T1590.005

IP Addresses

Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted. Adversaries gather this information via direct collection actions (active scanning, phishing for information) or through online data sets such as WHOIS, ARIN, RIPE, passive DNS repositories, and IP intelligence platforms like Shodan or Censys.

Microsoft Sentinel / Defender

kusto

let IPIntelServices = dynamic([
  "shodan.io", "censys.io", "ipinfo.io", "ipapi.co", "ip-api.com",
  "ipwhois.io", "bgp.he.net", "arin.net", "ripe.net", "apnic.net",
  "lacnic.net", "afrinic.net", "spyse.com", "fofa.info", "zoomeye.org",
  "dnsdumpster.com", "hackertarget.com", "viewdns.info", "ipvoid.com",
  "whatismyipaddress.com", "ip2location.com", "maxmind.com", "greynoise.io",
  "binaryedge.io", "onyphe.io"
]);
let OSINTTools = dynamic([
  "nmap", "masscan", "zmap", "theharvester", "recon-ng", "maltego",
  "shodan", "censys", "spiderfoot", "amass", "subfinder"
]);
// Branch 1: Outbound connections from managed endpoints to IP intelligence platforms
let EndpointIPIntel = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt")
| where RemoteUrl has_any (IPIntelServices)
    or RemoteIPType == "Public" and (RemoteUrl has "whois" or RemoteUrl has "ipinfo" or RemoteUrl has "bgp")
| extend DetectionBranch = "EndpointIPIntelLookup"
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: OSINT tool execution on managed endpoints (insider threat / compromised endpoint)
let OSINTToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (OSINTTools)
    or ProcessCommandLine has_any (OSINTTools)
    or ProcessCommandLine has_any ("nmap -sn", "nmap -p", "masscan --rate", "zmap -p",
                                    "theharvester -d", "amass enum", "subfinder -d",
                                    "shodan search", "censys search", "spiderfoot -s")
| extend DetectionBranch = "OSINTToolOnEndpoint"
| project Timestamp = Timestamp, DeviceName, AccountName,
         RemoteUrl = "", RemoteIP = "", RemotePort = int(0),
         InitiatingProcessFileName, InitiatingProcessCommandLine = ProcessCommandLine,
         DetectionBranch;
union EndpointIPIntel, OSINTToolExec
| sort by Timestamp desc

low severity low confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Security analysts and threat intelligence teams routinely query Shodan, Censys, ARIN, and RIPE to assess the organization's external attack surface — this is expected and should be allowlisted by user/device
Network engineers using nmap or masscan for authorized internal network discovery and asset inventory
Penetration testers performing authorized external assessments will use all of these tools and services legitimately
IT and DevOps staff querying ipinfo.io or similar APIs in automation scripts to geolocate user traffic or validate IP addresses

Splunk

spl

| multisearch
  [ search index=proxy sourcetype=bluecoat OR sourcetype=squid OR sourcetype="cisco:esa" OR sourcetype="pan:traffic"
    (cs_host="shodan.io" OR cs_host="censys.io" OR cs_host="ipinfo.io" OR cs_host="ipapi.co"
     OR cs_host="ip-api.com" OR cs_host="bgp.he.net" OR cs_host="arin.net" OR cs_host="ripe.net"
     OR cs_host="apnic.net" OR cs_host="lacnic.net" OR cs_host="afrinic.net" OR cs_host="spyse.com"
     OR cs_host="fofa.info" OR cs_host="zoomeye.org" OR cs_host="dnsdumpster.com"
     OR cs_host="hackertarget.com" OR cs_host="viewdns.info" OR cs_host="ipvoid.com"
     OR cs_host="binaryedge.io" OR cs_host="greynoise.io" OR cs_host="onyphe.io")
    | eval DetectionBranch="ProxyIPIntelLookup"
    | eval ToolOrDomain=cs_host
    | eval UserOrAccount=cs_username ]
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\nmap.exe" OR Image="*\\masscan.exe" OR Image="*\\zmap.exe"
     OR Image="*\\theharvester.exe" OR Image="*\\amass.exe" OR Image="*\\subfinder.exe"
     OR CommandLine="*shodan search*" OR CommandLine="*censys search*"
     OR CommandLine="*nmap -sn*" OR CommandLine="*nmap -p*" OR CommandLine="*masscan --rate*"
     OR CommandLine="*spiderfoot*" OR CommandLine="*recon-ng*")
    | eval DetectionBranch="OSINTToolEndpoint"
    | eval ToolOrDomain=Image
    | eval UserOrAccount=User ]
| eval src_ip=coalesce(c_ip, src_ip)
| eval dest_host=coalesce(cs_host, ToolOrDomain)
| table _time, host, UserOrAccount, src_ip, dest_host, CommandLine, DetectionBranch
| sort - _time

low severity low confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Web Proxy Logs Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational bluecoat squid

