Cyber Pulse Academy

Latest News
Proactive Defense: Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions

Proactive Defense: Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions

CISA Flags Critical SolarWinds Web Help Desk RCE Bug Under Active Attack

CISA Flags Critical SolarWinds Web Help Desk RCE Bug Under Active Attack

DockerDash Vulnerability: Critical AI Flaw in Docker Desktop Enables Code Execution via Image Metadata

DockerDash Vulnerability: Critical AI Flaw in Docker Desktop Enables Code Execution via Image Metadata

When the Cloud Fails: Protecting Identity Systems from Widespread Outages

When the Cloud Fails: Protecting Identity Systems from Widespread Outages

Metro4Shell Under Fire: How Attackers Exploit CVE-2025-11953 in React Native Tooling

Metro4Shell Under Fire: How Attackers Exploit CVE-2025-11953 in React Native Tooling

APT28 Weaponizes Microsoft Office CVE-2026-21509: A Deep Dive into Operation Neusploit

APT28 Weaponizes Microsoft Office CVE-2026-21509: A Deep Dive into Operation Neusploit

Firefox’s One-Click AI Kill Switch: Master Your Generative AI Privacy

Firefox’s One-Click AI Kill Switch: Master Your Generative AI Privacy

Lotus Blossom’s Notepad++ Supply Chain Attack: A Deep Dive into the Chrysalis Backdoor

Lotus Blossom’s Notepad++ Supply Chain Attack: A Deep Dive into the Chrysalis Backdoor

341 Malicious ClawHub Skills Exposed in OpenClaw Supply Chain Attack

341 Malicious ClawHub Skills Exposed in OpenClaw Supply Chain Attack

Critical OpenClaw Remote Code Execution: One-Click Exploit Puts AI Assistants at Risk

Critical OpenClaw Remote Code Execution: One-Click Exploit Puts AI Assistants at Risk

NTLM Phase-Out: Microsoft’s 3-Stage Plan to Move Windows to Kerberos

NTLM Phase-Out: Microsoft’s 3-Stage Plan to Move Windows to Kerberos

Complete Mid-Market Threat Lifecycle Protection: A Beginner’s Blueprint to Outsmart Attackers

Complete Mid-Market Threat Lifecycle Protection: A Beginner’s Blueprint to Outsmart Attackers

Notepad++ Update Hijack: Critical Supply Chain Attack Exposed

Notepad++ Update Hijack: Critical Supply Chain Attack Exposed

eScan Update Server Breach: When Trusted Antivirus Updates Turn Into Malware

eScan Update Server Breach: When Trusted Antivirus Updates Turn Into Malware

Open VSX Supply Chain Attack: How a Compromised Dev Account Spread GlassWorm Malware to 22,000+ Users

Open VSX Supply Chain Attack: How a Compromised Dev Account Spread GlassWorm Malware to 22,000+ Users

Chainlit AI Framework Vulnerabilities Expose Data to File Read and SSRF Attacks

Chainlit AI Framework Vulnerabilities Expose Data to File Read and SSRF Attacks

AI-Assisted VoidLink Linux Malware Surpasses 88,000 Lines of Code

AI-Assisted VoidLink Linux Malware Surpasses 88,000 Lines of Code

LastPass Alerts Users to Fake Maintenance Scams After Master Passwords

LastPass Alerts Users to Fake Maintenance Scams After Master Passwords

CERT/CC warns binary-parser Bug Enables Node.js Privilege Escalation

CERT/CC warns binary-parser Bug Enables Node.js Privilege Escalation

Malicious VS Code Projects Used by North Korean Hackers to Target Developers

Malicious VS Code Projects Used by North Korean Hackers to Target Developers

Critical Vulnerabilities in Anthropic’s MCP Git Server Allow File Access and Code Execution

Critical Vulnerabilities in Anthropic’s MCP Git Server Allow File Access and Code Execution

LinkedIn Messages Deliver Malware Via DLL Sideloading

LinkedIn Messages Deliver Malware Via DLL Sideloading

The Unseen Danger of Abandoned Accounts

The Unseen Danger of Abandoned Accounts

VS Code Extensions Exploited by Evelyn Stealer for Data Theft

VS Code Extensions Exploited by Evelyn Stealer for Data Theft

Cloudflare Patches ACME Bug That Permitted WAF Bypass

Cloudflare Patches ACME Bug That Permitted WAF Bypass

Why JavaScript Bundles Continue to Leak Undiscovered Secrets

Why JavaScript Bundles Continue to Leak Undiscovered Secrets

Tudou Guarantee Halts Telegram Transactions, Having Handled More Than $12 Billion.

Tudou Guarantee Halts Telegram Transactions, Having Handled More Than $12 Billion.

Security Flaw in Google Gemini Allowed Access to Private Calendars via Fake Invites

Security Flaw in Google Gemini Allowed Access to Private Calendars via Fake Invites

The Hidden Toll of Cloud Downtime

The Hidden Toll of Cloud Downtime

StackWarp Flaw Bypasses AMD SEV-SNP on Zen 1–5 CPUs

StackWarp Flaw Bypasses AMD SEV-SNP on Zen 1–5 CPUs

Malicious Chrome extension spreads ModeloRAT via fake crash lures.

Malicious Chrome extension spreads ModeloRAT via fake crash lures.

StealC Panel Flaw Let Researchers Monitor Hackers

StealC Panel Flaw Let Researchers Monitor Hackers

Ransomware Leader Hunted Internationally via EU, INTERPOL Alerts

Ransomware Leader Hunted Internationally via EU, INTERPOL Alerts

OpenAI introduces ads for free U.S. ChatGPT users

OpenAI introduces ads for free U.S. ChatGPT users

GootLoader evades detection with hundreds of nested ZIP files.

GootLoader evades detection with hundreds of nested ZIP files.

Malicious Chrome Extensions Pose as Workday, NetSuite to Hijack Accounts

Malicious Chrome Extensions Pose as Workday, NetSuite to Hijack Accounts

Your Online Traces Can Reveal Your Home Address

Your Online Traces Can Reveal Your Home Address

LOTUSLITE Backdoor Targets U.S. Policy Groups with Venezuela-Themed Phishing

LOTUSLITE Backdoor Targets U.S. Policy Groups with Venezuela-Themed Phishing

China-Linked APT Breaches Critical Infrastructure via Sitecore Zero-Day

China-Linked APT Breaches Critical Infrastructure via Sitecore Zero-Day

China-Linked APT Exploits Cisco Zero-Day, Patched in Email Gateways

China-Linked APT Exploits Cisco Zero-Day, Patched in Email Gateways

AWS CodeBuild Misconfiguration Could Have Led to GitHub Supply Chain Attacks

AWS CodeBuild Misconfiguration Could Have Led to GitHub Supply Chain Attacks

Critical WordPress Modularity Plugin Under Active Attack for Full Site Takeover

Critical WordPress Modularity Plugin Under Active Attack for Full Site Takeover

Reprompt Attack Enables Single-Click Data Theft from Microsoft Copilot

Reprompt Attack Enables Single-Click Data Theft from Microsoft Copilot

Workflow Security, Not Model Security, Is the Critical Risk

Workflow Security, Not Model Security, Is the Critical Risk

Four Obsolete SOC Practices Increasing MTTR in 2026

Four Obsolete SOC Practices Increasing MTTR in 2026

Microsoft Takedown Dismantles RedVDS Criminal Network for Online Fraud

Microsoft Takedown Dismantles RedVDS Criminal Network for Online Fraud

Palo Alto Patches Critical DoS Flaw in GlobalProtect That Crashes Firewalls Pre-Authentication

Palo Alto Patches Critical DoS Flaw in GlobalProtect That Crashes Firewalls Pre-Authentication

Researchers Sinkhole Over 550 Kimwolf and Aisuru Botnet C2 Servers

Researchers Sinkhole Over 550 Kimwolf and Aisuru Botnet C2 Servers

AI Agents Emerge as New Authorization Bypass Threat

AI Agents Emerge as New Authorization Bypass Threat

Attackers Abuse c-ares DLL Side-Loading Vulnerability to Evade Defenses and Deploy Malware

Attackers Abuse c-ares DLL Side-Loading Vulnerability to Evade Defenses and Deploy Malware

Log In
Sign-Up

    End of Content.

