T1595.001 Scanning IP Blocks Mappings

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.

Adversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Scan network Scan or footprint network related-to T1595.001 Active Scanning: Scanning IP Blocks
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1595.001 Active Scanning: Scanning IP Blocks
amazon_guardduty Amazon GuardDuty technique_scores T1595.001 Scanning IP Blocks
Comments
There are a few finding types offered by GuardDuty that flag this behavior: Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep.
References
    amazon_inspector Amazon Inspector technique_scores T1595.001 Scanning IP Blocks
    Comments
    The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial.
    References
      amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1595.001 Scanning IP Blocks
      Comments
      VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
      References
        aws_web_application_firewall AWS Web Application Firewall technique_scores T1595.001 Scanning IP Blocks
        Comments
        AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection. AWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet This is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.
        References
          aws_network_firewall AWS Network Firewall technique_scores T1595.001 Scanning IP Blocks
          Comments
          AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall.
          References