T1595.003 Splunk · SPL

Detect Wordlist Scanning in Splunk

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques with wordlists to identify content and infrastructure rather than valid credentials. Web content discovery tools such as Dirb, DirBuster, GoBuster, ffuf, and feroxbuster enumerate websites' pages, directories, and hidden administrative portals using generic or target-specific wordlists. Cloud-targeted tools such as s3recon and GCPBucketBrute enumerate public and private cloud storage buckets using globally unique naming patterns. Discovery of exposed content can enable follow-on operations such as exploiting vulnerable pages, accessing sensitive data in cloud storage, or identifying attack surfaces for credential brute-forcing. APT41 and Volatile Cedar (Lebanese Cedar) are known to use directory brute-forcing tools as part of their initial reconnaissance phase.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1595 Active Scanning
Sub-technique
T1595.003 Wordlist Scanning
Canonical reference
https://attack.mitre.org/techniques/T1595/003/

SPL Detection Query

Splunk (SPL)
spl 
index=web sourcetype=access_combined
| eval scanner_ua=if(match(lower(useragent), "gobuster|dirbuster|feroxbuster|ffuf|wfuzz|nikto|dirsearch|nuclei|wapiti|skipfish|sqlmap|s3recon|gcpbucketbrute|dirb/|w3af|commix"), 1, 0)
| eval is_error=if(status=="404" OR status=="403", 1, 0)
| stats
    count as total_requests,
    sum(scanner_ua) as scanner_ua_requests,
    sum(is_error) as error_requests,
    dc(uri) as unique_uris,
    first(useragent) as primary_ua,
    min(_time) as first_seen,
    max(_time) as last_seen
  by clientip, host
| eval scan_duration_minutes=round((last_seen - first_seen) / 60, 1)
| eval detection_type=case(
    scanner_ua_requests > 0 AND error_requests > 50, "KnownScanner_HighErrorVolume",
    scanner_ua_requests > 0, "KnownScannerUserAgent",
    error_requests > 200 AND unique_uris > 100, "HighVolume404Pattern",
    1=1, null()
)
| where isnotnull(detection_type)
| eval suspicion_score=case(
    scanner_ua_requests > 0 AND error_requests > 100, 4,
    scanner_ua_requests > 0, 3,
    error_requests > 500 AND unique_uris > 250, 3,
    error_requests > 200 AND unique_uris > 100, 2,
    1=1, 1
)
| table first_seen, last_seen, clientip, host, primary_ua, total_requests, unique_uris, error_requests, scan_duration_minutes, detection_type, suspicion_score
| sort - suspicion_score - first_seen
medium severity medium confidence

Detects web wordlist scanning using Apache/Nginx access logs (access_combined sourcetype). Evaluates each source IP's request pattern across two dimensions: presence of known scanning tool User-Agent strings and high-volume HTTP 404/403 error rate with high unique URI cardinality. Assigns a cumulative suspicion score (1-4) based on combined indicators for analyst prioritization. Compatible with both Apache httpd and Nginx logs normalized to access_combined format.

Data Sources

Application Log: Application Log ContentNetwork Traffic: Network Traffic ContentWeb Server Access Logs

Required Sourcetypes

access_combined

False Positives & Tuning

  • Internal vulnerability scanners running authorized scheduled scans with scanner User-Agents from known internal IP ranges
  • Authorized penetration testing using ffuf, gobuster, or DirBuster during engagement windows
  • Legitimate high-volume web crawlers (Googlebot, Bingbot, archive.org) that request large numbers of paths
  • Load testing tools (JMeter, Locust, k6) exercising application endpoints with synthetic URL patterns at high rates
  • CDN or reverse proxy health checks that probe non-existent backend paths on a regular schedule
Download portable Sigma rule (.yml)

Other platforms for T1595.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1GoBuster Directory Enumeration Against Localhost

    Expected signal: Sysmon Event ID 1 (Linux): Process Create with Image=/usr/bin/gobuster or similar, CommandLine containing 'dir -u http://127.0.0.1 -w'. Web server access logs: rapid high-volume requests from 127.0.0.1 with User-Agent containing 'gobuster/2.x' or similar gobuster version string, majority returning HTTP 404. Sysmon Event ID 3: network connections from gobuster process to 127.0.0.1:80.

  2. Test 2ffuf Web Content Discovery with Wordlist

    Expected signal: Process creation event with FileName=ffuf, CommandLine containing '-u http://127.0.0.1/FUZZ -w raft-small-words.txt'. Web server access logs: rapid requests from 127.0.0.1 with User-Agent 'Fuzz Faster U Fool v2.x.x'. Sysmon Event ID 3: outbound TCP connections from ffuf process to 127.0.0.1:80.

  3. Test 3Custom Python Wordlist Scanner (No Tool User-Agent)

    Expected signal: Web server access logs: 35 requests from 127.0.0.1 with generic browser User-Agent across 35 unique URI paths, majority returning HTTP 404. Sysmon Event ID 1: python3 process creation with inline script containing 'requests.get'. KQL Branch 2 requires RequestCount > 200 — extend wordlist or reduce threshold during tuning. SPL HighVolume404Pattern requires error_requests > 200.

  4. Test 4Nikto Web Server Vulnerability and Content Scanner

    Expected signal: Process creation event: FileName=nikto or nikto.pl, CommandLine containing '-host http://127.0.0.1 -maxtime 30s'. Web server access logs: high-volume requests from 127.0.0.1 with User-Agent containing 'Nikto' (e.g., 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)'). Hundreds of varied HTTP requests including probes for /cgi-bin/, /.git/, /backup/, /.env, /phpinfo.php within 30 seconds.

Last updated: 2026-03-13 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1595.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1595Active Scanning

Related Sub-techniques

T1595.001Scanning IP BlocksT1595.002Vulnerability Scanning

Related Techniques

T1595Active ScanningT1595.001Scanning IP BlocksT1595.002Vulnerability ScanningT1594Search Victim-Owned WebsitesT1591Gather Victim Org InformationT1190Exploit Public-Facing ApplicationT1110Brute ForceT1530Data from Cloud StorageT1083File and Directory Discovery

Same Tactic: Reconnaissance

Popular Detections