MITRE ATT&CK® Technique

T1590.005: IP Addresses

Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).[1][2][3] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).

Domain: Enterprise | ID: T1590.005 | Type: Sub-technique | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

IP address discovery matters because public address ranges often define the first map an adversary builds of an organization before attempting scanning, infrastructure preparation, or access to exposed services. For leaders, the practical issue is not that IP addresses are secret; it is whether the organization knows what its public IP footprint reveals and can prove that exposed infrastructure is inventoried, owned, and monitored.

Executive priority

Treat this as an external attack-surface governance issue. Security leaders should ask whether public IP ranges, hosted infrastructure, and externally reachable services are current in asset inventories and whether changes are reviewed before they create unmanaged exposure. This also supports audit and incident readiness: when reconnaissance is suspected, teams need authoritative IP ownership, hosting, DNS, and service context quickly.

Technical view

This is a PRE-platform reconnaissance sub-technique under Gather Victim Network Information. ATT&CK provides no official detection text, but relationship context includes DET0815 and mitigation M1056 Pre-compromise. SOC and IR teams should validate visibility around public IP ownership, DNS/passive DNS exposure, external service enumeration, and inbound scanning against known address ranges. Because much collection can occur through public datasets such as WHOIS, DNS Dumpster, and passive DNS, internal telemetry alone will not show the full activity.

Likely telemetry

  • Authoritative external asset inventory for public IP ranges and cloud/hosting assignments
  • WHOIS/RIR allocation and registration records
  • DNS and passive DNS records tied to public infrastructure
  • External attack-surface management or approved scanning results
  • Firewall, IDS/IPS, netflow, and web access logs for inbound reconnaissance against public IPs

Detection direction

  • Start by validating the organization’s known public IP ranges against public records and passive DNS sources; gaps are often more important than alerts.
  • Tune detections for unusual or repeated inbound enumeration across public ranges while accounting for benign internet scanning, search engines, researchers, and approved vulnerability scanning.
  • Correlate IP-address-focused reconnaissance with related ATT&CK context: Active Scanning, Search Open Technical Databases, Search Open Websites/Domains, Acquire Infrastructure, Compromise Infrastructure, and External Remote Services.
  • Use DET0815 as the ATT&CK-linked detection strategy reference, but require local implementation details because no official detection logic is supplied in the object.
  • Preserve context on which public IPs host critical services so SOC triage can distinguish low-value noise from reconnaissance touching business-critical exposure.
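
The following is an added example (not Glexia or ATT&CK content) of the detection direction above: it parses constructed firewall log lines, counts how many distinct hosts inside the organization's known public ranges each external source has touched, and suppresses sources on an approved-scanner allowlist. The log format, the ranges (RFC 5737 documentation prefixes), the scanner address and the threshold are all assumptions made for the illustration.

```python
"""Flag external sources that enumerate many distinct hosts across the
organization's public IP ranges, skipping approved scanners.

Added illustration, not ATT&CK or Glexia content. All ranges, addresses and
log lines below are constructed (RFC 5737 documentation prefixes).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the organization's authoritative public ranges from its asset inventory.
PUBLIC_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed: approved external vulnerability-scanner address excluded from alerting.
APPROVED_SCANNERS = {ip_address("192.0.2.10")}

# Constructed firewall log lines in an assumed "<timestamp> <action> <src> <dst> <dport>" format.
SAMPLE_LOGS = """\
2024-11-17T10:00:01Z DENY 192.0.2.55 203.0.113.1 443
2024-11-17T10:00:02Z DENY 192.0.2.55 203.0.113.2 443
2024-11-17T10:00:03Z DENY 192.0.2.55 203.0.113.3 443
2024-11-17T10:00:04Z DENY 192.0.2.55 203.0.113.4 22
2024-11-17T10:00:05Z DENY 192.0.2.55 203.0.113.5 22
2024-11-17T10:00:06Z ALLOW 192.0.2.55 203.0.113.6 443
2024-11-17T10:01:00Z ALLOW 192.0.2.10 203.0.113.1 443
2024-11-17T10:01:01Z ALLOW 192.0.2.10 203.0.113.2 443
2024-11-17T10:01:02Z ALLOW 192.0.2.10 203.0.113.3 443
2024-11-17T10:01:03Z ALLOW 192.0.2.10 203.0.113.4 443
2024-11-17T10:01:04Z ALLOW 192.0.2.10 203.0.113.5 443
2024-11-17T10:02:00Z ALLOW 192.0.2.77 203.0.113.8 443
2024-11-17T10:02:01Z ALLOW 192.0.2.77 203.0.113.8 443
2024-11-17T10:03:00Z ALLOW 203.0.113.9 192.0.2.99 443
this line is malformed and must be skipped
"""


def in_public_ranges(ip):
    """True when the address falls inside one of the inventoried public ranges."""
    return any(ip in net for net in PUBLIC_RANGES)


def parse_log(text):
    """Parse the constructed log format into (ts, action, src, dst, dport) tuples.

    Malformed lines are skipped rather than aborting the whole run, which is
    the behaviour a detection pipeline needs when fed mixed-quality logs.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, action, src, dst, dport = parts
        try:
            events.append((ts, action, ip_address(src), ip_address(dst), int(dport)))
        except ValueError:
            continue
    return events


def find_enumerating_sources(events, threshold=5, allowlist=APPROVED_SCANNERS):
    """Return {source: [distinct targets]} for sources that touched at least
    `threshold` distinct hosts inside the public ranges.

    Only the destination being inside PUBLIC_RANGES matters here: both DENY
    and ALLOW events count, because enumeration succeeds either way.
    Sources in the allowlist (approved scanners) are never reported.
    """
    targets = defaultdict(set)
    for _ts, _action, src, dst, _dport in events:
        if src in allowlist or not in_public_ranges(dst):
            continue
        targets[src].add(dst)
    return {
        str(src): [str(d) for d in sorted(dsts)]
        for src, dsts in targets.items()
        if len(dsts) >= threshold
    }


if __name__ == "__main__":
    for src, hosts in find_enumerating_sources(parse_log(SAMPLE_LOGS)).items():
        print(f"{src} enumerated {len(hosts)} public hosts: {', '.join(hosts)}")
```

In production the distinct-target count would be kept per time window and the allowlist would be fed from the same inventory that records approved scanning, so that a scanner address change does not silently start producing alerts.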

Mitigation priorities

  • Implement M1056 Pre-compromise measures by reducing unnecessary public information and external exposure where practical.
  • Maintain an authoritative inventory of public IP ranges, hosted services, DNS mappings, and responsible owners.
  • Regularly compare internal inventories with public datasets to identify unknown, abandoned, or misattributed infrastructure.
  • Prioritize hardening and monitoring of exposed services that could support follow-on initial access, including externally reachable remote services.
  • Prepare IR playbooks that can quickly answer who owns an IP, what it hosts, whether it is monitored, and what recent inbound activity occurred.
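
The following is an added example (not Glexia or ATT&CK content) that serves both the first detection-direction item above (validating known public ranges against public records and passive DNS) and the mitigation item on comparing internal inventories with public datasets. It takes a constructed internal inventory of ranges and owners, a constructed registry-style view of which ranges are attributed to the organization, and constructed passive-DNS style hostname-to-IP observations, and reports allocated space with no owner, hosts in attributed space that nobody has inventoried, and hostnames resolving to space the organization does not own. The inventory format and all addresses are assumptions made for the illustration.

```python
"""Reconcile an internal public-IP inventory with externally observable records.

Added illustration, not ATT&CK or Glexia content. The inventory shape, the
registry-style allocations and the passive-DNS style observations are all
constructed (RFC 5737 documentation prefixes and example.com names).
"""
from ipaddress import ip_address, ip_network

# Constructed internal inventory: public range -> responsible owner.
INVENTORY = {
    "203.0.113.0/24": "web-platform",
    "198.51.100.0/25": "vpn-gateway",
}

# Constructed "public dataset" view: ranges a registry-style lookup attributes to the org.
REGISTRY_ALLOCATIONS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed passive-DNS style observations: (hostname, resolved address).
DNS_OBSERVATIONS = [
    ("www.example.com", "203.0.113.10"),
    ("vpn.example.com", "198.51.100.5"),
    ("old-demo.example.com", "198.51.100.200"),  # attributed to org, but no inventory owner
    ("blog.example.com", "192.0.2.44"),          # resolves outside any org-attributed range
]


def subtract(nets, covered):
    """Remove the `covered` network from each network in `nets`, splitting where needed."""
    out = []
    for net in nets:
        if net.subnet_of(covered):
            continue                                  # fully covered by inventory
        if covered.subnet_of(net):
            out.extend(net.address_exclude(covered))  # carve out the covered part
        else:
            out.append(net)                           # disjoint, keep as-is
    return out


def owner_of(ip, inventory):
    """Return the inventory owner for an address, or None when no range covers it."""
    for cidr, team in inventory.items():
        if ip in ip_network(cidr):
            return team
    return None


def reconcile(inventory=INVENTORY, allocations=REGISTRY_ALLOCATIONS,
              observations=DNS_OBSERVATIONS):
    """Compare inventory against public allocations and DNS observations.

    Returns a dict with:
      uninventoried_allocations: org-attributed space no inventory range covers
      inventoried_hosts:         (host, ip, owner) for hosts with a known owner
      unknown_hosts:             (host, ip) inside org-attributed space but unowned
      external_hosts:            (host, ip) resolving outside org-attributed space
    """
    inv_nets = [ip_network(c) for c in inventory]
    alloc_nets = [ip_network(c) for c in allocations]

    # 1. Allocated-but-uninventoried space: start from each allocation and
    #    subtract every inventory range.
    uncovered = list(alloc_nets)
    for inv in inv_nets:
        uncovered = subtract(uncovered, inv)

    report = {
        "uninventoried_allocations": sorted(str(n) for n in uncovered),
        "inventoried_hosts": [],
        "unknown_hosts": [],
        "external_hosts": [],
    }

    # 2. Classify every observed hostname by where its address lands.
    for host, addr in observations:
        ip = ip_address(addr)
        owner = owner_of(ip, inventory)
        if owner is not None:
            report["inventoried_hosts"].append((host, addr, owner))
        elif any(ip in net for net in alloc_nets):
            report["unknown_hosts"].append((host, addr))
        else:
            report["external_hosts"].append((host, addr))
    return report


if __name__ == "__main__":
    for key, rows in reconcile().items():
        print(f"{key}: {rows}")
```

The gaps this surfaces are the ones the analyst text calls more important than alerts: `uninventoried_allocations` is space the organization is publicly responsible for but nobody owns internally, and `external_hosts` are names under the organization's domain that point at infrastructure it cannot monitor, which is where abandoned or third-party-hosted records tend to show up.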

Analyst notes and limits

Relationship context shows use by Magic Hound, HAFNIUM, and Andariel, but this should be interpreted as evidence that the behavior is relevant to known threat reporting, not as proof of current targeting. The main decision value is improving external attack-surface awareness before reconnaissance becomes exploitation.

ATT&CK does not provide official detection guidance for this object, and much of the activity may occur entirely through public sources outside defender-controlled telemetry. Local asset ownership, DNS, hosting, logging, and exposure data are required to assess coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      | ID     | Name                               | Relationship / procedure
Enterprise  | T1590  | Gather Victim Network Information  | This object is a sub-technique of Gather Victim Network Information.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0138: Andariel

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5]

Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Group Enterprise

G0059: Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

Group Enterprise

G0125: HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 320c6299cdb3f6b5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 320c6299cdb3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] NTT America. (n.d.). Whois Lookup (WHOIS). Retrieved November 17, 2024.
  [2] Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
  [3] CIRCL Computer Incident Response Center. (n.d.). Passive DNS (Circl Passive DNS). Retrieved October 20, 2020.
  [4] mitre-attack. T1590.005.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.