    IP Addresses (T1590.005)

    Ultimate Guide to Gather Victim Network Information - IP Addresses: Attack & Defense

    Gather Victim IP Addresses involves collecting the public IP addresses associated with a target organization to map their external network presence, identify potential entry points, and plan subsequent attacks.

    ATT&CK ID T1590.005

    Tactics Reconnaissance

    Platforms PRE

    Difficulty 🟢 Easy

    Prevalence High

    Table of Contents

    Understanding Gather Victim IP Addresses in Simple Terms

    Imagine you're planning a heist on a secure corporate building. Before you even think about picking a lock, you'd spend days observing. You'd note the guard patrol schedules, the delivery truck routes, which doors are used by employees, and where the security cameras are blind spots. This is passive, legal observation from a distance.


    Gather Victim IP Addresses is the digital equivalent of this initial surveillance. Before any malware is sent or any exploit is attempted, an attacker needs to map out your organization's digital "building." They need to find all the public-facing doors and windows, your web servers, email servers, VPN gateways, and any other internet-connected assets, each identified by its unique IP address. This step is foundational, cheap, and often goes completely unnoticed by the target.


    White Label df9f1fcd ip addresses t1590.005 1

    Decoding the Jargon: Key Terms for Gather Victim IP Addresses

    Term Simple Definition Why It Matters Here
    IP Address (Internet Protocol Address) A unique numerical label assigned to every device connected to a network (like the internet). It's the digital equivalent of a street address. This is the primary data point the adversary is collecting. It's the identifier for your organization's online assets.
    Passive Reconnaissance Gathering information without directly interacting with the target's systems. Think: reading public records, not knocking on the door. Gather Victim IP Addresses is almost exclusively passive. It uses publicly available data, making it hard to detect and completely legal.
    Autonomous System Number (ASN) A unique number assigned to a large network or ISP (like a "neighborhood" on the internet). Blocks of IP addresses belong to specific ASNs. Attackers can query an organization's ASN to find ALL IP ranges registered to them, massively speeding up the discovery process.
    BGP (Border Gateway Protocol) The "postal system" of the internet that determines how data packets are routed between large networks. Public BGP routing tables are a goldmine for discovering which IP ranges are announced (owned) by a specific organization.
    Attack Surface The total sum of all possible points (like IPs, domains, apps) where an unauthorized user can try to enter your digital environment. Each discovered public IP address represents a potential entry point, thus expanding the known attack surface.

    The Attacker's Playbook: Executing Gather Victim IP Addresses

    Step-by-Step Breakdown

    A systematic attacker doesn't just guess IPs. They follow a logical, layered process to build a comprehensive map.

    1. Start with the Obvious: Use the organization's known website domain. Simple DNS lookups (like `nslookup` or `dig`) reveal the primary web server IPs.
    2. Find the Network "Neighborhood" (ASN): Use tools like whois or online databases to find the ASN(s) registered to the target company or their ISP.
    3. Enumerate the IP Range: Query public BGP databases (e.g., BGPView, Hurricane Electric BGP Toolkit) to list ALL IP address blocks associated with the discovered ASN. This often reveals forgotten or shadow IT infrastructure.
    4. Expand via Passive DNS: Services like SecurityTrails or VirusTotal Passive DNS show historical and current DNS records, linking more domains and subdomains to the discovered IPs, which may lead to discovering more IPs.
    5. Scan & Fingerprint: With a target list of IPs, perform light, non-intrusive scans (e.g., TCP SYN to port 443) to verify which IPs are live and what service might be running, without triggering aggressive alarms.

    Red Team Analogy & Mindset

    Think like a real estate developer scouting a city block. You don't just look at the building you're interested in. You pull all the public property records (ASN/BGP), you note every structure on the block (IP range), you see which ones have lights on at night (live hosts), and you observe traffic patterns to and from each building (passive DNS). Your goal isn't to break in yet, it's to create the most accurate map possible so you can plan the most effective entry point later. Every piece of data is a potential vulnerability: an old, unmaintained building (legacy server) is a more attractive target than a new, secure skyscraper (modern, patched web server).