False Positives

Security operations and threat intelligence analysts querying Shodan, Censys, ARIN, and RIPE as part of daily attack surface monitoring duties
Network engineers running nmap or masscan scans during authorized change windows for asset discovery
Red team and penetration testers conducting authorized engagements — coordinate with testing calendar to suppress alerts during assessment windows
Developers and DevOps engineers embedding IP geolocation API calls (ipinfo.io, ip-api.com) in application code or deployment scripts

Elastic Security (EQL)

eql

any where
  (
    event.category == "network" and
    destination.domain in~ ("shodan.io", "censys.io", "ipinfo.io", "ipapi.co",
      "ip-api.com", "ipwhois.io", "bgp.he.net", "arin.net", "ripe.net",
      "apnic.net", "lacnic.net", "afrinic.net", "spyse.com", "fofa.info",
      "zoomeye.org", "dnsdumpster.com", "hackertarget.com", "viewdns.info",
      "ipvoid.com", "whatismyipaddress.com", "ip2location.com", "maxmind.com",
      "greynoise.io", "binaryedge.io", "onyphe.io")
  ) or
  (
    event.category == "process" and event.type == "start" and
    (
      process.name in~ ("nmap.exe", "nmap", "masscan.exe", "masscan",
        "zmap.exe", "zmap", "theharvester.exe", "theharvester",
        "amass.exe", "amass", "subfinder.exe", "subfinder",
        "spiderfoot.exe", "spiderfoot", "recon-ng") or
      process.command_line like~ "*shodan search*" or
      process.command_line like~ "*censys search*" or
      process.command_line like~ "*nmap -sn*" or
      process.command_line like~ "*nmap -p*" or
      process.command_line like~ "*masscan --rate*" or
      process.command_line like~ "*theharvester -d*" or
      process.command_line like~ "*amass enum*" or
      process.command_line like~ "*subfinder -d*"
    )
  )

medium severity medium confidence

Data Sources

Elastic Agent Endpoint Security integration (process and network events) Elastic Agent Network Packet Capture or Zeek/Bro integration Winlogbeat or Elastic Agent collecting Windows Sysmon EventCode 1 and 3 Packetbeat for HTTP layer network metadata

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.process-* logs-network_traffic.* logs-system.security-*

False Positives

Security operations and threat intelligence analysts routinely query Shodan, Censys, GreyNoise, and ARIN for exposure assessments and IOC enrichment — allowlist by host.name or user.name for known SOC workstations and analyst accounts.
IT asset management platforms such as Qualys, Tenable Nessus, and Rapid7 InsightVM may call ip-api.com, ipinfo.io, or MaxMind GeoIP APIs to enrich discovered host records or determine geolocation — filter by the platform's service account or source host.
Legitimate penetration testing engagements or red team exercises running nmap, masscan, Amass, or Subfinder on managed endpoints will generate process.name matches — correlate against the security team's engagement calendar and suppress by host.name during authorised windows.
Development and QA pipelines running nmap as part of network connectivity validation or infrastructure smoke tests in CI/CD environments will produce process.type start events — filter by process.parent.name for known CI agent process names such as jenkins, gitlab-runner, or buildkite-agent.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  destinationip,
  username,
  URL AS request_url,
  "CommandLine" AS process_commandline,
  QIDNAME(qid) AS event_name,
  CASE
    WHEN URL IS NOT NULL AND URL != '' THEN 'IPIntelWebRequest'
    ELSE 'OSINTToolExecution'
  END AS detection_branch
FROM events
WHERE
  URL ILIKE '%shodan.io%' OR URL ILIKE '%censys.io%' OR URL ILIKE '%ipinfo.io%' OR
  URL ILIKE '%ipapi.co%' OR URL ILIKE '%ip-api.com%' OR URL ILIKE '%bgp.he.net%' OR
  URL ILIKE '%arin.net%' OR URL ILIKE '%ripe.net%' OR URL ILIKE '%apnic.net%' OR
  URL ILIKE '%lacnic.net%' OR URL ILIKE '%afrinic.net%' OR URL ILIKE '%spyse.com%' OR
  URL ILIKE '%fofa.info%' OR URL ILIKE '%zoomeye.org%' OR URL ILIKE '%dnsdumpster.com%' OR
  URL ILIKE '%hackertarget.com%' OR URL ILIKE '%viewdns.info%' OR URL ILIKE '%ipvoid.com%' OR
  URL ILIKE '%binaryedge.io%' OR URL ILIKE '%greynoise.io%' OR URL ILIKE '%onyphe.io%' OR
  "CommandLine" ILIKE '%nmap%' OR "CommandLine" ILIKE '%masscan%' OR
  "CommandLine" ILIKE '%zmap -p%' OR "CommandLine" ILIKE '%theharvester%' OR
  "CommandLine" ILIKE '%amass enum%' OR "CommandLine" ILIKE '%subfinder -d%' OR
  "CommandLine" ILIKE '%shodan search%' OR "CommandLine" ILIKE '%censys search%' OR
  "CommandLine" ILIKE '%spiderfoot%' OR "CommandLine" ILIKE '%recon-ng%'
ORDER BY devicetime DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

