Detect Gather Victim Org Information in Microsoft Sentinel
This detection identifies adversary attempts to gather organizational information about the victim, including employee roles, departmental structure, business operations, and key personnel. Because T1591 is a PRE-ATT&CK technique primarily executed outside the defender's network, direct endpoint telemetry is limited. Detection pivots to observable side-effects: Azure AD and Microsoft Graph API enumeration of users, groups, and org hierarchy; inbound phishing-for-information email patterns; unusual bulk access to internal directories or SharePoint org charts; and outbound access to known OSINT/data-broker platforms (LinkedIn, ZoomInfo, Hunter.io) at volume. These signals correlate with early-stage targeting by threat actors such as APT28, Kimsuky, Lazarus Group, and FIN7, who conduct org reconnaissance prior to tailored spearphishing campaigns.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1591 Gather Victim Org Information
- Canonical reference
- https://attack.mitre.org/techniques/T1591/
KQL Detection Query
// T1591 — Gather Victim Org Information
// Detect bulk Azure AD / MS Graph enumeration of org structure (users, groups, roles, org details)
// This pattern indicates an authenticated attacker or compromised account mapping the org before deeper targeting
let LookbackWindow = 1h;
let EnumThreshold = 30;
let DistinctOpThreshold = 3;
AuditLogs
| where TimeGenerated >= ago(LookbackWindow)
| where OperationName in (
"Get users",
"List users",
"Get groups",
"List groups",
"Get members",
"Get organization",
"Get directoryRoles",
"List directoryRoleMembers",
"Get contacts",
"List contacts",
"Get administrativeUnits",
"List administrativeUnits"
)
| where Result == "success"
| extend InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorIP = tostring(InitiatedBy.user.ipAddress)
| extend AppDisplayName = tostring(InitiatedBy.app.displayName)
| where isnotempty(InitiatorUPN) or isnotempty(AppDisplayName)
| summarize
OperationCount = count(),
DistinctOperations = dcount(OperationName),
Operations = make_set(OperationName),
DistinctTargets = dcount(tostring(TargetResources)),
EarliestEvent = min(TimeGenerated),
LatestEvent = max(TimeGenerated)
by InitiatorUPN, InitiatorIP, AppDisplayName, bin(TimeGenerated, LookbackWindow)
| where OperationCount >= EnumThreshold or DistinctOperations >= DistinctOpThreshold
| extend RiskScore = case(
OperationCount >= 100 and DistinctOperations >= 5, "High",
OperationCount >= 50 or DistinctOperations >= 4, "Medium",
"Low"
)
| project
TimeGenerated,
InitiatorUPN,
InitiatorIP,
AppDisplayName,
OperationCount,
DistinctOperations,
DistinctTargets,
Operations,
RiskScore,
EarliestEvent,
LatestEvent
| order by OperationCount descDetects bulk enumeration of Azure Active Directory organizational structure via Audit Logs. Adversaries with compromised credentials or OAuth tokens enumerate users, groups, roles, and administrative units to map the target organization before launching tailored spearphishing or lateral movement. Alerts fire when a single initiator performs 30+ org-enumeration operations or 3+ distinct operation types within a 1-hour window.
Data Sources
Required Tables
False Positives & Tuning
- IT automation scripts running bulk user provisioning or deprovisioning workflows
- HR system sync tools (Workday, BambooHR) performing scheduled directory synchronization
- Security tools such as Microsoft Entra ID Governance performing access reviews
- PowerShell scripts run by directory administrators for legitimate reporting
Other platforms for T1591
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Azure AD Bulk User Enumeration via Microsoft Graph PowerShell
Expected signal: Azure AD AuditLogs: multiple entries for 'Get users', 'List users', 'Get groups', 'List groups', 'Get directoryRoles' with InitiatedBy set to the test account UPN. Volume should exceed the 30-operation threshold within minutes.
- Test 2OSINT Tool Execution — theHarvester Org Reconnaissance
Expected signal: Outbound HTTP/HTTPS connections to linkedin.com, google.com, bing.com with tool user-agent strings from the attacking host. DNS queries for target domain variations. Proxy logs showing linkedin.com/in/ path access at volume.
- Test 3Social Engineering Email — Org Structure Elicitation (Phishing for Information)
Expected signal: EmailEvents entry with SenderFromDomain=atomictest.invalid, Subject containing 'org chart' and 'reporting structure', DeliveryAction=Delivered. Microsoft Defender for Office 365 may flag based on sender reputation.
References (10)
- https://attack.mitre.org/techniques/T1591/
- https://attack.mitre.org/techniques/T1591/001/
- https://attack.mitre.org/techniques/T1591/002/
- https://attack.mitre.org/techniques/T1591/003/
- https://attack.mitre.org/techniques/T1591/004/
- https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://www.cisa.gov/sites/default/files/2023-01/aa23-025a_joint_csa_understanding_and_mitigating_russian_state-sponsored_cyber_threats_to_us_critical_infrastructure_1.pdf
- https://threatpost.com/broadvoice-leaks-350m-records-exposes-voip-company-client-data/160158/
Unlock Pro Content
Get the full detection package for T1591 including response playbook, investigation guide, and atomic red team tests.