DET0815: Detection of IP Addresses
Analyst context for executives and security teams
DET0815 is a MITRE ATT&CK detection strategy for activity related to adversaries gathering a victim organization’s IP addresses. Even though the strategy has no official detection text or platform guidance supplied, the linked technique matters because public IP address information can help an adversary understand an organization’s external footprint before targeting.
Executive priority
Treat this as an external exposure and reconnaissance visibility question, not as proof of compromise. Leaders should ask whether the organization knows its assigned and publicly reachable IP space, can evidence ownership and usage of that space, and has a process to spot unusual interest in internet-facing assets. This supports resilience, vulnerability prioritization, incident scoping, and audit discussions around attack surface management.
Technical view
The only supplied relationship is that DET0815 detects T1590.005: IP Addresses, under reconnaissance on PRE platforms. SOC and detection teams should validate whether they can observe and contextualize activity involving public IP enumeration or lookup of organizational address ranges using available external-facing telemetry and asset inventory. Because MITRE provides no official detection logic for this detection strategy, local detection design should be based on known owned IP ranges, expected scanning/research activity, and correlation with related reconnaissance indicators rather than a single alert condition.
Likely telemetry
- Authoritative inventory of organization-owned or assigned public IP ranges
- External attack surface management or internet-facing asset inventory data
- Perimeter and cloud edge logs where available for public-facing services
- DNS, certificate, and registration context used to map public infrastructure
- Threat intelligence or external monitoring observations referencing organizational IP ranges
Detection direction
- Validate that owned public IP ranges are complete, current, and mapped to business owners before building alerts.
- Baseline expected external scanning, security research, and vendor assessment activity to reduce false positives.
- Look for unusual or repeated interest in organizational IP ranges when correlated with other reconnaissance signals, rather than treating any lookup as malicious.
- Confirm visibility gaps for cloud-hosted, third-party-managed, newly allocated, or abandoned public IP addresses.
- Because ATT&CK supplies no official detection text, document local assumptions, data sources, and alert thresholds as part of detection engineering evidence.
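The direction above (inventory first, baseline expected sources, then alert only on repeated interest correlated across signal types, while surfacing targets the inventory cannot explain) can be exercised as a small triage routine. This is an added example, not ATT&CK or Glexia content; the ranges, source labels and observations are constructed, and the thresholds are assumptions a team would tune locally.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory of owned public ranges (hypothetical values).
OWNED_RANGES = {
    ip_network("203.0.113.0/24"): {"owner": "web-platform", "status": "active"},
    ip_network("198.51.100.0/26"): {"owner": "cloud-edge", "status": "active"},
}
# Baselined sources whose interest is expected (vendor assessment, research).
EXPECTED_SOURCES = {"vendor-assessment-1", "research-scanner-a"}
# Alert only when a source repeats AND shows more than one recon signal type.
MIN_EVENTS, MIN_KINDS = 3, 2

def classify(observations):
    """Return (alerts, gaps): alerts are sources showing correlated interest
    in owned ranges; gaps are targets the inventory cannot explain."""
    by_source = defaultdict(lambda: {"ranges": set(), "kinds": set(), "n": 0})
    gaps = set()
    for obs in observations:
        target = ip_address(obs["target"])
        net = next((n for n in OWNED_RANGES if target in n), None)
        if net is None:
            gaps.add(obs["target"])  # unknown to inventory: visibility gap
            continue
        if obs["source"] in EXPECTED_SOURCES:
            continue  # baselined activity, not interesting on its own
        entry = by_source[obs["source"]]
        entry["ranges"].add(str(net))
        entry["kinds"].add(obs["kind"])
        entry["n"] += 1
    alerts = {}
    for src, e in by_source.items():
        if e["n"] >= MIN_EVENTS and len(e["kinds"]) >= MIN_KINDS:
            ranges = sorted(e["ranges"])
            alerts[src] = {"events": e["n"], "kinds": sorted(e["kinds"]),
                           "ranges": ranges,  # map hits back to business owners
                           "owners": [OWNED_RANGES[ip_network(r)]["owner"] for r in ranges]}
    return alerts, sorted(gaps)

# Constructed observations: a single-signal repeat source (src-x), a correlated
# source (src-y), a baselined vendor, and a target missing from inventory.
SAMPLE = [
    {"source": "vendor-assessment-1", "target": "203.0.113.10", "kind": "scan"},
    {"source": "src-x", "target": "203.0.113.10", "kind": "scan"},
    {"source": "src-x", "target": "203.0.113.11", "kind": "scan"},
    {"source": "src-x", "target": "203.0.113.12", "kind": "scan"},
    {"source": "src-y", "target": "203.0.113.20", "kind": "scan"},
    {"source": "src-y", "target": "198.51.100.5", "kind": "whois-lookup"},
    {"source": "src-y", "target": "198.51.100.7", "kind": "cert-enum"},
    {"source": "src-z", "target": "192.0.2.9", "kind": "scan"},
]
```

Running `classify(SAMPLE)` yields one alert (src-y, which touched both owned ranges with three different signal types) and one inventory gap (192.0.2.9); src-x repeats but with a single signal type, so it stays below the alert bar.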
Mitigation priorities
- Maintain an authoritative inventory of public IP allocations and associated systems, owners, and exposure status.
- Prioritize remediation of unnecessary or vulnerable services on internet-facing addresses.
- Align external attack surface management with vulnerability management and incident response scoping processes.
- Review cloud and third-party processes that may create public IP exposure outside normal change control.
- Use detection outputs as early warning and triage context, not as standalone confirmation of adversary activity.
Analyst notes and limits
This object is a detection strategy, not a technique. Its practical value comes from its relationship to T1590.005, where adversaries may gather victim IP addresses during reconnaissance. The ATT&CK fields provided do not include official detection guidance, platforms, tactics for the detection strategy itself, or implementation detail, so local environment evidence is essential.
No official description or detection text was supplied for DET0815. Platforms and tactics are not specified for the detection strategy. The only relationship provided is to T1590.005, so this take is limited to defensive interpretation of IP-address-focused reconnaissance and should not be read as evidence of active exploitation or guaranteed detection coverage.
Detection of IP Addresses
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1590.005 | IP Addresses Sub-technique | This object detects IP Addresses. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0f72de25a641… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0815
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.