title: Employee Names (T1589.003)
id: df00tech-t1589-003
status: experimental
description: "Adversaries may gather employee names that can be used during targeting. Employee names can be used to derive email addresses as well as to help guide other reconnaissance efforts and craft more-believable lures. Adversaries may easily gather employee names since they may be readily available and exposed via online or other accessible data sets such as social media, LinkedIn, corporate websites, and press releases. Real-world threat actors including Kimsuky, Sandworm Team, and Silent Librarian have been observed collecting victim employee name information to support subsequent phishing campaigns, credential attacks, and social engineering operations. Detection is inherently challenging because this activity primarily occurs outside the victim's environment on public platforms. Effective detection pivots to monitoring organization-owned web properties for automated scraping, tracking OSINT tool execution on monitored endpoints, and identifying downstream artifacts such as systematic user enumeration via authentication systems."
references:
  - https://attack.mitre.org/techniques/T1589/003/
  - https://df00tech.com/detections/T1589.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1589.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Search engine crawlers (Googlebot, Bingbot, AhrefsBot, Semrush) legitimately indexing public team and leadership pages at high rates"
  - "SEO audit tools (Screaming Frog, Sitebulb, DeepCrawl) run by the marketing team performing scheduled site health checks"
  - "Authorized penetration testers or red team operators conducting OSINT reconnaissance during an engagement; always verify active SOW coverage"
  - "HR and recruiting platforms (LinkedIn Talent Hub, Greenhouse, Lever) that scan competitor or partner employee directories for sourcing"
  - "Business intelligence and lead generation services (ZoomInfo, Lusha, Apollo.io) operating on behalf of sales teams with company-approved subscriptions"
level: medium
