Active Scanning: Wordlist Scanning

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to Brute Force, its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: Gather Victim Org Information, or Search Victim-Owned Websites).

For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories.[1] This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: Exploit Public-Facing Application or Brute Force).

As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.[2][3] Once storage objects are discovered, adversaries may leverage Data from Cloud Storage to access valuable information that can be exfiltrated or used to escalate privileges and move laterally.

ID: T1595.003
Sub-technique of:  T1595
Tactic: Reconnaissance
Platforms: PRE
Contributors: Elvis Veliz, Citi; Jan Petrov, Citi; Richard Julian, Citi
Version: 1.0
Created: 04 March 2022
Last Modified: 15 April 2022

Procedure Examples

ID Name Description
G0096 APT41

APT41 leverages various tools and frameworks to brute-force directories on web servers.[4]

G0123 Volatile Cedar

Volatile Cedar has used DirBuster and GoBuster to brute force web directories and DNS subdomains.[1]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Remove or disable access to any systems, resources, and infrastructure that are not explicitly required to be available externally.

M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).

References