    Tools & Command-Line Examples

    • AMass / Subfinder: Passive enumeration tools that aggregate data from dozens of public sources to find subdomains and their associated IPs.
    • Shodan / Censys: Search engines for internet-connected devices. An attacker can search by organization name, ASN, or netblock to find devices, open ports, and service banners.
    • BGP Tools (bgp.he.net): Web-based interfaces to query which IP prefixes are announced by an ASN.

    Command-Line Snippet (Example - Passive Discovery):

    # Step 1: Get ASN for target company (using whois)
whois -h whois.radb.net ' -i origin ACME-CORP' | grep -E "route:|route6:"

# Step 2: Use the ASN (e.g., AS12345) to get all IP ranges via a BGP tool (curl example)
curl -s "https://api.bgpview.io/asn/12345/prefixes" | jq '.data.ipv4_prefixes[].prefix'

# Step 3: Passive subdomain enumeration linked to IPs (using amass)
amass enum -passive -d acme-corp.com -o subdomains.txt

    Real-World Campaign Example

    The APT29 (Cozy Bear, associated with Russian intelligence) is a master of extensive reconnaissance. In campaigns targeting government and think-tank networks, their initial activity heavily involves gathering victim IP addresses and network information. They use this data to identify targets for later spear-phishing campaigns and to tailor their malware infrastructure to blend in with the victim's environment.

    Source: For detailed analysis, see the joint advisory from CISA and partners: "Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations" which details APT29's reconnaissance tradecraft.

    The Defender's Handbook: Stopping Gather Victim IP Addresses

    Blue Team Analogy & Detection Philosophy

    You can't stop someone from looking at your public property records. The defense isn't about preventing the reconnaissance; it's about managing your attack surface. Think like a security-conscious property manager. Your job is to ensure that every public-facing door (IP address) is documented, necessary, and as secure as possible. You regularly audit your property portfolio (IP inventory) to find and decommission forgotten sheds in the back (unused public IPs). You assume the adversary has your map, so you focus on fortifying the doors they'll find.

    SOC Reality Check: What to Look For

    Direct detection of passive IP gathering is nearly impossible, no logs are generated on your end. The blue team's focus shifts to the next steps and managing exposure.

    • Noise vs. Signal: You won't get an alert titled "Attacker Looked Up Your IP." The signal comes later: an increase in scanning activity from new sources against your IP ranges, or targeted phishing using the discovered infrastructure details.
    • Actionable Intelligence: Correlate external threat intelligence feeds that might report your organization's IPs being queried in malware C2 infrastructure or discussed on underground forums.

    Threat Hunter's Eye: Practical Query

    While you can't see the IP lookup, you can hunt for the initial active probing that almost always follows. Here is a Sigma rule to detect scanning activity that maps to the Gather Victim IP Addresses and subsequent discovery phase.

    # Sigma Rule: Reconnaissance - Mass Port Scan from Single Source
# Maps to ATT&CK: T1590.005 (Gather Victim IP Addresses) -> T1595 (Active Scanning)
# This rule looks for a single source IP hitting many different destination IPs on a common port (like 443) in a short time.
title: Mass Port Scan from Single Source
id: 7a8b9c0d-1e2f-4a3b-5c6d-7e8f9a0b1c2d
status: experimental
description: Detects a potential reconnaissance scan where one source connects to many distinct internal IPs on a specific port.
references:
    - https://attack.mitre.org/techniques/T1590/005/
author: Blue Team Field Manual
date: 2024-05-17
logsource:
    category: firewall
    product: paloalto
detection:
    selection:
        action: allow
        dst_port: 443
    timeframe: 5m
    condition: selection | count(dst_ip) by src_ip > 50
falsepositives:
    - Legitimate security scanners
    - CDN or cloud service traffic
level: low

    Key Data Sources for Detection

    • Firewall/Network Perimeter Logs: To detect the active scanning that follows IP gathering.
    • DNS Query Logs: While passive DNS lookups can't be seen, monitoring for unusual internal DNS queries to your own domains might indicate an insider or compromised asset performing reconnaissance.
    • External Threat Intelligence Feeds: Services that alert you if your company's IPs or ASN appear in suspicious contexts.
    • Asset & Inventory Management Systems: Your authoritative source of truth for what public IPs you should have.

