title: IP Addresses (T1590.005)
id: df00tech-t1590-005
status: experimental
description: "Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted. Adversaries gather this information via direct collection actions (active scanning, phishing for information) or through online data sets such as WHOIS, ARIN, RIPE, passive DNS repositories, and IP intelligence platforms like Shodan or Censys."
references:
  - https://attack.mitre.org/techniques/T1590/005/
  - https://df00tech.com/detections/T1590.005
author: df00tech
date: 2026/04/14
tags:
  - attack.t1590.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: in Sigma the bare wildcard '*' matches any value, so this selection
  # matches every process_creation event and the rule fires on all process creations if
  # deployed as-is. Replace it with the logic from the linked query before enabling.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security analysts and threat intelligence teams routinely query Shodan, Censys, ARIN, and RIPE to assess the organization's external attack surface — this is expected and should be allowlisted by user/device"
  - Network engineers using nmap or masscan for authorized internal network discovery and asset inventory
  - Penetration testers performing authorized external assessments will use all of these tools and services legitimately
  - IT and DevOps staff querying ipinfo.io or similar APIs in automation scripts to geolocate user traffic or validate IP addresses
level: low
