Reconnaissance

T1595.003: Wordlist Scanning


T1595.003 · Sub-technique · 1 platform · 2 groups

Description

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to Brute Force, its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: Gather Victim Org Information, or Search Victim-Owned Websites).

For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories.(Citation: ClearSky Lebanese Cedar Jan 2021) This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: Exploit Public-Facing Application or Brute Force).

As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.(Citation: S3Recon GitHub)(Citation: GCPBucketBrute) Once storage objects are discovered, adversaries may leverage Data from Cloud Storage to access valuable information that can be exfiltrated or used to escalate privileges and move laterally.


Platforms

PRE

Mitigations (2)

Disable or Remove Feature or Program (M1042)

Remove or disable access to any systems, resources, and infrastructure that are not explicitly required to be available externally.

Pre-compromise (M1056)

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Threat Groups (2)

| ID | Group | Context |
|---|---|---|
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) leverages various tools and frameworks to brute-force directories on web servers.(Citation: Rostovcev A... |
| G0123 | Volatile Cedar | [Volatile Cedar](https://attack.mitre.org/groups/G0123) has used DirBuster and GoBuster to brute force web directories and DNS subdomains.(Citation: C... |

Frequently Asked Questions

What is T1595.003 (Wordlist Scanning)?

T1595.003 is a MITRE ATT&CK sub-technique named 'Wordlist Scanning'. It belongs to the Reconnaissance tactic. Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110),...

How can T1595.003 be detected?

Detection of T1595.003 (Wordlist Scanning) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
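One concrete way to surface this behaviour in web-server access logs, as an added example that is not part of the ATT&CK page or any vendor's product: the script parses combined-format log lines (the sample lines below are constructed) and flags any client that, within a 60-second window, sends at least 20 requests for at least 15 distinct paths with 80% or more of them answered 404. That profile matches a wordlist run against a site that does not host the guessed names. The thresholds, addresses and paths are assumptions chosen for illustration and should be tuned to the site's normal traffic.

```python
"""Detection example for T1595.003 (Wordlist Scanning).

Added illustration, not code from the ATT&CK page: flags clients whose
access-log activity looks like directory/file enumeration (many distinct
paths, dominated by 404 responses, inside a short time window).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"].split("?", 1)[0],  # ignore query strings
        "status": int(m["status"]),
    }


def find_wordlist_scanners(lines, window=timedelta(seconds=60),
                           min_requests=20, min_distinct_paths=15,
                           min_404_ratio=0.8):
    """Return {ip: summary} for clients whose traffic in some sliding window
    matches the enumeration profile. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # advance the window start so the window never exceeds `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            distinct = {r["path"] for r in win}
            ratio = sum(1 for r in win if r["status"] == 404) / len(win)
            if len(distinct) >= min_distinct_paths and ratio >= min_404_ratio:
                # keep the largest qualifying window seen for this client
                if ip not in hits or len(win) > hits[ip]["requests"]:
                    hits[ip] = {"requests": len(win),
                                "distinct_paths": len(distinct),
                                "ratio_404": round(ratio, 2),
                                "first": win[0]["ts"], "last": win[-1]["ts"]}
    return hits


def build_sample_log():
    """Constructed sample: one scanner, one normal visitor, one busy API client,
    plus a malformed line. Addresses are documentation ranges, not real hosts."""
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0"'

    guesses = ["admin", "administrator", "backup", "backups", "old", "test",
               "dev", "staging", "config", "uploads", "tmp", "logs", "db",
               "phpmyadmin", "wp-admin", "login", "manager", "console", "api",
               "private", "secret", ".git", ".env", ".svn", "cgi-bin",
               "include", "lib", "data"]
    probe_paths = ["/index.html", "/robots.txt"] + [f"/{g}" for g in guesses]
    lines = []
    # scanner: 30 distinct paths in 29 seconds, only the first two exist (200)
    for i, path in enumerate(probe_paths):
        lines.append(line("203.0.113.7", i, path, 200 if i < 2 else 404))
    # normal visitor: a handful of real pages
    for i, path in enumerate(["/index.html", "/about", "/contact",
                              "/static/app.js", "/images/logo.png"]):
        lines.append(line("198.51.100.5", i * 7, path, 200))
    # busy but legitimate API client: many requests, few distinct paths, all 200
    api = ["/api/status", "/api/items", "/api/health"]
    for i in range(25):
        lines.append(line("192.0.2.10", i * 2, api[i % 3], 200))
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for ip, summary in find_wordlist_scanners(build_sample_log()).items():
        print(ip, summary)
```

Only the 203.0.113.7 client is reported; the API client is just as chatty but requests three existing paths, and the ordinary visitor never reaches the request floor. The same request profile (many distinct names, mostly not-found or access-denied responses) is what to look for in cloud storage access logs when bucket-enumeration tools are in play.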

What mitigations exist for T1595.003?

The two documented mitigations for T1595.003 are Disable or Remove Feature or Program (M1042) and Pre-compromise (M1056).

Which threat groups use T1595.003?

Known threat groups using T1595.003 include: APT41, Volatile Cedar.