DET0868: Detection of Wordlist Scanning
Wordlist scanning matters because it is often an early reconnaissance behavior: an actor probes for common paths, files, directories, application artifacts...
Analyst context for executives and security teams
Wordlist scanning matters because it is often an early reconnaissance behavior: an actor probes for common paths, files, directories, application artifacts, or infrastructure clues before deciding what to target next. For leaders, the value of this detection strategy is not a guaranteed alert, but a coverage question: can the organization see and triage unusual discovery activity against internet-facing assets before it becomes an incident-response problem?
Executive priority
Prioritize this as part of external attack surface monitoring, SOC readiness, and incident triage for internet-facing services. Because the ATT&CK object has no official detection text, platforms, or tactics specified, executives should treat DET0868 as a prompt to validate whether existing web, edge, and exposure telemetry can support evidence-based decisions about reconnaissance against public infrastructure.
Technical view
DET0868 is a detection strategy for T1595.003 Wordlist Scanning, which ATT&CK places under reconnaissance with PRE platform context. SOC and detection teams should validate whether they can identify iterative probing patterns for common or software-specific names and file extensions, distinguish them from normal search engine, vulnerability management, and availability monitoring traffic, and correlate activity across source, destination, URI/path, response code, user agent, and time window. Since no official detection logic is supplied, local baselining and environment-specific tuning are required.
Likely telemetry
- Web server and reverse proxy access logs
- WAF, CDN, load balancer, and API gateway request logs where applicable
- Internet-facing asset inventory and exposure management data
- DNS and network flow metadata for public services
- HTTP request attributes such as URI/path, method, status code, user agent, source IP, host header, and timestamp
Detection direction
- Validate visibility across public-facing applications and infrastructure rather than assuming endpoint telemetry will show reconnaissance activity.
- Look for high-volume or iterative requests for many uncommon, nonexistent, sensitive-looking, or software-specific paths from the same source or coordinated sources.
- Tune against expected benign crawlers, search indexing, uptime checks, QA automation, and authorized vulnerability scanning to reduce false positives.
- Correlate request patterns with asset criticality and exposure; scanning against administrative portals or high-value applications should carry higher triage priority.
- Document gaps where logs are sampled, retained too briefly, hidden behind third-party edge services, or not normalized into the SIEM/data lake.
Mitigation priorities
- Maintain an accurate inventory of internet-facing assets and owners so reconnaissance alerts can be routed quickly.
- Ensure edge, web, and application logs are collected with enough detail and retention to support investigation.
- Establish known-good sources for approved scanning, monitoring, and search crawler activity before enforcing alert thresholds.
- Use exposure reduction and hardening practices for public services, especially removal of unnecessary files, default content, and discoverable administrative paths.
- Include wordlist-scanning scenarios in detection validation and incident-response playbooks so analysts know when to escalate reconnaissance into containment or owner notification.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy, not a full technique description, and contains no official description or detection guidance. The strongest source-supported context is its relationship to T1595.003 Wordlist Scanning, a reconnaissance technique involving iterative probing to identify content and infrastructure rather than credentials.
Platforms and tactics are not specified on the detection strategy itself, and no official detection analytic, data source list, thresholds, or mitigation text was supplied. Any production detection must be validated against the organization’s public asset footprint, logging architecture, normal crawler/scanner traffic, and business-approved testing activity.
Detection of Wordlist Scanning
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1595.003 | Wordlist Scanning Sub-technique | This object detects Wordlist Scanning. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | b6d3749cd220… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0868Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.