T1590.005 Elastic Security · Elastic

Detect IP Addresses in Elastic Security

Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted. Adversaries gather this information via direct collection actions (active scanning, phishing for information) or through online data sets such as WHOIS, ARIN, RIPE, passive DNS repositories, and IP intelligence platforms like Shodan or Censys.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1590 Gather Victim Network Information
Sub-technique
T1590.005 IP Addresses
Canonical reference
https://attack.mitre.org/techniques/T1590/005/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.category == "network" and
    destination.domain in~ ("shodan.io", "censys.io", "ipinfo.io", "ipapi.co",
      "ip-api.com", "ipwhois.io", "bgp.he.net", "arin.net", "ripe.net",
      "apnic.net", "lacnic.net", "afrinic.net", "spyse.com", "fofa.info",
      "zoomeye.org", "dnsdumpster.com", "hackertarget.com", "viewdns.info",
      "ipvoid.com", "whatismyipaddress.com", "ip2location.com", "maxmind.com",
      "greynoise.io", "binaryedge.io", "onyphe.io")
  ) or
  (
    event.category == "process" and event.type == "start" and
    (
      process.name in~ ("nmap.exe", "nmap", "masscan.exe", "masscan",
        "zmap.exe", "zmap", "theharvester.exe", "theharvester",
        "amass.exe", "amass", "subfinder.exe", "subfinder",
        "spiderfoot.exe", "spiderfoot", "recon-ng") or
      process.command_line like~ "*shodan search*" or
      process.command_line like~ "*censys search*" or
      process.command_line like~ "*nmap -sn*" or
      process.command_line like~ "*nmap -p*" or
      process.command_line like~ "*masscan --rate*" or
      process.command_line like~ "*theharvester -d*" or
      process.command_line like~ "*amass enum*" or
      process.command_line like~ "*subfinder -d*"
    )
  )
medium severity medium confidence

Detects IP address intelligence gathering (T1590.005) via two branches: (1) outbound network connections from managed endpoints to known IP OSINT and intelligence platforms such as Shodan, Censys, ARIN, RIPE, and GreyNoise; (2) execution of active network reconnaissance tools including nmap, masscan, zmap, theHarvester, Amass, and Subfinder. Covers browser-based OSINT lookups, API calls to IP data services, and direct tool invocation from managed endpoints. Uses Elastic Common Schema (ECS) fields destination.domain and process.command_line across endpoint and network telemetry indices.

Data Sources

Elastic Agent Endpoint Security integration (process and network events)Elastic Agent Network Packet Capture or Zeek/Bro integrationWinlogbeat or Elastic Agent collecting Windows Sysmon EventCode 1 and 3Packetbeat for HTTP layer network metadata

Required Tables

logs-endpoint.events.network-*logs-endpoint.events.process-*logs-network_traffic.*logs-system.security-*

False Positives & Tuning

  • Security operations and threat intelligence analysts routinely query Shodan, Censys, GreyNoise, and ARIN for exposure assessments and IOC enrichment — allowlist by host.name or user.name for known SOC workstations and analyst accounts.
  • IT asset management platforms such as Qualys, Tenable Nessus, and Rapid7 InsightVM may call ip-api.com, ipinfo.io, or MaxMind GeoIP APIs to enrich discovered host records or determine geolocation — filter by the platform's service account or source host.
  • Legitimate penetration testing engagements or red team exercises running nmap, masscan, Amass, or Subfinder on managed endpoints will generate process.name matches — correlate against the security team's engagement calendar and suppress by host.name during authorised windows.
  • Development and QA pipelines running nmap as part of network connectivity validation or infrastructure smoke tests in CI/CD environments will produce process.type start events — filter by process.parent.name for known CI agent process names such as jenkins, gitlab-runner, or buildkite-agent.
Download portable Sigma rule (.yml)

Other platforms for T1590.005

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Shodan CLI IP Range Query

    Expected signal: DNS query for shodan.io (Sysmon Event ID 22 on Windows / auditd on Linux). Outbound HTTPS connection to shodan.io:443 (Sysmon Event ID 3 / auditd network log). On Linux: auditd EXECVE record for pip and shodan commands. Proxy log entry with cs_host=shodan.io and cs_username if authenticated proxy is in use.

  2. Test 2ARIN WHOIS IP Block Lookup via curl

    Expected signal: DNS resolution of whois.arin.net (Sysmon Event ID 22 / DNS logs). Outbound HTTPS connection to whois.arin.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET request visible in proxy logs with URI path /rest/ip/<target_ip>. On Windows: DeviceNetworkEvents record with RemoteUrl containing 'arin.net'.

  3. Test 3nmap Ping Sweep of IP Range

    Expected signal: Process creation event for nmap with command line containing '-sn' and the target IP range (Sysmon Event ID 1 / auditd EXECVE). File creation event for /tmp/df00tech-nmap-test.xml (Sysmon Event ID 11). ICMP packets visible in network capture or firewall logs (no TCP/UDP — this is ping-only). On Windows: DeviceProcessEvents with FileName='nmap.exe' and ProcessCommandLine containing '-sn'.

  4. Test 4theHarvester IP and Subdomain Enumeration

    Expected signal: Process creation for theHarvester with arguments '-d example.com -b dnsdumpster,bing' (Sysmon Event ID 1 / auditd). Outbound DNS queries and HTTPS connections to dnsdumpster.com and bing.com (Sysmon Event IDs 3, 22). File creation events for /tmp/df00tech-harvester-test.html and /tmp/df00tech-harvester-test.xml. Proxy logs showing connections to dnsdumpster.com with user-agent containing 'theHarvester' or Python requests.

  5. Test 5BGP.he.net ASN IP Range Discovery

    Expected signal: DNS query for bgp.he.net (Sysmon Event ID 22). Outbound HTTPS connection to bgp.he.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET for /AS<number> visible in proxy logs with the target ASN in the URI path. DeviceNetworkEvents record with RemoteUrl containing 'bgp.he.net'.

Last updated: 2026-04-14 Research depth: deep
References (14)

Unlock Pro Content

Get the full detection package for T1590.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1590Gather Victim Network Information

Related Sub-techniques

T1590.001Domain PropertiesT1590.002DNST1590.003Network Trust DependenciesT1590.004Network TopologyT1590.006Network Security Appliances

Related Techniques

T1590Gather Victim Network InformationT1590.002DNST1595Active ScanningT1595.001Scanning IP BlocksT1596.002WHOIST1596.001DNS/Passive DNST1593Search Open Websites/DomainsT1596.003Digital CertificatesT1133External Remote ServicesT1583Acquire Infrastructure

Same Tactic: Reconnaissance

Popular Detections