title: Identify Roles (T1591.004)
id: df00tech-t1591-004
status: experimental
description: "Adversaries may gather information about identities and roles within the victim organization to support targeting. Role-specific intelligence reveals key personnel — IT administrators, executives, HR, and finance staff — along with their access levels and responsibilities, enabling highly effective spear-phishing, social engineering, and targeted intrusion campaigns. Threat actors including Volt Typhoon, LAPSUS$, FIN7, and HEXANE have used role identification to select high-value targets with privileged access before or during compromise. Detection is fundamentally limited for this PRE-technique because reconnaissance primarily occurs externally via LinkedIn, company websites, OSINT tools, and data-broker APIs, generating no telemetry within the victim environment. Detectable edge cases include: OSINT tool execution on managed endpoints (insider threat or compromised machine being weaponized), connections to data-broker and people-search APIs from corporate networks via non-browser processes, scraping of the organization's own personnel-facing web properties, and post-compromise internal role enumeration via Active Directory LDAP queries or Microsoft Graph API calls targeting role attributes."
references:
  - https://attack.mitre.org/techniques/T1591/004/
  - https://df00tech.com/detections/T1591.004
author: df00tech
date: 2026/03/13
tags:
  - attack.t1591.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Minimal hand translation of the endpoint edge case named in the description
  # (OSINT tool execution on a managed host); the full KQL/SPL query is on df00tech.
  selection:
    CommandLine|contains:
      - 'recon-ng'
      - 'spiderfoot'
      - 'maltego'
      - 'linkedin2username'
  condition: selection
falsepositives:
  - Security team members or penetration testers running OSINT tools as part of authorized red team engagements or attack surface assessments
  - "Recruiting and HR personnel using data-broker tools (ZoomInfo, Apollo, Clearbit, Hunter.io) for candidate sourcing via local scripts or integrations rather than browser"
  - "Sales and marketing teams with CRM enrichment integrations (Salesforce, HubSpot) that use contact-data APIs via background processes rather than browser-based access"
  - "Threat intelligence analysts using OSINT frameworks (Recon-ng, SpiderFoot, Maltego) for adversary infrastructure research as part of their daily workflow"
  - IT administrators using LinkedIn2Username or similar tools for authorized user enumeration during security posture assessments
level: medium
