Home/ATT&CK Technique/Wordlist Scanning
ATT&CK Technique

Wordlist Scanning

T1595.003 · reconnaissance

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to Brute Force, its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software.

Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: Gather Victim Org Information, or Search Victim-Owned Websites). For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories. This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: Exploit Public-Facing Application or Brute Force).

As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure. Once storage objects are discovered, adversaries may leverage Data from Cloud Storage to access valuable information that can be exfiltrated or used to escalate privileges and move laterally.

PRE

Actors Using This

3
chinaAPT41
chinaEarth Krahang
chinaFlax Typhoon

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
reconnaissance same
T1595 · Active Scanning ×34.00T1595.002 · Vulnerability Scanning ×34.00
execution later
T1574.001 · DLL ×1.84T1059.007 · JavaScript ×1.75
persistence later
T1136 · Create Account ×3.61
credential-access later
T1110 · Brute Force ×3.09T1555.003 · Credentials from Web Browsers ×1.86
discovery later
T1012 · Query Registry ×4.18T1069 · Permission Groups Discovery ×1.82
lateral-movement later
T1570 · Lateral Tool Transfer ×2.43T1021.002 · SMB/Windows Admin Shares ×1.95T1021.001 · Remote Desktop Protocol ×1.87
collection later
T1074.001 · Local Data Staging ×2.02
command-and-control later
T1573.002 · Asymmetric Cryptography ×2.77
exfiltration later
T1048 · Exfiltration Over Alternative Protocol ×2.48

Atomic Tests

1
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellwindows, linux, macosWeb Server Wordlist Scan
This test will scan a target system with a wordlist of common directories and file paths. 
Import-Module "PathToAtomicsFolder/T1595.003/src/WebServerScan.ps1"
Invoke-WordlistScan -Target "#{target}" -Wordlist "#{wordlist}" -Timeout "#{request_timeout}" -OutputFile "#{output_file}"
Write-Host "Scan complete. Results saved to: #{output_file}"

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1042Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled.

Remove Legacy Software
  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.
Disable Unused Features
  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.
Control Applications Installed by Users
  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.
Remove Unnecessary Services
  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.
Restrict Add-ons and Plugins
  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.
M1056Pre-compromise

Pre-compromise mitigations involve proactive measures and defenses implemented to prevent adversaries from successfully identifying and exploiting weaknesses during the Reconnaissance and Resource Development phases of an attack. These activities focus on reducing an organization's attack surface, identify adversarial preparation efforts, and increase the difficulty for attackers to conduct successful operations.

Limit Information Exposure
  • Regularly audit and sanitize publicly available data, including job posts, websites, and social media.
  • Use tools like OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.
Protect Domain and DNS Infrastructure
  • Enable DNSSEC and use WHOIS privacy protection.
  • Monitor for domain hijacking or lookalike domains using services like RiskIQ or DomainTools.
External Monitoring
  • Use tools like Shodan, Censys to monitor your external attack surface.
  • Deploy external vulnerability scanners to proactively address weaknesses.
Threat Intelligence
  • Leverage platforms like MISP, Recorded Future, or Anomali to track adversarial infrastructure, tools, and activity.
Content and Email Protections
  • Use email security solutions like Proofpoint, Microsoft Defender for Office 365, or Mimecast.
  • Enforce SPF/DKIM/DMARC policies to protect against email spoofing.
Training and Awareness
  • Educate employees on identifying phishing attempts, securing their social media, and avoiding information leaks.

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53SC-04
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin