title: Gather Victim Org Information (T1591)
id: df00tech-t1591
status: experimental
description: "This detection identifies adversary attempts to gather organizational information about the victim, including employee roles, departmental structure, business operations, and key personnel. Because T1591 is a PRE-ATT&CK technique primarily executed outside the defender's network, direct endpoint telemetry is limited. Detection pivots to observable side-effects: Azure AD and Microsoft Graph API enumeration of users, groups, and org hierarchy; inbound phishing-for-information email patterns; unusual bulk access to internal directories or SharePoint org charts; and outbound access to known OSINT/data-broker platforms (LinkedIn, ZoomInfo, Hunter.io) at volume. These signals correlate with early-stage targeting by threat actors such as APT28, Kimsuky, Lazarus Group, and FIN7, who conduct org reconnaissance prior to tailored spearphishing campaigns."
references:
  - https://attack.mitre.org/techniques/T1591/
  - https://df00tech.com/detections/T1591
author: df00tech
date: 2026/03/20
tags:
  - attack.t1591
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT automation scripts running bulk user provisioning or deprovisioning workflows
  - "HR system sync tools (Workday, BambooHR) performing scheduled directory synchronization"
  - Security tools such as Microsoft Entra ID Governance performing access reviews
  - PowerShell scripts run by directory administrators for legitimate reporting
level: high
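Worked example of the first signal named in the description (Microsoft Graph enumeration of users, groups and reporting lines), added here as illustration; it is not df00tech's rule logic and not the KQL/SPL query referenced above. The record layout is a simplified approximation of Microsoft Graph activity log fields (`TimeGenerated`, `UserPrincipalName`, `RequestUri`, `ResponseStatusCode`); the endpoint patterns, the allowlist of sync identities (mirroring the `falsepositives` entries), the 10-minute window, the threshold of 20 and the sample records are all constructed for this example.

```python
"""Flag identities that enumerate org structure through Microsoft Graph at volume.

Added example for the T1591 rule; not df00tech's detection logic. Field names
approximate Microsoft Graph activity logs; endpoints, allowlist, window and
threshold are assumptions to be tuned per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Graph paths that expose organisational structure (assumed set for this example).
ORG_ENUM_PATTERNS = [
    re.compile(r"/v1\.0/users/?(\?|$)"),              # bulk user listing
    re.compile(r"/v1\.0/groups/?(\?|$)"),             # bulk group listing
    re.compile(r"/v1\.0/users/[^/?]+/manager"),       # reporting line, upward
    re.compile(r"/v1\.0/users/[^/?]+/directReports"), # reporting line, downward
    re.compile(r"/v1\.0/groups/[^/?]+/members"),      # team / department membership
]

# Known sync and governance identities (constructed placeholders; see falsepositives).
ALLOWLIST = {"svc-workday-sync@example.com", "svc-entra-governance@example.com"}

WINDOW = timedelta(minutes=10)
THRESHOLD = 20  # distinct org-structure URIs inside one window


def is_org_enumeration(request_uri: str) -> bool:
    """True when the request targets one of the org-structure endpoints above."""
    path = request_uri.split("https://graph.microsoft.com", 1)[-1]
    return any(p.search(path) for p in ORG_ENUM_PATTERNS)


def find_enumerating_identities(records, window=WINDOW, threshold=THRESHOLD):
    """Return {identity: peak distinct org-enumeration URIs in any sliding window}.

    Only identities whose peak reaches `threshold` are returned. Allowlisted
    identities and non-enumeration requests are ignored. Retries of the same
    URI are deduplicated so paging loops do not inflate the count.
    """
    per_identity = defaultdict(list)
    for r in records:
        ident = r["UserPrincipalName"]
        if ident in ALLOWLIST or not is_org_enumeration(r["RequestUri"]):
            continue
        per_identity[ident].append((datetime.fromisoformat(r["TimeGenerated"]), r["RequestUri"]))

    hits = {}
    for ident, events in per_identity.items():
        events.sort()
        in_window = {}  # uri -> occurrences inside the current window
        start, peak = 0, 0
        for ts, uri in events:
            in_window[uri] = in_window.get(uri, 0) + 1
            # Evict events older than the window relative to the newest one.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[ident] = peak
    return hits


def build_sample_records():
    """Constructed sample log: one walker of the org chart, one sync account, two benign users."""
    base = datetime(2026, 3, 20, 9, 0, 0)
    graph = "https://graph.microsoft.com"

    def rec(offset, upn, uri, status=200):
        return {"TimeGenerated": (base + offset).isoformat(), "UserPrincipalName": upn,
                "RequestUri": graph + uri, "ResponseStatusCode": status}

    recs = []
    # Suspicious: one user resolves the manager of 25 different accounts in five minutes.
    for i in range(25):
        recs.append(rec(timedelta(seconds=12 * i), "j.doe@example.com",
                        f"/v1.0/users/user{i:03d}@example.com/manager"))
    # Allowlisted HR sync account paging through the whole directory (expected, ignored).
    for i in range(30):
        recs.append(rec(timedelta(seconds=5 * i), "svc-workday-sync@example.com",
                        f"/v1.0/users?$skiptoken=page{i}"))
    # Benign user: a few lookups, well under threshold.
    for i in range(3):
        recs.append(rec(timedelta(minutes=i), "m.lee@example.com",
                        f"/v1.0/groups/group{i}/members"))
    # Benign user: 25 lookups spread 11 minutes apart, never 20 inside one window.
    for i in range(25):
        recs.append(rec(timedelta(minutes=11 * i), "a.smith@example.com",
                        f"/v1.0/users/user{i:03d}@example.com/directReports"))
    return recs


if __name__ == "__main__":
    for ident, peak in find_enumerating_identities(build_sample_records()).items():
        print(f"ALERT T1591 org enumeration: {ident} hit {peak} distinct org-structure URIs in {WINDOW}")
```

The allowlist is deliberately an exact-match set rather than a name pattern, so a new provisioning account has to be added consciously; the distinct-URI count (rather than raw request count) is what keeps a legitimate tool that retries one page from tripping the threshold.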
