T1595.003 Wordlist Scanning Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1595.003 wordlist scanning over IIS logs (W3CIISLog), last 24 hours.
// Two independent branches are unioned into one result set with identical columns:
//   1. requests whose User-Agent contains a known scanning-tool name
//   2. sources producing a high volume of distinct 404/403 responses within one hour
// A source that matches both branches appears once per branch.
let ScannerUserAgents = dynamic([
    "gobuster", "DirBuster", "dirbuster", "feroxbuster", "ffuf",
    "wfuzz", "nikto", "dirsearch", "nuclei", "wapiti", "skipfish",
    "s3recon", "GCPBucketBrute", "dirfuzz", "dirb/", "sqlmap",
    "w3af", "whatweb", "commix", "nmap scripting"
]);
// Branch 1: Known scanning tool User-Agent strings in IIS web server logs
let UADetection = W3CIISLog
| where TimeGenerated > ago(24h)
| where csUserAgent has_any (ScannerUserAgents)
| summarize
    RequestCount = count(),
    UniqueUris = dcount(csUriStem),
    Errors404 = countif(scStatus == 404),
    Errors403 = countif(scStatus == 403),
    SamplePaths = make_set(csUriStem, 15),
    FirstRequest = min(TimeGenerated),
    LastRequest = max(TimeGenerated)
  by cIP, csHost, csUserAgent, sSiteName
| extend ScanDurationMinutes = datetime_diff('minute', LastRequest, FirstRequest)
| extend DetectionType = "KnownScannerUserAgent", SuspicionScore = 3
| project FirstRequest, LastRequest, cIP, csHost, csUserAgent, RequestCount, UniqueUris,
          Errors404, Errors403, SamplePaths, ScanDurationMinutes, DetectionType, SuspicionScore;
// Branch 2: High-volume 404/403 responses from single source IP (wordlist enumeration pattern)
// Counted per one-hour bin so a slow trickle of errors over a day does not trip the threshold.
let VolumeDetection = W3CIISLog
| where TimeGenerated > ago(24h)
| where scStatus in (404, 403)
| summarize
    RequestCount = count(),
    UniqueUris = dcount(csUriStem),
    Errors404 = countif(scStatus == 404),
    Errors403 = countif(scStatus == 403),
    SamplePaths = make_set(csUriStem, 15),
    FirstRequest = min(TimeGenerated),
    LastRequest = max(TimeGenerated)
  by cIP, csHost, sSiteName, HourBin = bin(TimeGenerated, 1h)
| where RequestCount > 200 and UniqueUris > 100
// Measure the real burst length inside the hour bin instead of reporting a fixed 60 minutes,
// so this column means the same thing in both branches.
| extend ScanDurationMinutes = datetime_diff('minute', LastRequest, FirstRequest)
// The summarize above does not group by User-Agent, so a placeholder keeps the union schema aligned.
| extend csUserAgent = "Unknown/Multiple"
| extend DetectionType = "HighVolume404Pattern", SuspicionScore = 2
| project FirstRequest, LastRequest, cIP, csHost, csUserAgent, RequestCount, UniqueUris,
          Errors404, Errors403, SamplePaths, ScanDurationMinutes, DetectionType, SuspicionScore;
union UADetection, VolumeDetection
| sort by FirstRequest desc

medium severity medium confidence

Data Sources

Application Log: Application Log Content; Network Traffic: Network Traffic Content; Microsoft IIS Web Server Logs (W3CIISLog)

Required Tables

W3CIISLog

False Positives

Internal vulnerability scanners (Nessus, Qualys, Tenable, Rapid7) running authorized scans from known IPs with recognizable User-Agent strings
Authorized penetration testing engagements by third-party firms using gobuster, ffuf, DirBuster, or similar tools
Legitimate SEO crawlers, web archival bots (archive.org), or monitoring services that probe large numbers of URLs and generate 404s
CI/CD pipeline integration tests or automated health checks that probe non-existent endpoints at high frequency
CDN or load balancer health probes that request synthetic paths and accumulate 404 errors at the origin