    Building Resilience: Mitigation Strategies for Gather Victim IP Addresses

    Actionable Mitigation Controls

    Convert MITRE's general guidance into concrete actions your team can take.

    • M1053: Data Minimization
      • Action: Conduct quarterly attack surface discovery audits. Use tools like Shodan or Censys on your own organization. Compare the results with your CMDB. Decommission any public-facing asset (IP, server, service) that is unauthorized or no longer needed.
    • M1056: Pre-compromise
      • Action: Implement a rigorous change control process for public IP space. No new public IPs can be provisioned (in cloud or on-prem) without a ticket that auto-updates the central asset inventory.
    • M1056: Vulnerability Scanning (Proactive Defense)
      • Action: Run credentialed, non-intrusive vulnerability scans against your known public IP range weekly. Patch critical findings within SLA. This assumes the attacker has your map and is looking for the same vulnerabilities.

    Red vs. Blue: A Quick Comparison

    Attacker Goal (Red Team) Defender Action (Blue Team)
    Find all public IPs belonging to the target. Maintain a complete and accurate inventory of authorized public IPs.
    Identify forgotten, unpatched servers in the IP range. Perform regular attack surface audits to find and secure or decommission unknown assets.
    Use IP info to tailor phishing lures or identify VPN endpoints. Implement strong MFA on all external access points and conduct user awareness training.
    Map the network to plan the next attack phase (Initial Access). Assume the map is known; focus on hardening and monitoring all public-facing assets.

    Gather Victim IP Addresses Cheat Sheet

    🔴

    Red Flag

    Your organization's IP ranges appearing in uncategorized or malicious threat intelligence reports. Sudden spikes in scanning traffic from diverse sources against your IP space, especially on common service ports (22, 443, 3389).

    🛡️

    Blue's Best Move

    Conduct a monthly "Google yourself" exercise. Use Shodan, Censys, and whois on your own company name and ASN. Any asset you find that isn't in your CMDB is a risk and must be addressed immediately. Encrypt and update relentlessly.

    🔍

    Hunt Here

    Firewall logs for sources connecting to a high number (>50) of your internal IPs on the same port within a short timeframe (5-10 minutes). This is the active verification scan that follows passive IP gathering.

    📚

    Learn More

    Official MITRE Page: T1590.005 - Gather Victim IP Addresses
    External Deep Dive: SANS Blog: Attack Surface Mapping Before the Attack

    Conclusion and Next Steps

    Gather Victim IP Addresses (T1590.005) is the quiet, foundational step of a modern cyber attack. You cannot stop it, but you can render it far less useful to the adversary. The defender's power lies in rigorous attack surface management, comprehensive asset inventory, and the assumption that your public IP map is already in the hands of threat actors.


    Your Action Plan:

    1. Audit: This week, spend 30 minutes using a public tool like Shodan.io to search for your organization. Document any surprises.
    2. Inventory: Ensure your CMDB or asset management system is the single source of truth for public IPs.
    3. Hunt: Implement the Sigma rule or a similar query in your SIEM to baseline and then monitor for mass scanning patterns.

    IP Addresses

    DONATE · SUPPORT

    We keep threat intelligence free. No paywalls, no ads. Your donation directly funds server infrastructure, research, and tools. Every contribution - no matter the size - makes this platform sustainable.
    100% of your support goes to the platform. No corporate sponsors, just the community.
    ROOT::DONATE
    • Cyber Pulse Academy
    • February 13, 2026
    • No Comments

    Leave a Comment

    Your email address will not be published. Required fields are marked *

    Ask ChatGPT
    Set ChatGPT API key
    Find your Secret API key in your ChatGPT User settings and paste it here to connect ChatGPT with your Courses LMS website.

    Accelerate Cyber Pulse Academy

    Join us in revolutionizing cybersecurity education.
    Your contribution directly funds:
    Certification Courses
    Hands-On Labs
    Threat Intelligence
    Latest Cyber News
    MITRE ATT&CK Breakdown
    All Cyber Keywords

    Every contribution moves us closer to our goal: making world-class cybersecurity education accessible to ALL.

    Choose the amount of donation by yourself.

    Every contribution helps us deliver better cybersecurity education, faster