Detect IP Addresses in Splunk
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or as a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where and how their publicly-facing infrastructure is hosted. Adversaries gather this information via direct collection actions (active scanning, phishing for information) or through online data sets such as WHOIS, ARIN, RIPE, passive DNS repositories, and IP intelligence platforms like Shodan or Censys.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1590 Gather Victim Network Information
- Sub-technique: T1590.005 IP Addresses
- Canonical reference: https://attack.mitre.org/techniques/T1590/005/
SPL Detection Query
| multisearch
[ search index=proxy sourcetype=bluecoat OR sourcetype=squid OR sourcetype="cisco:esa" OR sourcetype="pan:traffic"
(cs_host="shodan.io" OR cs_host="censys.io" OR cs_host="ipinfo.io" OR cs_host="ipapi.co"
OR cs_host="ip-api.com" OR cs_host="bgp.he.net" OR cs_host="arin.net" OR cs_host="ripe.net"
OR cs_host="apnic.net" OR cs_host="lacnic.net" OR cs_host="afrinic.net" OR cs_host="spyse.com"
OR cs_host="fofa.info" OR cs_host="zoomeye.org" OR cs_host="dnsdumpster.com"
OR cs_host="hackertarget.com" OR cs_host="viewdns.info" OR cs_host="ipvoid.com"
OR cs_host="binaryedge.io" OR cs_host="greynoise.io" OR cs_host="onyphe.io")
| eval DetectionBranch="ProxyIPIntelLookup"
| eval ToolOrDomain=cs_host
| eval UserOrAccount=cs_username ]
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\nmap.exe" OR Image="*\\masscan.exe" OR Image="*\\zmap.exe"
OR Image="*\\theharvester.exe" OR Image="*\\amass.exe" OR Image="*\\subfinder.exe"
OR CommandLine="*shodan search*" OR CommandLine="*censys search*"
OR CommandLine="*nmap -sn*" OR CommandLine="*nmap -p*" OR CommandLine="*masscan --rate*"
OR CommandLine="*spiderfoot*" OR CommandLine="*recon-ng*")
| eval DetectionBranch="OSINTToolEndpoint"
| eval ToolOrDomain=Image
| eval UserOrAccount=User ]
| eval src_ip=coalesce(c_ip, src_ip)
| eval dest_host=coalesce(cs_host, ToolOrDomain)
| table _time, host, UserOrAccount, src_ip, dest_host, CommandLine, DetectionBranch
| sort - _time
Detects IP address reconnaissance activity across two log sources using Splunk multisearch. The first branch searches web proxy logs (Bluecoat, Squid, Cisco ESA, Palo Alto) for outbound HTTP/HTTPS connections from corporate users to known IP intelligence platforms including Shodan, Censys, ARIN, RIPE, and passive DNS/IP lookup APIs. The second branch searches Sysmon Event ID 1 (Process Create) logs for execution of OSINT tools known to gather IP address and network infrastructure data. Both branches enrich results with a DetectionBranch field for analyst triage. The query coalesces field names across sourcetypes for consistent output. Since this is a PRE-attack technique occurring primarily outside the victim environment, confidence is set to low.
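To show how the two branches and the analyst allowlist from the tuning notes behave over concrete events, here is an added Python example (not the page's SPL or any vendor's code) that mirrors the query's field names over constructed proxy and Sysmon events; it goes slightly beyond the query by also matching subdomains of the listed platforms, which the exact cs_host comparisons above do not. The event dicts, SAMPLE_EVENTS and the allowlist are assumptions made for the example.

```python
# Added example (not the page's SPL): the multisearch's two branches as plain Python over
# constructed proxy and Sysmon events. Field names mirror the query; events are hypothetical.
IP_INTEL_DOMAINS = {"shodan.io", "censys.io", "ipinfo.io", "ipapi.co", "ip-api.com",
                    "bgp.he.net", "arin.net", "ripe.net", "dnsdumpster.com", "greynoise.io"}
OSINT_IMAGES = {"nmap.exe", "masscan.exe", "zmap.exe", "theharvester.exe", "amass.exe", "subfinder.exe"}
OSINT_CMDLINE = ("shodan search", "censys search", "nmap -sn", "nmap -p",
                 "masscan --rate", "spiderfoot", "recon-ng")

def host_matches(host, domains):
    # True for a listed domain or any subdomain of it. The SPL's cs_host="shodan.io" is an exact
    # match, so api.shodan.io would slip past; checking parent labels closes that gap without
    # matching look-alikes such as notshodan.io.
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))

def proxy_branch(ev):
    # ProxyIPIntelLookup: outbound web request to an IP intelligence platform.
    if not host_matches(ev.get("cs_host", ""), IP_INTEL_DOMAINS):
        return None
    return {"_time": ev["_time"], "host": ev["host"], "UserOrAccount": ev.get("cs_username"),
            "src_ip": ev.get("c_ip"), "dest_host": ev["cs_host"], "CommandLine": None,
            "DetectionBranch": "ProxyIPIntelLookup"}

def sysmon_branch(ev):
    # OSINTToolEndpoint: Sysmon Event ID 1 with a recon tool image or command line.
    if ev.get("EventCode") != 1:
        return None
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine", "").lower()
    if image not in OSINT_IMAGES and not any(p in cmd for p in OSINT_CMDLINE):
        return None
    return {"_time": ev["_time"], "host": ev["host"], "UserOrAccount": ev.get("User"),
            "src_ip": ev.get("src_ip"), "dest_host": ev.get("Image"),
            "CommandLine": ev.get("CommandLine"), "DetectionBranch": "OSINTToolEndpoint"}

def detect(events, allowlist=frozenset()):
    # Run both branches, drop accounts allowlisted for attack-surface monitoring duties
    # (the tuning described on this page) and return newest first, like `sort - _time`.
    hits = [h for ev in events for h in (proxy_branch(ev), sysmon_branch(ev))
            if h and h["UserOrAccount"] not in allowlist]
    return sorted(hits, key=lambda h: h["_time"], reverse=True)

# Constructed sample events: a proxy hit on a subdomain, a Sysmon nmap ping sweep,
# a benign proxy request and an allowlisted analyst's ARIN lookup.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:15:00Z", "host": "proxy01", "c_ip": "10.1.2.3", "cs_host": "api.shodan.io", "cs_username": "jdoe"},
    {"_time": "2024-05-01T09:16:00Z", "host": "ws-042", "EventCode": 1, "User": "CORP\\jdoe", "Image": "C:\\Tools\\nmap.exe", "CommandLine": "nmap -sn 203.0.113.0/24"},
    {"_time": "2024-05-01T09:17:00Z", "host": "proxy01", "c_ip": "10.1.2.4", "cs_host": "www.example.com", "cs_username": "asmith"},
    {"_time": "2024-05-01T09:18:00Z", "host": "proxy01", "c_ip": "10.1.2.5", "cs_host": "whois.arin.net", "cs_username": "ti-analyst"},
]
```

Calling detect(SAMPLE_EVENTS, allowlist={"ti-analyst"}) yields the nmap sweep and the Shodan lookup while suppressing the analyst's ARIN query; without the allowlist all three hits are returned.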
Data Sources
Required Sourcetypes
False Positives & Tuning
- Security operations and threat intelligence analysts querying Shodan, Censys, ARIN, and RIPE as part of daily attack surface monitoring duties
- Network engineers running nmap or masscan scans during authorized change windows for asset discovery
- Red team and penetration testers conducting authorized engagements — coordinate with testing calendar to suppress alerts during assessment windows
- Developers and DevOps engineers embedding IP geolocation API calls (ipinfo.io, ip-api.com) in application code or deployment scripts
Other platforms for T1590.005
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Shodan CLI IP Range Query
Expected signal: DNS query for shodan.io (Sysmon Event ID 22 on Windows / auditd on Linux). Outbound HTTPS connection to shodan.io:443 (Sysmon Event ID 3 / auditd network log). On Linux: auditd EXECVE record for pip and shodan commands. Proxy log entry with cs_host=shodan.io and cs_username if an authenticated proxy is in use.
- Test 2: ARIN WHOIS IP Block Lookup via curl
Expected signal: DNS resolution of whois.arin.net (Sysmon Event ID 22 / DNS logs). Outbound HTTPS connection to whois.arin.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET request visible in proxy logs with URI path /rest/ip/<target_ip>. On Windows: DeviceNetworkEvents record with RemoteUrl containing 'arin.net'.
- Test 3: nmap Ping Sweep of IP Range
Expected signal: Process creation event for nmap with command line containing '-sn' and the target IP range (Sysmon Event ID 1 / auditd EXECVE). File creation event for /tmp/df00tech-nmap-test.xml (Sysmon Event ID 11). ICMP packets visible in network capture or firewall logs (no TCP/UDP — this is ping-only). On Windows: DeviceProcessEvents with FileName='nmap.exe' and ProcessCommandLine containing '-sn'.
- Test 4: theHarvester IP and Subdomain Enumeration
Expected signal: Process creation for theHarvester with arguments '-d example.com -b dnsdumpster,bing' (Sysmon Event ID 1 / auditd). Outbound DNS queries and HTTPS connections to dnsdumpster.com and bing.com (Sysmon Event IDs 3, 22). File creation events for /tmp/df00tech-harvester-test.html and /tmp/df00tech-harvester-test.xml. Proxy logs showing connections to dnsdumpster.com with a user-agent containing 'theHarvester' or Python requests.
- Test 5: BGP.he.net ASN IP Range Discovery
Expected signal: DNS query for bgp.he.net (Sysmon Event ID 22). Outbound HTTPS connection to bgp.he.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET for /AS<number> visible in proxy logs with the target ASN in the URI path. DeviceNetworkEvents record with RemoteUrl containing 'bgp.he.net'.
References (14)
- https://attack.mitre.org/techniques/T1590/005/
- https://www.circl.lu/services/passive-dns/
- https://dnsdumpster.com/
- https://who.is/
- https://www.arin.net/resources/registry/whois/
- https://www.ripe.net/manage-ips-and-asns/
- https://www.shodan.io/
- https://censys.io/
- https://bgp.he.net/
- https://github.com/laramies/theHarvester
- https://nmap.org/docs.html
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1590.005/T1590.005.md