Detect IP Addresses in Google Chronicle
Adversaries may gather the victim's IP addresses for use during targeting. Public IP addresses are typically allocated to organizations in blocks (ranges of sequential addresses), and registry data about those allocations can reveal which addresses are in use. IP addresses may also let an adversary derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and where or how its publicly-facing infrastructure is hosted. Adversaries gather this information through direct collection (active scanning, phishing for information) or through online data sets such as regional registry WHOIS services (ARIN, RIPE), passive DNS repositories, and IP intelligence platforms like Shodan or Censys.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1590 Gather Victim Network Information
- Sub-technique: T1590.005 IP Addresses
- Canonical reference: https://attack.mitre.org/techniques/T1590/005/
YARA-L Detection Query
rule t1590_005_ip_address_reconnaissance {
  meta:
    author = "Detection Engineering"
    description = "Detects IP address reconnaissance via OSINT platform web requests, DNS lookups, or network scanning tool execution - T1590.005 IP Addresses"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.005"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1590/005/"

  events:
    // Branch 1: outbound web request to a known IP intelligence / registry platform
    (
      $e.metadata.event_type = "NETWORK_HTTP" and
      re.regex($e.target.hostname,
        `(?i)(shodan\.io|censys\.io|ipinfo\.io|ipapi\.co|ip-api\.com|ipwhois\.io|bgp\.he\.net|arin\.net|ripe\.net|apnic\.net|lacnic\.net|afrinic\.net|spyse\.com|fofa\.info|zoomeye\.org|dnsdumpster\.com|hackertarget\.com|viewdns\.info|ipvoid\.com|whatismyipaddress\.com|ip2location\.com|maxmind\.com|greynoise\.io|binaryedge\.io|onyphe\.io)`)
    ) or
    // Branch 2: DNS resolution of the same service domains (fires even when the HTTP traffic is encrypted)
    (
      $e.metadata.event_type = "NETWORK_DNS" and
      re.regex($e.network.dns.questions.name,
        `(?i)(shodan\.io|censys\.io|ipinfo\.io|ipapi\.co|ip-api\.com|ipwhois\.io|bgp\.he\.net|arin\.net|ripe\.net|apnic\.net|lacnic\.net|afrinic\.net|spyse\.com|fofa\.info|zoomeye\.org|dnsdumpster\.com|hackertarget\.com|viewdns\.info|ipvoid\.com|whatismyipaddress\.com|ip2location\.com|maxmind\.com|greynoise\.io|binaryedge\.io|onyphe\.io)`)
    ) or
    // Branch 3: execution of network reconnaissance tooling, by binary name or by characteristic arguments
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(nmap|masscan|zmap|theharvester|amass|subfinder|spiderfoot|recon-ng|maltego)(\.exe)?$`) or
        re.regex($e.target.process.command_line,
          `(?i)(shodan search|censys search|nmap -s[nSp]|masscan --rate|zmap -p|theharvester -d|amass enum|subfinder -d|spiderfoot -s)`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule covering three UDM event types. The NETWORK_HTTP branch matches outbound requests whose target.hostname is a known IP OSINT platform or regional registry; it depends on a proxy or TLS-inspecting log source that populates the hostname, since plain flow logs of HTTPS traffic will not. The NETWORK_DNS branch matches queries for the same service domains, which fires before the connection is made and still works when the HTTP traffic itself is encrypted. The PROCESS_LAUNCH branch matches execution of network reconnaissance tools by executable name (with an optional .exe suffix) or by characteristic command-line arguments. All three branches use re.regex, which is a case-insensitive, unanchored substring match: a hostname only has to contain one of the listed domains anywhere, so an unrelated hostname that happens to end in the letters of a listed domain (for example anything whose label ends in "arin.net") will also fire. If that produces noise, anchor the hostname patterns to the end of the string so the listed domain must be the whole hostname or a parent of it.
Data Sources
- NETWORK_HTTP: web proxy or TLS-inspecting gateway logs normalised into UDM with target.hostname populated.
- NETWORK_DNS: DNS server or endpoint DNS query logs (for example Sysmon Event ID 22) normalised into UDM network.dns.questions.
- PROCESS_LAUNCH: EDR, Sysmon (Event ID 1) or auditd process creation telemetry carrying target.process.file.full_path and target.process.command_line.
False Positives & Tuning
- Security operations teams performing routine threat intelligence enrichment will generate NETWORK_HTTP and NETWORK_DNS matches against Shodan, Censys and GreyNoise. Maintain a reference list of SOC workstation hostnames and exclude them on principal.hostname in the events section of the rule (the condition section cannot filter on field values).
- DNS-over-HTTPS (DoH) clients, and recursive corporate resolvers that cache and prefetch responses for IP intelligence service domains, produce NETWORK_DNS events with no deliberate user lookup behind them. Correlate a DNS match with a NETWORK_HTTP event from the same principal within a 30-second window before treating it as intentional.
- Red team or authorised penetration testing engagements using Amass, Subfinder or theHarvester against external targets will produce PROCESS_LAUNCH matches. Coordinate with engagement scheduling and suppress by principal.hostname for the designated testing hosts.
- Development environments that run nmap inside automated connectivity tests or infrastructure validation scripts (Ansible, Terraform) will match the PROCESS_LAUNCH branch. Filter on target.process.parent.file.full_path for known CI orchestration executables rather than on the tool name, so interactive use of the same tool still alerts.
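The rule above cannot be executed outside Chronicle, so the following added example (not part of the page's rule set) models its three branches in plain Python so the regexes and the allowlist tuning described in the bullets can be unit-tested against constructed UDM-shaped events before deployment. It also shows the substring-matching behaviour of the unanchored hostname pattern beside a tightened, end-anchored variant. The sample events, hostnames and the SOC allowlist are constructed for this example; the allowlist stands in for a Chronicle reference list checked on principal.hostname.

```python
import re

# Domain list copied from the rule's NETWORK_HTTP / NETWORK_DNS branches.
OSINT_DOMAINS = [
    "shodan.io", "censys.io", "ipinfo.io", "ipapi.co", "ip-api.com", "ipwhois.io",
    "bgp.he.net", "arin.net", "ripe.net", "apnic.net", "lacnic.net", "afrinic.net",
    "spyse.com", "fofa.info", "zoomeye.org", "dnsdumpster.com", "hackertarget.com",
    "viewdns.info", "ipvoid.com", "whatismyipaddress.com", "ip2location.com",
    "maxmind.com", "greynoise.io", "binaryedge.io", "onyphe.io",
]
_ALTS = "|".join(re.escape(d) for d in OSINT_DOMAINS)
# As written in the rule: an unanchored search, like YARA-L's re.regex.
OSINT_UNANCHORED = re.compile(rf"(?i)({_ALTS})")
# Tightened variant: the listed domain must be the whole hostname or a parent
# domain of it, so a hostname that merely contains "arin.net" does not fire.
OSINT_ANCHORED = re.compile(rf"(?i)(^|\.)({_ALTS})$")

RECON_TOOL_PATH = re.compile(
    r"(?i)(nmap|masscan|zmap|theharvester|amass|subfinder|spiderfoot|recon-ng|maltego)(\.exe)?$")
RECON_CMDLINE = re.compile(
    r"(?i)(shodan search|censys search|nmap -s[nSp]|masscan --rate|zmap -p|"
    r"theharvester -d|amass enum|subfinder -d|spiderfoot -s)")


def udm_get(event, path, default=None):
    """Walk a dotted UDM path through nested dicts; a missing key yields default."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def evaluate(event, allowlist=frozenset(), anchored=False):
    """Return the branch that fires ("http", "dns", "process") or None.

    Mirrors the rule's three OR-ed event blocks. `allowlist` stands in for a
    reference list of SOC / red-team hosts excluded on principal.hostname
    (a constructed stand-in, not a Chronicle API); `anchored` selects the
    tightened hostname regex.
    """
    host_re = OSINT_ANCHORED if anchored else OSINT_UNANCHORED
    if udm_get(event, "principal.hostname") in allowlist:
        return None
    etype = udm_get(event, "metadata.event_type")
    if etype == "NETWORK_HTTP":
        if host_re.search(udm_get(event, "target.hostname", "")):
            return "http"
    elif etype == "NETWORK_DNS":
        # network.dns.questions is a repeated field: any question name matching counts.
        for question in udm_get(event, "network.dns.questions", []):
            if host_re.search(question.get("name", "")):
                return "dns"
    elif etype == "PROCESS_LAUNCH":
        if (RECON_TOOL_PATH.search(udm_get(event, "target.process.file.full_path", ""))
                or RECON_CMDLINE.search(udm_get(event, "target.process.command_line", ""))):
            return "process"
    return None


# Constructed sample events (not real telemetry), shaped like UDM records.
SAMPLE_EVENTS = {
    "shodan_http": {"metadata": {"event_type": "NETWORK_HTTP"},
                    "principal": {"hostname": "ws-dev-07"},
                    "target": {"hostname": "api.shodan.io"}},
    "censys_dns": {"metadata": {"event_type": "NETWORK_DNS"},
                   "principal": {"hostname": "ws-dev-07"},
                   "network": {"dns": {"questions": [{"name": "search.censys.io"}]}}},
    "nmap_sweep": {"metadata": {"event_type": "PROCESS_LAUNCH"},
                   "principal": {"hostname": "ws-dev-07"},
                   "target": {"process": {"file": {"full_path": "/usr/bin/nmap"},
                                          "command_line": "nmap -sn 203.0.113.0/24"}}},
    # SOC enrichment from an allowlisted analyst workstation: must be suppressed.
    "soc_enrichment": {"metadata": {"event_type": "NETWORK_HTTP"},
                       "principal": {"hostname": "soc-analyst-01"},
                       "target": {"hostname": "api.greynoise.io"}},
    # Unrelated hostname that merely contains "arin.net" as a substring.
    "unrelated_host": {"metadata": {"event_type": "NETWORK_HTTP"},
                       "principal": {"hostname": "ws-dev-07"},
                       "target": {"hostname": "www.marin.net"}},
}
SOC_ALLOWLIST = frozenset({"soc-analyst-01"})


def run_samples(anchored=False):
    """Evaluate every sample event; returns {name: branch-or-None}."""
    return {name: evaluate(ev, SOC_ALLOWLIST, anchored) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("anchored" if mode else "unanchored", run_samples(mode))
```

With the rule's own unanchored pattern, the "unrelated_host" event fires the http branch purely because "www.marin.net" contains "arin.net"; the anchored variant keeps the three true positives and the allowlist suppression while dropping that match. The same adjustment (a `(^|\.)` prefix and `$` suffix around the alternation) carries over directly into the YARA-L re.regex patterns.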
Testing Methodology
Validate this detection with the five tests below, modelled on Atomic Red Team style tests for T1590.005. Each test lists the behaviour to exercise and the telemetry you should expect to see; check that the matching rule branch fires for each one.
- Test 1: Shodan CLI IP Range Query
Expected signal: DNS query for shodan.io (Sysmon Event ID 22 on Windows; DNS server or resolver logs on Linux). Outbound HTTPS connection to shodan.io:443 (Sysmon Event ID 3 / firewall log). On Linux: auditd EXECVE records for the pip and shodan commands. Proxy log entry with cs_host=shodan.io, plus cs_username if an authenticating proxy is in use. Rule branches exercised: NETWORK_DNS, NETWORK_HTTP and, via the "shodan search" argument, PROCESS_LAUNCH.
- Test 2: ARIN WHOIS IP Block Lookup via curl
Expected signal: DNS resolution of whois.arin.net (Sysmon Event ID 22 / DNS logs). Outbound HTTPS connection to whois.arin.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET request visible in proxy logs with URI path /rest/ip/<target_ip>. On Windows: DeviceNetworkEvents record with RemoteUrl containing 'arin.net'. Rule branches exercised: NETWORK_DNS and NETWORK_HTTP.
- Test 3: nmap Ping Sweep of IP Range
Expected signal: Process creation event for nmap with a command line containing '-sn' and the target IP range (Sysmon Event ID 1 / auditd EXECVE). File creation event for /tmp/df00tech-nmap-test.xml (Sysmon Event ID 11). Host-discovery probes visible in a network capture or firewall logs: ICMP echo requests and, when nmap runs with raw-socket privileges, also a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request per host (an unprivileged run falls back to TCP connect() to ports 80 and 443, and on a local Ethernet segment nmap uses ARP instead); no port scan follows. On Windows: DeviceProcessEvents with FileName='nmap.exe' and ProcessCommandLine containing '-sn'. Rule branch exercised: PROCESS_LAUNCH, by both the path and the command-line pattern.
- Test 4: theHarvester IP and Subdomain Enumeration
Expected signal: Process creation for theHarvester with arguments '-d example.com -b dnsdumpster,bing' (Sysmon Event ID 1 / auditd). Outbound DNS queries and HTTPS connections to dnsdumpster.com and bing.com (Sysmon Event IDs 22 and 3). File creation events for /tmp/df00tech-harvester-test.html and /tmp/df00tech-harvester-test.xml. Proxy logs showing connections to dnsdumpster.com with a user-agent containing 'theHarvester' or the Python requests default. Rule branches exercised: PROCESS_LAUNCH, NETWORK_DNS and NETWORK_HTTP (dnsdumpster.com is in the domain list; bing.com is not).
- Test 5: BGP.he.net ASN IP Range Discovery
Expected signal: DNS query for bgp.he.net (Sysmon Event ID 22). Outbound HTTPS connection to bgp.he.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET for /AS<number> visible in proxy logs with the target ASN in the URI path. DeviceNetworkEvents record with RemoteUrl containing 'bgp.he.net'. Rule branches exercised: NETWORK_DNS and NETWORK_HTTP.
References
- https://attack.mitre.org/techniques/T1590/005/
- https://www.circl.lu/services/passive-dns/
- https://dnsdumpster.com/
- https://who.is/
- https://www.arin.net/resources/registry/whois/
- https://www.ripe.net/manage-ips-and-asns/
- https://www.shodan.io/
- https://censys.io/
- https://bgp.he.net/
- https://github.com/laramies/theHarvester
- https://nmap.org/docs.html
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1590.005/T1590.005.md