title: Wordlist Scanning (T1595.003)
id: df00tech-t1595-003
status: experimental
description: "Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques with wordlists to identify content and infrastructure rather than valid credentials. Web content discovery tools such as Dirb, DirBuster, GoBuster, ffuf, and feroxbuster enumerate websites' pages, directories, and hidden administrative portals using generic or target-specific wordlists. Cloud-targeted tools such as s3recon and GCPBucketBrute enumerate public and private cloud storage buckets using globally unique naming patterns. Discovery of exposed content can enable follow-on operations such as exploiting vulnerable pages, accessing sensitive data in cloud storage, or identifying attack surfaces for credential brute-forcing. APT41 and Volatile Cedar (Lebanese Cedar) are known to use directory brute-forcing tools as part of their initial reconnaissance phase."
references:
  - https://attack.mitre.org/techniques/T1595/003/
  - https://df00tech.com/detections/T1595.003
author: df00tech
date: 2026/03/13
tags:
  - attack.t1595.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Internal vulnerability scanners (Nessus, Qualys, Tenable, Rapid7) running authorized scans from known IPs with recognizable User-Agent strings"
  - "Authorized penetration testing engagements by third-party firms using gobuster, ffuf, DirBuster, or similar tools"
  - "Legitimate SEO crawlers, web archival bots (archive.org), or monitoring services that probe large numbers of URLs and generate 404s"
  - CI/CD pipeline integration tests or automated health checks that probe non-existent endpoints at high frequency
  - CDN or load balancer health probes that request synthetic paths and accumulate 404 errors at the origin
level: medium