T1595.003 IBM QRadar · QRadar

Detect Wordlist Scanning in IBM QRadar

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques with wordlists to identify content and infrastructure rather than valid credentials. Web content discovery tools such as Dirb, DirBuster, GoBuster, ffuf, and feroxbuster enumerate websites' pages, directories, and hidden administrative portals using generic or target-specific wordlists. Cloud-targeted tools such as s3recon and GCPBucketBrute enumerate public and private cloud storage buckets using globally unique naming patterns. Discovery of exposed content can enable follow-on operations such as exploiting vulnerable pages, accessing sensitive data in cloud storage, or identifying attack surfaces for credential brute-forcing. APT41 and Volatile Cedar (Lebanese Cedar) are known to use directory brute-forcing tools as part of their initial reconnaissance phase.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1595 Active Scanning
Sub-technique
T1595.003 Wordlist Scanning
Canonical reference
https://attack.mitre.org/techniques/T1595/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("useragent") ILIKE '%gobuster%' OR LOWER("useragent") ILIKE '%dirbuster%' OR LOWER("useragent") ILIKE '%feroxbuster%' OR LOWER("useragent") ILIKE '%ffuf%' AND "responsecode" = '404' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("useragent") ILIKE '%gobuster%' OR LOWER("useragent") ILIKE '%dirbuster%' OR LOWER("useragent") ILIKE '%feroxbuster%' OR LOWER("useragent") ILIKE '%ffuf%' AND "responsecode" = '404')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS
medium severity medium confidence

QRadar AQL detection for Wordlist Scanning (T1595.003). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.

Data Sources

QRadar SIEMWindows Security EventsNetwork Firewall LogsSyslog

Required Tables

events

False Positives & Tuning

  • Internal vulnerability scanners (Nessus, Qualys, Tenable, Rapid7) running authorized scans from known IPs with recognizable User-Agent strings
  • Authorized penetration testing engagements by third-party firms using gobuster, ffuf, DirBuster, or similar tools
  • Legitimate SEO crawlers, web archival bots (archive.org), or monitoring services that probe large numbers of URLs and generate 404s
  • CI/CD pipeline integration tests or automated health checks that probe non-existent endpoints at high frequency
Download portable Sigma rule (.yml)

Other platforms for T1595.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1GoBuster Directory Enumeration Against Localhost

    Expected signal: Sysmon Event ID 1 (Linux): Process Create with Image=/usr/bin/gobuster or similar, CommandLine containing 'dir -u http://127.0.0.1 -w'. Web server access logs: rapid high-volume requests from 127.0.0.1 with User-Agent containing 'gobuster/2.x' or similar gobuster version string, majority returning HTTP 404. Sysmon Event ID 3: network connections from gobuster process to 127.0.0.1:80.

  2. Test 2ffuf Web Content Discovery with Wordlist

    Expected signal: Process creation event with FileName=ffuf, CommandLine containing '-u http://127.0.0.1/FUZZ -w raft-small-words.txt'. Web server access logs: rapid requests from 127.0.0.1 with User-Agent 'Fuzz Faster U Fool v2.x.x'. Sysmon Event ID 3: outbound TCP connections from ffuf process to 127.0.0.1:80.

  3. Test 3Custom Python Wordlist Scanner (No Tool User-Agent)

    Expected signal: Web server access logs: 35 requests from 127.0.0.1 with generic browser User-Agent across 35 unique URI paths, majority returning HTTP 404. Sysmon Event ID 1: python3 process creation with inline script containing 'requests.get'. KQL Branch 2 requires RequestCount > 200 — extend wordlist or reduce threshold during tuning. SPL HighVolume404Pattern requires error_requests > 200.

  4. Test 4Nikto Web Server Vulnerability and Content Scanner

    Expected signal: Process creation event: FileName=nikto or nikto.pl, CommandLine containing '-host http://127.0.0.1 -maxtime 30s'. Web server access logs: high-volume requests from 127.0.0.1 with User-Agent containing 'Nikto' (e.g., 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)'). Hundreds of varied HTTP requests including probes for /cgi-bin/, /.git/, /backup/, /.env, /phpinfo.php within 30 seconds.

Last updated: 2026-03-13 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1595.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1595Active Scanning

Related Sub-techniques

T1595.001Scanning IP BlocksT1595.002Vulnerability Scanning

Related Techniques

T1595Active ScanningT1595.001Scanning IP BlocksT1595.002Vulnerability ScanningT1594Search Victim-Owned WebsitesT1591Gather Victim Org InformationT1190Exploit Public-Facing ApplicationT1110Brute ForceT1530Data from Cloud StorageT1083File and Directory Discovery

Same Tactic: Reconnaissance

Popular Detections