Detect Gather Victim Org Information in Splunk
This detection identifies adversary attempts to gather organizational information about the victim, including employee roles, departmental structure, business operations, and key personnel. Because T1591 is a PRE-ATT&CK technique primarily executed outside the defender's network, direct endpoint telemetry is limited. Detection pivots to observable side-effects: Azure AD and Microsoft Graph API enumeration of users, groups, and org hierarchy; inbound phishing-for-information email patterns; unusual bulk access to internal directories or SharePoint org charts; and outbound access to known OSINT/data-broker platforms (LinkedIn, ZoomInfo, Hunter.io) at volume. These signals correlate with early-stage targeting by threat actors such as APT28, Kimsuky, Lazarus Group, and FIN7, who conduct org reconnaissance prior to tailored spearphishing campaigns.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1591 Gather Victim Org Information
- Canonical reference
- https://attack.mitre.org/techniques/T1591/
SPL Detection Query
index=* (sourcetype="ms:aad:audit" OR sourcetype="o365:management:activity" OR sourcetype="azure:aad:audit")
| search OperationName IN ("Get users", "List users", "Get groups", "List groups", "Get members", "Get organization", "Get directoryRoles", "List directoryRoleMembers", "Get contacts", "List contacts")
| eval InitiatorUPN=coalesce('InitiatedBy.user.userPrincipalName', 'UserId', "unknown")
| eval InitiatorIP=coalesce('InitiatedBy.user.ipAddress', 'ClientIP', "unknown")
| eval AppName=coalesce('InitiatedBy.app.displayName', 'ApplicationId', "unknown")
| where ResultStatus="Success" OR ResultStatus="succeeded"
| bin _time span=1h
| stats
count AS OperationCount,
dc(OperationName) AS DistinctOperations,
values(OperationName) AS OperationList,
dc(ObjectId) AS DistinctTargets
by _time, InitiatorUPN, InitiatorIP, AppName
| where OperationCount >= 30 OR DistinctOperations >= 3
| eval RiskScore=case(
OperationCount >= 100 AND DistinctOperations >= 5, "High",
OperationCount >= 50 OR DistinctOperations >= 4, "Medium",
1==1, "Low"
)
| table _time, InitiatorUPN, InitiatorIP, AppName, OperationCount, DistinctOperations, DistinctTargets, OperationList, RiskScore
| sort - OperationCountDetects bulk Azure AD / Office 365 directory enumeration by correlating audit log entries where a single user or application performs high-volume organizational structure queries (users, groups, roles) within a 1-hour window. Uses Azure AD audit sourcetypes available via the Splunk Add-on for Microsoft Cloud Services or the O365 Management Activity API.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Scheduled HR synchronization jobs performing batch user lookups
- IT provisioning automation (ServiceNow, Okta, Sailpoint) syncing directory data
- Microsoft Entra ID Governance access review processes
- Legitimate PowerShell admin scripts run during directory cleanup operations
Other platforms for T1591
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Azure AD Bulk User Enumeration via Microsoft Graph PowerShell
Expected signal: Azure AD AuditLogs: multiple entries for 'Get users', 'List users', 'Get groups', 'List groups', 'Get directoryRoles' with InitiatedBy set to the test account UPN. Volume should exceed the 30-operation threshold within minutes.
- Test 2OSINT Tool Execution — theHarvester Org Reconnaissance
Expected signal: Outbound HTTP/HTTPS connections to linkedin.com, google.com, bing.com with tool user-agent strings from the attacking host. DNS queries for target domain variations. Proxy logs showing linkedin.com/in/ path access at volume.
- Test 3Social Engineering Email — Org Structure Elicitation (Phishing for Information)
Expected signal: EmailEvents entry with SenderFromDomain=atomictest.invalid, Subject containing 'org chart' and 'reporting structure', DeliveryAction=Delivered. Microsoft Defender for Office 365 may flag based on sender reputation.
References (10)
- https://attack.mitre.org/techniques/T1591/
- https://attack.mitre.org/techniques/T1591/001/
- https://attack.mitre.org/techniques/T1591/002/
- https://attack.mitre.org/techniques/T1591/003/
- https://attack.mitre.org/techniques/T1591/004/
- https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://www.cisa.gov/sites/default/files/2023-01/aa23-025a_joint_csa_understanding_and_mitigating_russian_state-sponsored_cyber_threats_to_us_critical_infrastructure_1.pdf
- https://threatpost.com/broadvoice-leaks-350m-records-exposes-voip-company-client-data/160158/
Unlock Pro Content
Get the full detection package for T1591 including response playbook, investigation guide, and atomic red team tests.