Full Report
GreyNoise Labs has launched a free tool called GreyNoise IP Check that lets users check if their IP address has been observed in malicious scanning operations, like botnet and residential proxy networks. [...]
Analysis Summary
# Tool/Technique: GreyNoise IP Check
## Overview
GreyNoise IP Check is a free tool launched by GreyNoise Labs designed to allow users to determine if their public IP address has been observed participating in malicious scanning operations, such as those originating from botnets or residential proxy networks. Its purpose is to provide a non-intrusive way for organizations and individuals to check if their network is unknowingly being used for malicious activities.
## Technical Details
- Type: Tool
- Platform: Internet-facing IP addresses (checked via a web interface or API)
- Capabilities: Checks IP reputation against GreyNoise's observations of malicious scanning activity; provides a 90-day historical timeline of observed activity.
- First Seen: November 27, 2025 (Based on article date)
## MITRE ATT&CK Mapping
This tool is focused on **detection and defensive visibility** regarding precursor scanning activity. The underlying activity it detects maps primarily to reconnaissance and infrastructure usage:
- **TA0043 - C2 Infrastructure (Related to botnets/proxies)**
- T1595 - Active Scanning
- T1595.002 - Internet Wide Scanning
- **TA0011 - Command and Control (Related to botnet participation)**
- T1071 - Application Layer Protocol (If the scanning uses HTTP/S)
## Functionality
### Core Capabilities
- **IP Reputation Check:** Assesses an IP address against GreyNoise's collected data, resulting in one of three statuses: 'Clean', 'Malicious/Suspicious', or 'Common Business Service'.
- **Historical Context:** Provides a 90-day timeline of observed malicious scanning activity associated with the IP, aiding in correlation with potential infection events.
### Advanced Features
- **JSON API Access:** Offers an unauthenticated, rate-limit-free JSON API for technical users to integrate scanning checks into automated scripts or internal monitoring systems.
- **Correlation Guidance:** Helps users correlate suspicious scanning activity with preceding events (e.g., installation of specific software) to pinpoint infection sources.
## Indicators of Compromise
*Note: GreyNoise IP Check is a passive, defensive tool. The "indicators" below describe what the tool reports when it flags an IP, not IoCs generated by the tool itself.*
- File Hashes: N/A (Tool checks IP reputation, not file artifacts)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The results indicate that the IP *matches* patterns associated with traffic from compromised devices or scanning infrastructure.
- Behavioral Indicators: Detected scanning behavior associated with botnets or residential proxy operations.
## Associated Threat Actors
Threat actors or groups leveraging infrastructure that uses compromised end-user devices as **exit points** for malicious traffic (e.g., Botnet operators, operators of residential proxy services).
## Detection Methods
- **GreyNoise IP Check:** Direct checking via the web portal or API.
- **Follow-up after a positive result:** Users whose IP is flagged as 'Malicious/Suspicious' are advised to run malware scans on their local devices to locate the source of the scanning traffic.
## Mitigation Strategies
Based on a 'Malicious/Suspicious' finding:
1. **Investigate Local Devices:** Run malware scans on all devices on the network, prioritizing routers and smart devices (e.g., IoT).
2. **Update Firmware:** Ensure all devices are running the latest available firmware.
3. **Credential Management:** Change administrative credentials for network devices.
4. **Disable Unnecessary Remote Access:** Turn off remote access features if they are not actively required.
## Related Tools/Techniques
- Endpoint detection and malware analysis tools used to locate the infected device once an IP has been flagged.
- Services that provide firewall or network monitoring for persistent scanning/C2 traffic.