Blue Coat ProxySG / Web Gateway (DSM) Squid Proxy (DSM) Palo Alto Networks Firewall (DSM) Zscaler Internet Access (DSM) Microsoft Windows Security Event Log (DSM) Microsoft Sysmon (DSM with CommandLine custom property configured)

Required Tables

events

False Positives

Analysts querying Shodan, Censys, ARIN, or RIPE via browser or CLI from SOC workstations will produce URL hits — allowlist by sourceip for known analyst IP ranges or add a username exclusion list for the threat intelligence team.
The CommandLine custom event property must be validated in the Sysmon DSM before relying on process-based detections; if the property is not mapped, the OSINT tool branch silently produces zero results — verify property mapping in the QRadar Admin DSM editor.
Vulnerability management scanners (Qualys, Tenable, Rapid7) performing lightweight host discovery that call ip-api.com or MaxMind APIs for geolocation enrichment will generate repeated URL matches — suppress by sourceip for the scanner's dedicated host.
Automated SOAR playbooks or enrichment scripts querying ipinfo.io or ip-api.com APIs via HTTP for alert triage will produce URL hits with high frequency — filter by destinationip if the API endpoint resolves to a known stable IP or by username for the SOAR service account.

Sumo Logic CSE

sql

(_sourceCategory=*proxy* OR _sourceCategory=*web/gateway* OR _sourceCategory=*endpoint/windows* OR _sourceCategory=*sysmon*)
| where (http_hostname in ("shodan.io", "censys.io", "ipinfo.io", "ipapi.co",
    "ip-api.com", "ipwhois.io", "bgp.he.net", "arin.net", "ripe.net",
    "apnic.net", "lacnic.net", "afrinic.net", "spyse.com", "fofa.info",
    "zoomeye.org", "dnsdumpster.com", "hackertarget.com", "viewdns.info",
    "ipvoid.com", "whatismyipaddress.com", "ip2location.com", "maxmind.com",
    "greynoise.io", "binaryedge.io", "onyphe.io"))
  OR (baseImage matches "*nmap*" OR baseImage matches "*masscan*" OR baseImage matches "*zmap*"
    OR baseImage matches "*theharvester*" OR baseImage matches "*amass*"
    OR baseImage matches "*subfinder*" OR baseImage matches "*spiderfoot*"
    OR baseImage matches "*recon-ng*")
  OR (commandLine matches "*shodan search*" OR commandLine matches "*censys search*"
    OR commandLine matches "*nmap -sn*" OR commandLine matches "*masscan --rate*"
    OR commandLine matches "*theharvester -d*" OR commandLine matches "*amass enum*"
    OR commandLine matches "*subfinder -d*")
| if(!isEmpty(http_hostname), "IPIntelWebRequest", "OSINTToolExecution") as detection_branch
| fields _messagetime, srcDevice_hostname, dstDevice_hostname, user_username,
    http_hostname, http_url, baseImage, commandLine, detection_branch
| sort by _messagetime desc

