title: Scanning IP Blocks (T1595.001)
id: df00tech-t1595-001
status: experimental
description: "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Adversaries may scan IP blocks to gather victim network information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts. Information from these scans may reveal opportunities for other forms of reconnaissance, establishing operational resources, or gaining initial access."
references:
  - https://attack.mitre.org/techniques/T1595/001/
  - https://df00tech.com/detections/T1595.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1595.001
# NOTE: logsource is auto-derived. Scanning of public IP blocks is observed at the network
# boundary (firewall, IDS or flow logs, as src/dst/port tuples), not in Windows process
# creation events; change the logsource to match your perimeter telemetry before deploying.
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below (EventID: '*') matches every event in the logsource. It is a
  # placeholder only: enabling the rule as-is alerts on all process-creation events.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Authorized vulnerability scanners (Qualys, Tenable Nessus, Rapid7 InsightVM) running scheduled scans from dedicated scanner IPs; allowlist the scanner IP ranges"
  - "Internet-wide scanning services (Shodan, Censys, BinaryEdge, Shadowserver) continuously scan public IPs and will trigger high-volume alerts; maintain an allowlist of their published scanner ranges or AS numbers"
  - "Internal IT asset discovery tools (SCCM network discovery, ManageEngine, Spiceworks) scanning internal subnets; scope the detection to exclude known management VLAN source IPs"
  - "Load balancer health checks and monitoring systems (Pingdom, Datadog Synthetics, AWS ELB health checks) that repeatedly probe multiple ports on registered hosts"
  - "Red team engagements and authorized penetration tests; coordinate with the security team to suppress alerts during the test window"
level: medium
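# Added example (not part of the rule above and not df00tech's KQL/SPL query): the kind of
# scan detection this rule stands in for, run over constructed firewall log lines. It flags a
# source that touches many destination hosts inside a sliding window (a ping or SYN sweep of
# a block) or many ports on one host (a vertical scan), and skips sources in an allowlist of
# authorised scanner ranges, as the falsepositives list recommends. The key=value line
# format, the thresholds and the 192.0.2.0/24 allowlist are assumptions for illustration.

```python
"""Horizontal (many hosts) and vertical (many ports) scan detection over firewall logs.

Added example for this detection page, not df00tech's KQL/SPL query. The log line
format, the thresholds and the allowlist below are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed key=value export format; real firewalls and cloud flow logs differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)"
    r"(?:\s+dport=(?P<dport>\d+))?\s+action=(?P<action>\w+)$"
)

WINDOW_SECONDS = 300  # sliding window per source; tune to the size of the monitored block
HOST_THRESHOLD = 20   # distinct destination hosts from one source: horizontal sweep
PORT_THRESHOLD = 15   # distinct destination ports on one host from one source: vertical scan

# Constructed allowlist using a documentation range. In production this holds the
# dedicated Qualys/Nessus/InsightVM scanner ranges and the published ranges of
# Shodan, Censys, BinaryEdge and Shadowserver.
ALLOWED_SCANNERS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    event["dport"] = int(event["dport"]) if event["dport"] else None  # ICMP has no port
    return event


def is_allowlisted(src: str) -> bool:
    """True when the source address falls inside an authorised scanner range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SCANNERS)


def detect_scans(lines: list[str]) -> list[dict]:
    """Return one alert per (source, scan type) that crosses a threshold inside the window."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    window: dict[str, deque] = defaultdict(deque)
    alerted: set[tuple[str, str]] = set()
    alerts: list[dict] = []
    for e in events:
        src = e["src"]
        if is_allowlisted(src):
            continue
        q = window[src]
        q.append(e)
        while (e["ts"] - q[0]["ts"]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # expire events that fell out of the sliding window
        hosts = {x["dst"] for x in q}
        if len(hosts) >= HOST_THRESHOLD and (src, "horizontal_sweep") not in alerted:
            alerted.add((src, "horizontal_sweep"))
            alerts.append({"src": src, "kind": "horizontal_sweep", "target": "*",
                           "count": len(hosts), "ts": e["ts"]})
        ports_by_host: dict[str, set[int]] = defaultdict(set)
        for x in q:
            if x["dport"] is not None:
                ports_by_host[x["dst"]].add(x["dport"])
        for dst, ports in ports_by_host.items():
            if len(ports) >= PORT_THRESHOLD and (src, dst) not in alerted:
                alerted.add((src, dst))
                alerts.append({"src": src, "kind": "vertical_scan", "target": dst,
                               "count": len(ports), "ts": e["ts"]})
    return alerts


def sample_logs() -> list[str]:
    """Constructed log lines: an ICMP sweep, a port scan, an allowlisted scanner, and noise."""
    base = datetime(2026, 3, 13, 9, 0, 0, tzinfo=timezone.utc)

    def stamp(sec: int) -> str:
        return (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i in range(1, 26):  # ping sweep of 25 hosts in 198.51.100.0/24
        lines.append(f"{stamp(i)} src=203.0.113.7 dst=198.51.100.{i} proto=icmp action=deny")
    for p in range(1, 21):  # 20 ports probed on a single host
        lines.append(f"{stamp(60 + p)} src=203.0.113.9 dst=198.51.100.5 proto=tcp dport={p} action=deny")
    for i in range(1, 26):  # the same sweep from an authorised scanner range
        lines.append(f"{stamp(120 + i)} src=192.0.2.10 dst=198.51.100.{i} proto=icmp action=deny")
    for i in range(5):  # benign client traffic to one web server
        lines.append(f"{stamp(200 + i)} src=203.0.113.50 dst=198.51.100.80 proto=tcp dport=443 action=allow")
    return lines


if __name__ == "__main__":
    for alert in detect_scans(sample_logs()):
        print(f"{alert['ts'].isoformat()} {alert['kind']} src={alert['src']} "
              f"target={alert['target']} count={alert['count']}")
```

# On the constructed input this raises two alerts (a horizontal sweep from 203.0.113.7 and a
# vertical scan from 203.0.113.9 against 198.51.100.5) and stays silent for the allowlisted
# scanner and the benign client. Thresholds are the main tuning knob: a single /24 sweep
# produces up to 254 distinct destinations, so HOST_THRESHOLD can be set well above what
# health checks and asset discovery from known management VLANs generate.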
