title: Business Relationships (T1591.002)
id: df00tech-t1591-002
status: experimental
description: "Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization's business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim's hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise, Drive-by Compromise, or Trusted Relationship). Real-world actors including Dragonfly, LAPSUS$, and Sandworm Team have used this technique to map organizational supply chains and partner relationships as precursors to targeted attacks."
references:
  - https://attack.mitre.org/techniques/T1591/002/
  - https://df00tech.com/detections/T1591.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1591.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder: the selection below matches every Windows process_creation event, so the rule
  # will fire on all such events and must not be deployed as-is.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Security researchers or red team operators running authorized OSINT assessments on managed endpoints without pre-authorizing the tool names
  - "Legitimate SEO crawlers (Googlebot, Bingbot, SemRush, Ahrefs) generating high-volume access to partner/client pages — these will dominate WAF logs and must be allow-listed by user-agent and known IP range"
  - Internal marketing or business development staff using tools like Hunter.io browser extensions or LinkedIn Sales Navigator integrations that trigger OSINT tool heuristics
  - Automated monitoring or uptime-check services that repeatedly fetch partner listing pages as part of website availability monitoring
  - "IT asset management or third-party risk management platforms (BitSight, SecurityScorecard, RiskRecon) that legitimately scrape public partner/vendor pages for continuous monitoring"
level: medium

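The false-positive notes above say SEO crawlers and risk-monitoring platforms that fetch partner/client pages must be allow-listed by user-agent and known IP range. The following is an added example, not part of the df00tech rule, showing one way to apply that caveat over constructed WAF access-log lines: a source is flagged only when it fetches partner pages above a threshold and its user-agent/IP pair is not an allow-listed crawler. Crawler names, IP ranges, paths, and the threshold are illustrative assumptions, not real published ranges.

```python
# Added example (not the df00tech rule's own logic): allow-listing crawlers by
# user-agent AND source IP before alerting on partner-page scraping.
import ipaddress
import re
from collections import Counter

# Assumed allow-list: a UA substring alone is trivially spoofable, so both the
# UA and the publisher's IP range must match. Ranges here are placeholders.
ALLOWED_CRAWLERS = {
    "Googlebot": [ipaddress.ip_network("66.249.64.0/19")],
    "bingbot": [ipaddress.ip_network("157.55.39.0/24")],
}
PARTNER_PATHS = re.compile(r"^/(partners|clients|vendors)(/|$)")
THRESHOLD = 3  # partner-page fetches from one source before it is flagged
# Combined Log Format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d{3} \d+ "[^"]*" "([^"]*)"$'
)

def is_allowed_crawler(ip, user_agent):
    """True only when the UA names a known crawler AND the IP is in its range."""
    for name, nets in ALLOWED_CRAWLERS.items():
        if name in user_agent:
            addr = ipaddress.ip_address(ip)
            return any(addr in net for net in nets)
    return False

def flag_partner_page_scrapers(lines, threshold=THRESHOLD):
    """Return {source_ip: count} for sources exceeding the threshold of
    partner/client/vendor page fetches that are not allow-listed crawlers."""
    counts, agents = Counter(), {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-GET/HEAD line: skip rather than guess
        ip, path, ua = m.groups()
        if PARTNER_PATHS.match(path):
            counts[ip] += 1
            agents[ip] = ua
    return {ip: n for ip, n in counts.items()
            if n >= threshold and not is_allowed_crawler(ip, agents[ip])}

# Constructed sample log: a genuine Googlebot, a spoofed "Googlebot" from an
# unrelated address, and a plain browser repeatedly pulling the partner listing.
def _line(ip, path, ua, ts="13/Mar/2026:10:00:01 +0000"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
SAMPLE_LOG = (
    [_line("66.249.66.1", p, GOOGLEBOT_UA) for p in ("/partners/", "/partners/acme", "/clients/")]
    + [_line("203.0.113.7", p, GOOGLEBOT_UA) for p in ("/partners/", "/partners/acme", "/vendors/")]
    + [_line("198.51.100.9", p, BROWSER_UA) for p in ("/partners/", "/partners/acme", "/clients/", "/about")]
)
```

Running `flag_partner_page_scrapers(SAMPLE_LOG)` flags the spoofed Googlebot and the browser but not the genuine crawler, which is the behaviour the allow-list note asks for.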