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise (CSE) normalised records Proxy logs via Sumo Logic Installed Collector or OpenTelemetry agent (Blue Coat, Squid, Zscaler) Windows Sysmon via Sumo Logic Installed Collector with _sourceCategory=*sysmon* Palo Alto Networks firewall URL filtering logs

Required Tables

Sumo Logic CSE normalised schema with http_hostname field (from proxy/firewall sources) Sumo Logic CSE normalised schema with baseImage and commandLine fields (from Sysmon EventCode 1) _sourceCategory=*proxy* or *web/gateway* _sourceCategory=*endpoint/windows* or *sysmon*

False Positives

Security engineers or pentesters running theHarvester, Amass, or Subfinder for authorised external recon against the organisation's own domains will trigger the OSINTToolExecution branch — cross-reference with the security engagement calendar and suppress by srcDevice_hostname for the authorised testing asset.
MaxMind GeoIP lookups embedded in web application frameworks, CDN edge nodes, or cloud services generate outbound connections to maxmind.com for request geolocation — these are expected and high-volume; filter by srcDevice_hostname or user_username for known application service accounts.
Browser-based navigation to arin.net, ripe.net, or bgp.he.net by any user for BGP route lookups or IP ownership research will produce http_hostname hits — tune by correlating with the baseImage field to restrict to non-browser parent processes, or add user_username exclusions for network engineering teams.
Automated infrastructure-as-code validation pipelines (Terraform, Ansible, Pulumi) that run nmap for connectivity checks during environment provisioning will match baseImage patterns — filter by commandLine prefix for known provisioning tool parent process names.

Google Chronicle / SecOps

yaral

rule t1590_005_ip_address_reconnaissance {
  meta:
    author = "Detection Engineering"
    description = "Detects IP address reconnaissance via OSINT platform web requests, DNS lookups, or network scanning tool execution — T1590.005 IP Addresses"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.005"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1590/005/"

  events:
    (
      $e.metadata.event_type = "NETWORK_HTTP" and
      re.regex($e.target.hostname,
        `(?i)(shodan\.io|censys\.io|ipinfo\.io|ipapi\.co|ip-api\.com|ipwhois\.io|bgp\.he\.net|arin\.net|ripe\.net|apnic\.net|lacnic\.net|afrinic\.net|spyse\.com|fofa\.info|zoomeye\.org|dnsdumpster\.com|hackertarget\.com|viewdns\.info|ipvoid\.com|whatismyipaddress\.com|ip2location\.com|maxmind\.com|greynoise\.io|binaryedge\.io|onyphe\.io)`)
    ) or
    (
      $e.metadata.event_type = "NETWORK_DNS" and
      re.regex($e.network.dns.questions.name,
        `(?i)(shodan\.io|censys\.io|ipinfo\.io|ipapi\.co|ip-api\.com|ipwhois\.io|bgp\.he\.net|arin\.net|ripe\.net|apnic\.net|lacnic\.net|afrinic\.net|spyse\.com|fofa\.info|zoomeye\.org|dnsdumpster\.com|hackertarget\.com|viewdns\.info|ipvoid\.com|whatismyipaddress\.com|ip2location\.com|maxmind\.com|greynoise\.io|binaryedge\.io|onyphe\.io)`)
    ) or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(nmap|masscan|zmap|theharvester|amass|subfinder|spiderfoot|recon-ng|maltego)(\.exe)?$`) or
        re.regex($e.target.process.command_line,
          `(?i)(shodan search|censys search|nmap -s[nSp]|masscan --rate|zmap -p|theharvester -d|amass enum|subfinder -d|spiderfoot -s)`)
      )
    )

  condition:
    $e
}

medium severity medium confidence

Data Sources

Chronicle UDM (Unified Data Model) Network proxy or web gateway logs ingested to Chronicle producing NETWORK_HTTP events DNS resolver or firewall DNS logs ingested to Chronicle producing NETWORK_DNS events Windows endpoint agent, Sysmon, or CrowdStrike logs ingested to Chronicle producing PROCESS_LAUNCH events

Required Tables

UDM NETWORK_HTTP events with target.hostname populated UDM NETWORK_DNS events with network.dns.questions.name populated UDM PROCESS_LAUNCH events with target.process.file.full_path and target.process.command_line populated

False Positives

Security operations teams performing routine threat intelligence enrichment will generate NETWORK_HTTP and NETWORK_DNS matches against Shodan, Censys, and GreyNoise — maintain a principal.hostname allowlist for SOC workstations and configure a reference list exclusion in the rule condition.
DNS-over-HTTPS (DoH) clients or recursive corporate DNS resolvers that cache and prefetch responses for IP intelligence service domains will produce NETWORK_DNS events without a corresponding active human-initiated lookup — correlate with NETWORK_HTTP events within a 30-second window to confirm deliberate intent.
Red team or authorised penetration testing engagements using Amass, Subfinder, or theHarvester against external targets will produce PROCESS_LAUNCH matches — coordinate with engagement scheduling and suppress by principal.hostname for the designated testing host.
Development environments executing nmap within automated network connectivity tests or infrastructure validation scripts (Ansible, Terraform) will match the PROCESS_LAUNCH branch — filter by target.process.parent.file.full_path for known CI orchestration executables.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|DnsRequest|NetworkConnectIP4)$/
| case {
    #event_simpleName = "ProcessRollup2"
    and (
      ImageFileName = /(?i)(nmap|masscan|zmap|theharvester|amass|subfinder|spiderfoot|recon-ng)((\.exe)?)$/
      or CommandLine = /(?i)(shodan\s+search|censys\s+search|nmap\s+-s[nSp]|masscan\s+--rate|zmap\s+-p|theharvester\s+-d|amass\s+enum|subfinder\s+-d|spiderfoot\s+-s)/
    )
    => DetectionBranch := "OSINTToolExecution";

    #event_simpleName = "DnsRequest"
    and DomainName = /(?i)(shodan\.io|censys\.io|ipinfo\.io|ipapi\.co|ip-api\.com|ipwhois\.io|bgp\.he\.net|arin\.net|ripe\.net|apnic\.net|lacnic\.net|afrinic\.net|spyse\.com|fofa\.info|zoomeye\.org|dnsdumpster\.com|hackertarget\.com|viewdns\.info|ipvoid\.com|whatismyipaddress\.com|ip2location\.com|maxmind\.com|greynoise\.io|binaryedge\.io|onyphe\.io)/
    => DetectionBranch := "IPIntelDNSLookup";

    #event_simpleName = "NetworkConnectIP4"
    and RemotePort in [80, 443]
    and ContextProcessName = /(?i)(nmap|masscan|zmap|curl|wget|python[23]?|powershell)/
    => DetectionBranch := "OSINTNetworkConnect";

    * => drop();
  }
| table([#event_simpleName, ComputerName, UserName, ImageFileName, CommandLine,
    DomainName, RemoteAddressIP4, RemotePort, ContextProcessName, DetectionBranch, @timestamp])
| sort(@timestamp, order=desc)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (Endpoint Activity Monitor — EAM telemetry) CrowdStrike Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike Falcon Event Stream API

Required Tables

ProcessRollup2 DnsRequest NetworkConnectIP4

False Positives

Falcon sensor telemetry from security operations workstations will produce DnsRequest hits for Shodan, Censys, and GreyNoise lookups performed by analysts during threat investigations — suppress by ComputerName using a reference list of known SOC asset hostnames.
Legitimate IT asset management tools such as Tenable Nessus or Rapid7 InsightVM use nmap-compatible discovery engine binaries that will match the ProcessRollup2 ImageFileName regex — add a ComputerName exclusion for the dedicated scanner hosts or filter by UserName for the scanner service account.
Python or PowerShell scripts used by SOAR platforms for IP reputation enrichment (querying ipinfo.io or ip-api.com) will match the NetworkConnectIP4 branch when ContextProcessName is python or powershell — filter by CommandLine prefix for the SOAR enrichment script path or by the parent process PPID.
Browser DNS prefetching on managed endpoints may produce DnsRequest events for IP intelligence domains previously visited without any current active lookup — correlate with a ProcessRollup2 event for a non-browser process within a 60-second window to reduce browser-originated noise.

Last updated: 2026-04-14 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1590.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1590Gather Victim Network Information

Related Sub-techniques

T1590.001Domain Properties T1590.002DNS T1590.003Network Trust Dependencies T1590.004Network Topology T1590.006Network Security Appliances

IP Addresses

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections