MITRE ATT&CK Technique
Description
Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591), or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories.(Citation: ClearSky Lebanese Cedar Jan 2021) This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [Brute Force](https://attack.mitre.org/techniques/T1110)). As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.(Citation: S3Recon GitHub)(Citation: GCPBucketBrute) Once storage objects are discovered, adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530) to access valuable information that can be exfiltrated or used to escalate privileges and move laterally.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2022-03-04T18:56:38.844Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may iteratively probe infrastructure using '
'brute-forcing and crawling techniques. While this technique '
'employs similar methods to [Brute '
'Force](https://attack.mitre.org/techniques/T1110), its goal '
'is the identification of content and infrastructure rather '
'than the discovery of valid credentials. Wordlists used in '
'these scans may contain generic, commonly used names and file '
'extensions or terms specific to a particular software. '
'Adversaries may also create custom, target-specific wordlists '
'using data gathered from other Reconnaissance techniques (ex: '
'[Gather Victim Org '
'Information](https://attack.mitre.org/techniques/T1591), or '
'[Search Victim-Owned '
'Websites](https://attack.mitre.org/techniques/T1594)).\n'
'\n'
'For example, adversaries may use web content discovery tools '
'such as Dirb, DirBuster, and GoBuster and generic or custom '
'wordlists to enumerate a website’s pages and '
'directories.(Citation: ClearSky Lebanese Cedar Jan 2021) This '
'can help them to discover old, vulnerable pages or hidden '
'administrative portals that could become the target of '
'further operations (ex: [Exploit Public-Facing '
'Application](https://attack.mitre.org/techniques/T1190) or '
'[Brute Force](https://attack.mitre.org/techniques/T1110)). \n'
'\n'
'As cloud storage solutions typically use globally unique '
'names, adversaries may also use target-specific wordlists and '
'tools such as s3recon and GCPBucketBrute to enumerate public '
'and private buckets on cloud infrastructure.(Citation: '
'S3Recon GitHub)(Citation: GCPBucketBrute) Once storage '
'objects are discovered, adversaries may leverage [Data from '
'Cloud Storage](https://attack.mitre.org/techniques/T1530) to '
'access valuable information that can be exfiltrated or used '
'to escalate privileges and move laterally. ',
'external_references': [{'external_id': 'T1595.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1595/003'},
{'description': 'ClearSky Cyber Security. (2021, '
'January). “Lebanese Cedar” APT '
'Global Lebanese Espionage Campaign '
'Leveraging Web Servers. Retrieved '
'February 10, 2021.',
'source_name': 'ClearSky Lebanese Cedar Jan 2021',
'url': 'https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf'},
{'description': 'Spencer Gietzen. (2019, February '
'26). Google Cloud Platform (GCP) '
'Bucket Enumeration and Privilege '
'Escalation. Retrieved March 4, 2022.',
'source_name': 'GCPBucketBrute',
'url': 'https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/'},
{'description': 'Travis Clarke. (2020, March 21). '
'S3Recon GitHub. Retrieved March 4, '
'2022.',
'source_name': 'S3Recon GitHub',
'url': 'https://github.com/clarketm/s3recon'}],
'id': 'attack-pattern--bed04f7d-e48a-4e76-bd0f-4c57fe31fc46',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'reconnaissance'}],
'modified': '2025-10-24T17:49:18.777Z',
'name': 'Wordlist Scanning',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Jan Petrov, Citi',
'Elvis Veliz, Citi',
'Richard Julian, Citi'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.0'}