1. Home
  2. ATT&CK Techniques
  3. T1595
  4. T1595.001
Reconnaissance

T1595.001: Scanning IP Blocks

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Adve...

T1595.001 · Sub-technique ·1 platforms ·2 groups

Description

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.

Adversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).

Subdomain Enumeration Tools

Read our in-depth pentesting guide related to this technique

Platforms

PRE

Mitigations (1)

Pre-compromiseM1056

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Threat Groups (2)

IDGroupContext
G1003Ember Bear[Ember Bear](https://attack.mitre.org/groups/G1003) has targeted IP ranges for vulnerability scanning related to government and critical infrastructur...
G0139TeamTNT[TeamTNT](https://attack.mitre.org/groups/G0139) has scanned specific lists of target IP addresses.(Citation: Trend Micro TeamTNT)

References

Frequently Asked Questions

What is T1595.001 (Scanning IP Blocks)?

T1595.001 is a MITRE ATT&CK technique named 'Scanning IP Blocks'. It belongs to the Reconnaissance tactic(s). Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Adve...

How can T1595.001 be detected?

Detection of T1595.001 (Scanning IP Blocks) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1595.001?

There are 1 documented mitigations for T1595.001. Key mitigations include: Pre-compromise.

Which threat groups use T1595.001?

Known threat groups using T1595.001 include: Ember Bear, TeamTNT.