Detect IP Addresses in CrowdStrike LogScale
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted. Adversaries gather this information via direct collection actions (active scanning, phishing for information) or through online data sets such as WHOIS, ARIN, RIPE, passive DNS repositories, and IP intelligence platforms like Shodan or Censys.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1590 Gather Victim Network Information
- Sub-technique
- T1590.005 IP Addresses
- Canonical reference
- https://attack.mitre.org/techniques/T1590/005/
LogScale Detection Query
#event_simpleName = /^(ProcessRollup2|DnsRequest|NetworkConnectIP4)$/
| case {
#event_simpleName = "ProcessRollup2"
and (
ImageFileName = /(?i)(nmap|masscan|zmap|theharvester|amass|subfinder|spiderfoot|recon-ng)((\.exe)?)$/
or CommandLine = /(?i)(shodan\s+search|censys\s+search|nmap\s+-s[nSp]|masscan\s+--rate|zmap\s+-p|theharvester\s+-d|amass\s+enum|subfinder\s+-d|spiderfoot\s+-s)/
)
=> DetectionBranch := "OSINTToolExecution";
#event_simpleName = "DnsRequest"
and DomainName = /(?i)(shodan\.io|censys\.io|ipinfo\.io|ipapi\.co|ip-api\.com|ipwhois\.io|bgp\.he\.net|arin\.net|ripe\.net|apnic\.net|lacnic\.net|afrinic\.net|spyse\.com|fofa\.info|zoomeye\.org|dnsdumpster\.com|hackertarget\.com|viewdns\.info|ipvoid\.com|whatismyipaddress\.com|ip2location\.com|maxmind\.com|greynoise\.io|binaryedge\.io|onyphe\.io)/
=> DetectionBranch := "IPIntelDNSLookup";
#event_simpleName = "NetworkConnectIP4"
and RemotePort in [80, 443]
and ContextProcessName = /(?i)(nmap|masscan|zmap|curl|wget|python[23]?|powershell)/
=> DetectionBranch := "OSINTNetworkConnect";
* => drop();
}
| table([#event_simpleName, ComputerName, UserName, ImageFileName, CommandLine,
DomainName, RemoteAddressIP4, RemotePort, ContextProcessName, DetectionBranch, @timestamp])
| sort(@timestamp, order=desc)CrowdStrike LogScale CQL query covering three Falcon telemetry event types. ProcessRollup2 events match endpoint process execution where ImageFileName matches known OSINT and network reconnaissance tool names or CommandLine contains characteristic argument patterns (shodan search, censys search, amass enum, etc.). DnsRequest events detect DNS queries from managed endpoints resolving IP intelligence platform hostnames, providing pre-connection visibility. NetworkConnectIP4 events detect outbound TCP connections to HTTP/HTTPS ports from processes associated with reconnaissance tooling. CQL case branching assigns a DetectionBranch label for analyst triage and suppresses unmatched events.
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor telemetry from security operations workstations will produce DnsRequest hits for Shodan, Censys, and GreyNoise lookups performed by analysts during threat investigations — suppress by ComputerName using a reference list of known SOC asset hostnames.
- Legitimate IT asset management tools such as Tenable Nessus or Rapid7 InsightVM use nmap-compatible discovery engine binaries that will match the ProcessRollup2 ImageFileName regex — add a ComputerName exclusion for the dedicated scanner hosts or filter by UserName for the scanner service account.
- Python or PowerShell scripts used by SOAR platforms for IP reputation enrichment (querying ipinfo.io or ip-api.com) will match the NetworkConnectIP4 branch when ContextProcessName is python or powershell — filter by CommandLine prefix for the SOAR enrichment script path or by the parent process PPID.
- Browser DNS prefetching on managed endpoints may produce DnsRequest events for IP intelligence domains previously visited without any current active lookup — correlate with a ProcessRollup2 event for a non-browser process within a 60-second window to reduce browser-originated noise.
Other platforms for T1590.005
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Shodan CLI IP Range Query
Expected signal: DNS query for shodan.io (Sysmon Event ID 22 on Windows / auditd on Linux). Outbound HTTPS connection to shodan.io:443 (Sysmon Event ID 3 / auditd network log). On Linux: auditd EXECVE record for pip and shodan commands. Proxy log entry with cs_host=shodan.io and cs_username if authenticated proxy is in use.
- Test 2ARIN WHOIS IP Block Lookup via curl
Expected signal: DNS resolution of whois.arin.net (Sysmon Event ID 22 / DNS logs). Outbound HTTPS connection to whois.arin.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET request visible in proxy logs with URI path /rest/ip/<target_ip>. On Windows: DeviceNetworkEvents record with RemoteUrl containing 'arin.net'.
- Test 3nmap Ping Sweep of IP Range
Expected signal: Process creation event for nmap with command line containing '-sn' and the target IP range (Sysmon Event ID 1 / auditd EXECVE). File creation event for /tmp/df00tech-nmap-test.xml (Sysmon Event ID 11). ICMP packets visible in network capture or firewall logs (no TCP/UDP — this is ping-only). On Windows: DeviceProcessEvents with FileName='nmap.exe' and ProcessCommandLine containing '-sn'.
- Test 4theHarvester IP and Subdomain Enumeration
Expected signal: Process creation for theHarvester with arguments '-d example.com -b dnsdumpster,bing' (Sysmon Event ID 1 / auditd). Outbound DNS queries and HTTPS connections to dnsdumpster.com and bing.com (Sysmon Event IDs 3, 22). File creation events for /tmp/df00tech-harvester-test.html and /tmp/df00tech-harvester-test.xml. Proxy logs showing connections to dnsdumpster.com with user-agent containing 'theHarvester' or Python requests.
- Test 5BGP.he.net ASN IP Range Discovery
Expected signal: DNS query for bgp.he.net (Sysmon Event ID 22). Outbound HTTPS connection to bgp.he.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET for /AS<number> visible in proxy logs with the target ASN in the URI path. DeviceNetworkEvents record with RemoteUrl containing 'bgp.he.net'.
References (14)
- https://attack.mitre.org/techniques/T1590/005/
- https://www.circl.lu/services/passive-dns/
- https://dnsdumpster.com/
- https://who.is/
- https://www.arin.net/resources/registry/whois/
- https://www.ripe.net/manage-ips-and-asns/
- https://www.shodan.io/
- https://censys.io/
- https://bgp.he.net/
- https://github.com/laramies/theHarvester
- https://nmap.org/docs.html
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1590.005/T1590.005.md
Unlock Pro Content
Get the full detection package for T1590.005 including response playbook, investigation guide, and atomic red team tests.