Splunk

spl

index=web sourcetype=access_combined
```T1595.003 wordlist scanning: flag requests whose User-Agent names a scanning tool and count 404/403 responses per client and host. The tool list mirrors the Sentinel query on this page.```
| eval scanner_ua=if(match(lower(useragent), "gobuster|dirbuster|feroxbuster|ffuf|wfuzz|nikto|dirsearch|nuclei|wapiti|skipfish|sqlmap|s3recon|gcpbucketbrute|dirfuzz|dirb/|w3af|whatweb|commix|nmap scripting"), 1, 0)
| eval is_error=if(status=="404" OR status=="403", 1, 0)
| stats
    count as total_requests,
    sum(scanner_ua) as scanner_ua_requests,
    sum(is_error) as error_requests,
    dc(uri) as unique_uris,
    first(useragent) as primary_ua,
    min(_time) as first_seen,
    max(_time) as last_seen
  by clientip, host
```first_seen and last_seen are epoch seconds, so the difference divided by 60 is minutes.```
| eval scan_duration_minutes=round((last_seen - first_seen) / 60, 1)
| eval detection_type=case(
    scanner_ua_requests > 0 AND error_requests > 50, "KnownScanner_HighErrorVolume",
    scanner_ua_requests > 0, "KnownScannerUserAgent",
    error_requests > 200 AND unique_uris > 100, "HighVolume404Pattern",
    1=1, null()
)
| where isnotnull(detection_type)
```Every row that survives the filter above satisfies one of the first four arms; the final default arm is only a safety net.```
| eval suspicion_score=case(
    scanner_ua_requests > 0 AND error_requests > 100, 4,
    scanner_ua_requests > 0, 3,
    error_requests > 500 AND unique_uris > 250, 3,
    error_requests > 200 AND unique_uris > 100, 2,
    1=1, 1
)
| table first_seen, last_seen, clientip, host, primary_ua, total_requests, unique_uris, error_requests, scan_duration_minutes, detection_type, suspicion_score
| sort - suspicion_score - first_seen

medium severity medium confidence

Data Sources

Application Log: Application Log Content; Network Traffic: Network Traffic Content; Web Server Access Logs

Required Sourcetypes

access_combined

False Positives

Internal vulnerability scanners running authorized scheduled scans with scanner User-Agents from known internal IP ranges
Authorized penetration testing using ffuf, gobuster, or DirBuster during engagement windows
Legitimate high-volume web crawlers (Googlebot, Bingbot, archive.org) that request large numbers of paths
Load testing tools (JMeter, Locust, k6) exercising application endpoints with synthetic URL patterns at high rates
CDN or reverse proxy health checks that probe non-existent backend paths on a regular schedule

Elastic Security (EQL)

eql

// T1595.003 — Wordlist Scanning
// Matches web access events that returned 404 and whose User-Agent contains the name of a
// directory brute-forcing tool. The `:` operator is case-insensitive and honours `*` wildcards.
// Patterns are wrapped in wildcards on both sides because several tools do not put their name
// first in the User-Agent (for example Nikto reports "Mozilla/5.00 (Nikto/...)").
// ffuf's default User-Agent is "Fuzz Faster U Fool v<version>", so it is listed explicitly.
any where event.dataset : ("iis.access", "apache_http_server.access")
  and user_agent.original : (
    "*gobuster*", "*dirbuster*", "*feroxbuster*", "*ffuf*", "*fuzz faster u fool*",
    "*wfuzz*", "*nikto*", "*dirsearch*", "*nuclei*", "*dirb/*"
  )
  and http.response.status_code == 404

medium severity medium confidence

Data Sources

Web Server Logs IIS Logs

Required Tables

logs-apache_http_server.* logs-iis.access-*

False Positives

Internal vulnerability scanners (Nessus, Qualys, Tenable, Rapid7) running authorized scans from known IPs with recognizable User-Agent strings
Authorized penetration testing engagements by third-party firms using gobuster, ffuf, DirBuster, or similar tools
Legitimate SEO crawlers, web archival bots (archive.org), or monitoring services that probe large numbers of URLs and generate 404s
CI/CD pipeline integration tests or automated health checks that probe non-existent endpoints at high frequency

IBM QRadar (AQL)

sql

-- T1595.003: events from the last 24 hours whose User-Agent names a directory brute-forcing tool.
-- NOTE(review): "useragent" and "responsecode" are assumed to be custom event properties;
-- confirm they exist and are populated for your web log sources.
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    -- Every returned row already has a scanner User-Agent (see WHERE), so the score only
    -- needs to separate probes answered with 404 (8) from any other response (4).
    CASE
        WHEN "responsecode" = '404' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  -- ILIKE is case-insensitive, so no LOWER() is needed. The OR chain is parenthesised so
  -- that the log-source exclusion below applies to every tool, not just the last one.
  WHERE ("useragent" ILIKE '%gobuster%'
      OR "useragent" ILIKE '%dirbuster%'
