T1595.003: Wordlist Scanning
Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to Brute Force, its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: Gather Victim Org Information, or Search Victim-Owned Websites).
For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories.[1] This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: Exploit Public-Facing Application or Brute Force).
As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.[2][3] Once storage objects are discovered, adversaries may leverage Data from Cloud Storage to access valuable information that can be exfiltrated or used to escalate privileges and move laterally.
Analyst context for executives and security teams
Wordlist scanning is pre-compromise reconnaissance where an adversary probes websites or cloud storage naming patterns to find hidden directories, old pages, administrative portals, or storage buckets. The business issue is not the scan itself; it is whether forgotten internet-facing content or discoverable cloud objects create a path to later exploitation, brute forcing, or cloud data access.
Executive priority
Treat this as an attack-surface management and readiness question. Leaders should ask whether public web assets, legacy applications, administrative paths, and cloud storage names are inventoried, intentionally exposed, monitored, and removable when unnecessary. This technique matters for resilience and audit evidence because it tests whether the organization can prove that exposed services and cloud storage are governed before an incident starts.
Technical view
This is a reconnaissance sub-technique under Active Scanning on the PRE platform. ATT&CK provides no official detection text, but the related detection strategy DET0868 indicates detection is expected to focus on wordlist-scanning behavior. SOC and detection teams should validate visibility into repeated requests for non-existent or uncommon paths, high-volume directory or file enumeration patterns, requests for administrative or legacy paths, and cloud bucket name enumeration attempts. IR teams should correlate any successful discoveries with follow-on risk areas explicitly referenced by ATT&CK: Exploit Public-Facing Application, Brute Force, and Data from Cloud Storage.
Likely telemetry
- Web server access logs for requested paths, response codes, user agents, source IPs, and request rates
- WAF, reverse proxy, CDN, and load balancer logs showing directory or file enumeration patterns
- Application logs for requests to legacy, hidden, or administrative routes
- Cloud storage access and audit logs for bucket/object discovery attempts and denied or successful access
- External attack-surface inventory showing public web applications, old pages, exposed admin portals, and cloud storage naming patterns
Detection direction
- Validate detections for bursts or sequences of requests using many common directory, file, extension, or software-specific names rather than single suspicious requests.
- Tune for high volumes of 404/403 responses mixed with occasional 200 responses, while accounting for benign vulnerability scanners, search engine crawlers, QA tools, and uptime monitoring.
- Correlate web enumeration with later authentication attempts, exploitation attempts against public-facing applications, or access to cloud storage objects.
- Confirm coverage exists at internet ingress points; endpoint-only telemetry will usually miss reconnaissance against externally hosted web or cloud storage surfaces.
- Use relationship context from Active Scanning and DET0868, but do not assume detection coverage because ATT&CK did not provide official detection details for this object.
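The detection direction above (many distinct names in one burst, a high 404/403 share, an allowance for benign enumerators, and surfacing the occasional 200 as the thing to triage first) written out as an added Python example. This is not code from the page, from ATT&CK or from Glexia; it assumes Apache/nginx combined-format access logs, the sample lines are constructed, and the window, thresholds and user-agent allowlist are assumptions to be tuned against local traffic. The same per-source windowing applies unchanged to cloud storage access logs, where the equivalent signal is a burst of bucket-not-found or access-denied results.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format. The regex captures only the fields the
# detection needs: source IP, timestamp, request path, status code, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not real logs): one source sweeping common
# directory/file names, one ordinary user, one allowlisted search-engine crawler.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:13:55:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:01 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:02 +0000] "GET /config.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:03 +0000] "GET /phpmyadmin HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:03 +0000] "GET /test HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:04 +0000] "GET /old HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:04 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:05 +0000] "GET /api HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:05 +0000] "GET /uploads HTTP/1.1" 403 199 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:06 +0000] "GET /old/login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:13:55:06 +0000] "GET /console HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.5 - - [10/Mar/2024:13:55:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.5 - - [10/Mar/2024:13:55:03 +0000] "GET /static/app.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.5 - - [10/Mar/2024:13:55:10 +0000] "GET /login HTTP/1.1" 200 1402 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.9 - - [10/Mar/2024:13:55:07 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
192.0.2.9 - - [10/Mar/2024:13:55:08 +0000] "GET /sitemap.xml HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
192.0.2.9 - - [10/Mar/2024:13:55:09 +0000] "GET /about HTTP/1.1" 200 3310 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""

# Tunables (assumed values, not from the page). Both conditions must hold inside
# one window: many distinct names AND a high 404/403 share. A single odd request
# never fires.
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_PATHS = 10
MIN_ERROR_RATIO = 0.8
# Benign enumerators the page says to account for. A user-agent allowlist is a
# triage aid only, since any client can set any UA; in production pair it with
# source verification (e.g. DNS checks for crawlers, known monitor IP ranges).
BENIGN_UA_MARKERS = ("Googlebot", "bingbot", "UptimeRobot", "Pingdom")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def detect_wordlist_scans(lines, window=WINDOW, min_paths=MIN_DISTINCT_PATHS,
                          min_ratio=MIN_ERROR_RATIO):
    """Return one alert per burst of enumeration-like requests from a single source."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or any(marker in ev["ua"] for marker in BENIGN_UA_MARKERS):
            continue
        by_src[ev["ip"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(events):
            # Grow the window forward from event i.
            j = i
            while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window:
                j += 1
            burst = events[i:j]
            paths = {e["path"] for e in burst}
            errors = sum(1 for e in burst if e["status"] in (403, 404))
            ratio = errors / len(burst)
            if len(paths) >= min_paths and ratio >= min_ratio:
                alerts.append({
                    "src": src,
                    "window_start": burst[0]["ts"].isoformat(),
                    "requests": len(burst),
                    "distinct_paths": len(paths),
                    "error_ratio": round(ratio, 2),
                    # 2xx responses inside the burst are the "occasional 200s":
                    # content the sweep actually found, so triage these first.
                    "discovered": sorted(e["path"] for e in burst
                                         if 200 <= e["status"] < 300),
                })
                i = j  # one alert per burst; resume after the window
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_wordlist_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, only 203.0.113.7 fires: twelve distinct names in six seconds with eleven 403/404 responses, and the alert carries `/old/login.php` as the one path that answered 200, which is exactly the legacy page the mitigation section says should be inventoried or removed. The crawler is dropped by the allowlist and would also fail the error-ratio test; the ordinary user never reaches the distinct-path floor.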
Mitigation priorities
- Prioritize pre-compromise exposure reduction: maintain an accurate inventory of public web assets, administrative portals, legacy pages, and cloud storage resources.
- Apply M1042 by disabling or removing unnecessary, legacy, or vulnerable software, features, services, and web content that wordlist scanning could discover.
- Apply M1056 by limiting unnecessary public information and reducing attack-surface clues that could help build target-specific wordlists.
- Review cloud storage naming, permissions, and access logging so discovered storage objects do not automatically become accessible data sources.
- Use findings from scanning detections to drive vulnerability management and remediation priorities for exposed applications and storage.
Analyst notes and limits
ATT&CK links this behavior to generic and target-specific wordlists, web content discovery tools, and cloud bucket enumeration tools. Relationship context indicates use by APT41 and Volatile Cedar, but that should be treated as historical ATT&CK context, not evidence of current activity in any environment. The practical defensive value is confirming whether reconnaissance would reveal unmanaged assets and whether the SOC can see it early enough to guide response.
The official ATT&CK object does not include a detection section, so detection guidance must be validated against local architecture and available logs. The supplied platform is PRE, so this take does not assume endpoint, operating system, or vendor-specific coverage. Exposure and risk depend on the organization’s actual internet-facing assets and cloud storage configuration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1595 | Active Scanning | This object is a sub-technique of Active Scanning. |
Groups, software, and campaigns
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G0123: Volatile Cedar
Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.[1][2]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c53817697a08… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
[2] Travis Clarke. (2020, March 21). S3Recon GitHub. Retrieved March 4, 2022.
[3] Spencer Gietzen. (2019, February 26). Google Cloud Platform (GCP) Bucket Enumeration and Privilege Escalation. Retrieved March 4, 2022.
[4] mitre-attack. T1595.003.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.