1. Home
  2. Techniques
  3. Enterprise
  4. Active Scanning
  5. Scanning IP Blocks

Active Scanning: Scanning IP Blocks

ID Name
T1595.001 Scanning IP Blocks
T1595.002 Vulnerability Scanning
T1595.003 Wordlist Scanning

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.

Adversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.[1] Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).

ID: T1595.001
Sub-technique of:  T1595
Tactic: Reconnaissance
Platforms: PRE
Contributors: Diego Sappa, Securonix
Version: 1.1
Created: 02 October 2020
Last Modified: 15 October 2024
Version Permalink

Procedure Examples

ID Name Description
G1003 Ember Bear

Ember Bear has targeted IP ranges for vulnerability scanning related to government and critical infrastructure organizations.[2]
G0139 TeamTNT

TeamTNT has scanned specific lists of target IP addresses.[3]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Monitoring the content of network traffic can help detect patterns associated with active scanning activities. This can include identifying repeated connection attempts, unusual scanning behaviors, or probing activity targeting multiple IP addresses across a network.
Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

References

  1. Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from a Botnet. Retrieved October 20, 2020.
  2. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  1. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.