      OR "useragent" ILIKE '%feroxbuster%'
      OR "useragent" ILIKE '%ffuf%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Internal vulnerability scanners (Nessus, Qualys, Tenable, Rapid7) running authorized scans from known IPs with recognizable User-Agent strings
Authorized penetration testing engagements by third-party firms using gobuster, ffuf, DirBuster, or similar tools
Legitimate SEO crawlers, web archival bots (archive.org), or monitoring services that probe large numbers of URLs and generate 404s
CI/CD pipeline integration tests or automated health checks that probe non-existent endpoints at high frequency

Sumo Logic CSE

sql

// T1595.003: sources generating many distinct 404/403 responses (wordlist enumeration pattern).
// NOTE(review): the regex assumes a common/combined-style access log line
// (client IP, "-", user, ..., quoted request line, status code); adjust for other formats.
_sourceCategory=*web* OR _sourceCategory=*iis* OR _sourceCategory=*apache*
// Single backslashes: a doubled "\\d" would match a literal backslash followed by "d".
| parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) - (?<user>[^ ]+) .* \"(?<method>[A-Z]+) (?<uri>[^ ]+).*\" (?<status>\d+)"
// Parsed fields are strings, so the status codes are compared as strings.
| where status in ("404", "403")
| count as error_requests, count_distinct(uri) as unique_uris by client_ip
// Same thresholds as the high-volume branch of the Sentinel and Splunk queries on this page.
| where error_requests > 200 and unique_uris > 100
| sort by error_requests desc

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

web/access iis/access

False Positives

Internal vulnerability scanners (Nessus, Qualys, Tenable, Rapid7) running authorized scans from known IPs with recognizable User-Agent strings
Authorized penetration testing engagements by third-party firms using gobuster, ffuf, DirBuster, or similar tools
Legitimate SEO crawlers, web archival bots (archive.org), or monitoring services that probe large numbers of URLs and generate 404s
CI/CD pipeline integration tests or automated health checks that probe non-existent endpoints at high frequency

Google Chronicle / SecOps

yaral

// Single-event rule: fires on an HTTP event whose User-Agent contains the name of a
// directory/content brute-forcing tool.
rule t1595_003_wordlist_scanning {
  meta:
    author = "df00tech"
    description = "Detects Wordlist Scanning (T1595.003)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1595.003"
    confidence = "medium"
    severity = "medium"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.principal.ip != ""
    // Without a User-Agent condition the rule would match every HTTP event with a source IP.
    // The tool list mirrors the scanner names used by the other queries for this technique.
    re.regex($e.network.http.user_agent, `gobuster|dirbuster|feroxbuster|ffuf|wfuzz|nikto|dirsearch|nuclei|dirb/`) nocase
  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_HTTP NETWORK_CONNECTION

False Positives

Internal vulnerability scanners (Nessus, Qualys, Tenable, Rapid7) running authorized scans from known IPs with recognizable User-Agent strings
Authorized penetration testing engagements by third-party firms using gobuster, ffuf, DirBuster, or similar tools
Legitimate SEO crawlers, web archival bots (archive.org), or monitoring services that probe large numbers of URLs and generate 404s
CI/CD pipeline integration tests or automated health checks that probe non-existent endpoints at high frequency

CrowdStrike LogScale (CQL)

cql

// T1595.003: process executions on monitored hosts that look like a directory/content
// brute-forcing tool being run, matched on the image path or the command line.
// Generic binaries (python, curl, wget) are not matched on their own because they run
// constantly for unrelated reasons; they are still caught when the command line names a tool.
#event_simpleName = "ProcessRollup2"
| ImageFileName = /gobuster|feroxbuster|ffuf|wfuzz|dirsearch|dirb|nikto/i or CommandLine = /gobuster|feroxbuster|ffuf|wfuzz|dirsearch|dirb|nikto/i
| TechniqueLabel := "T1595.003 - Reconnaissance"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

HttpRequest ProcessRollup2

False Positives

Internal vulnerability scanners (Nessus, Qualys, Tenable, Rapid7) running authorized scans from known IPs with recognizable User-Agent strings
Authorized penetration testing engagements by third-party firms using gobuster, ffuf, DirBuster, or similar tools
Legitimate SEO crawlers, web archival bots (archive.org), or monitoring services that probe large numbers of URLs and generate 404s
CI/CD pipeline integration tests or automated health checks that probe non-existent endpoints at high frequency

Wordlist Scanning

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections