Detect Gather Victim Org Information in IBM QRadar
This detection identifies adversary attempts to gather organizational information about the victim, including employee roles, departmental structure, business operations, and key personnel. Because T1591 is a PRE-ATT&CK technique primarily executed outside the defender's network, direct endpoint telemetry is limited. Detection pivots to observable side-effects: Azure AD and Microsoft Graph API enumeration of users, groups, and org hierarchy; inbound phishing-for-information email patterns; unusual bulk access to internal directories or SharePoint org charts; and outbound access to known OSINT/data-broker platforms (LinkedIn, ZoomInfo, Hunter.io) at volume. These signals correlate with early-stage targeting by threat actors such as APT28, Kimsuky, Lazarus Group, and FIN7, who conduct org reconnaissance prior to tailored spearphishing campaigns.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1591 Gather Victim Org Information
- Canonical reference
- https://attack.mitre.org/techniques/T1591/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
LOGSOURCENAME(logsourceid) AS "LogSource",
LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
"username", "sourceip", "destinationip",
"eventid", "deviceaction", "message",
CASE
WHEN LOWER("operationname") ILIKE '%get users%' OR LOWER("operationname") ILIKE '%list groups%' OR LOWER("operationname") ILIKE '%get organization%' OR LOWER("operationname") ILIKE '%get directoryRoles%' THEN 8
ELSE 4
END AS "RiskScore"
FROM events
WHERE (LOWER("operationname") ILIKE '%get users%' OR LOWER("operationname") ILIKE '%list groups%' OR LOWER("operationname") ILIKE '%get organization%' OR LOWER("operationname") ILIKE '%get directoryRoles%')
AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
ORDER BY "RiskScore" DESC, "EventTime" DESC
LAST 24 HOURSQRadar AQL detection for Gather Victim Org Information (T1591). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.
Data Sources
Required Tables
False Positives & Tuning
- IT automation scripts running bulk user provisioning or deprovisioning workflows
- HR system sync tools (Workday, BambooHR) performing scheduled directory synchronization
- Security tools such as Microsoft Entra ID Governance performing access reviews
- PowerShell scripts run by directory administrators for legitimate reporting
Other platforms for T1591
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Azure AD Bulk User Enumeration via Microsoft Graph PowerShell
Expected signal: Azure AD AuditLogs: multiple entries for 'Get users', 'List users', 'Get groups', 'List groups', 'Get directoryRoles' with InitiatedBy set to the test account UPN. Volume should exceed the 30-operation threshold within minutes.
- Test 2OSINT Tool Execution — theHarvester Org Reconnaissance
Expected signal: Outbound HTTP/HTTPS connections to linkedin.com, google.com, bing.com with tool user-agent strings from the attacking host. DNS queries for target domain variations. Proxy logs showing linkedin.com/in/ path access at volume.
- Test 3Social Engineering Email — Org Structure Elicitation (Phishing for Information)
Expected signal: EmailEvents entry with SenderFromDomain=atomictest.invalid, Subject containing 'org chart' and 'reporting structure', DeliveryAction=Delivered. Microsoft Defender for Office 365 may flag based on sender reputation.
References (10)
- https://attack.mitre.org/techniques/T1591/
- https://attack.mitre.org/techniques/T1591/001/
- https://attack.mitre.org/techniques/T1591/002/
- https://attack.mitre.org/techniques/T1591/003/
- https://attack.mitre.org/techniques/T1591/004/
- https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://www.cisa.gov/sites/default/files/2023-01/aa23-025a_joint_csa_understanding_and_mitigating_russian_state-sponsored_cyber_threats_to_us_critical_infrastructure_1.pdf
- https://threatpost.com/broadvoice-leaks-350m-records-exposes-voip-company-client-data/160158/
Unlock Pro Content
Get the full detection package for T1591 including response playbook, investigation guide, and atomic red team tests.