbound HTTP/HTTPS connections to linkedin.com, google.com, bing.com with tool user-agent strings from the attacking host. DNS queries for target domain variations. Proxy logs showing linkedin.com/in/ path access at volume.
- Test 3Social Engineering Email — Org Structure Elicitation (Phishing for Information)
Expected signal: EmailEvents entry with SenderFromDomain=atomictest.invalid, Subject containing 'org chart' and 'reporting structure', DeliveryAction=Delivered. Microsoft Defender for Office 365 may flag based on sender reputation.
References (10)
- https://attack.mitre.org/techniques/T1591/
- https://attack.mitre.org/techniques/T1591/001/
- https://attack.mitre.org/techniques/T1591/002/
- https://attack.mitre.org/techniques/T1591/003/
- https://attack.mitre.org/techniques/T1591/004/
- https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://www.cisa.gov/sites/default/files/2023-01/aa23-025a_joint_csa_understanding_and_mitigating_russian_state-sponsored_cyber_threats_to_us_critical_infrastructure_1.pdf
- https://threatpost.com/broadvoice-leaks-350m-records-exposes-voip-company-client-data/160158/
Unlock Pro Content
Get the full detection package for T1591 including response playbook, investigation guide, and atomic red team tests.