Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
Adversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| action.malware.variety.Scan network | Scan or footprint network | related-to | T1595.001 | Active Scanning: Scanning IP Blocks |
| value_chain.targeting.variety.Organizational Information | Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target | related-to | T1595.001 | Active Scanning: Scanning IP Blocks |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1595.001 | Scanning IP Blocks |
| amazon_inspector | Amazon Inspector | technique_scores | T1595.001 | Scanning IP Blocks |
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1595.001 | Scanning IP Blocks |
| aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1595.001 | Scanning IP Blocks |
| aws_network_firewall | AWS Network Firewall | technique_scores | T1595.001 | Scanning IP Blocks |