Removed rule. This rule is known, but it is no longer present in its source. Showing the last known version.Removed: Jun 9, 2026, 9:23 PM

🐾 - 🔔 HTTP - NTLMSSP_AUTH 🪟 Possible NTLMv2 Active Directory credentials capturing 🥷 - T1040

SID: 3321479Rev: 5Enabled6 viewsHistory
FilePAW-PATRULES_LATERAL_MOVEMENT.rules
CreatedJune 9, 2026
UpdatedJune 9, 2026
Classificationcredential-theft
alert http any any -> any any (msg:"🐾 - 🔔 HTTP - NTLMSSP_AUTH 🪟 Possible NTLMv2 Active Directory credentials capturing 🥷 - T1040"; flow:to_server, stateless; http.method; content:"GET"; http.protocol; content:"HTTP/1.1"; http.request_body; content:"|41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 4e 65 67 6f 74 69 61 74 65 20|"; content:"|4e 54 4c 4d 53 53 50 00|"; fast_pattern; content:"|03 00 00 00|"; distance:0; reference:url,https://attack.mitre.org/techniques/T1040/; reference:url,https://attack.mitre.org/software/S0174; reference:url,https://github.com/SpiderLabs/Responder; metadata:created_at 2026_06_09, updated_at 2026_06_09, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3321479; rev:5; classtype:credential-theft;)

Metadata

created at2026_06_09
updated at2026_06_09
signature severityMajor
attack targetClient_Endpoint
affected productWindows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre tactic idTA0006
mitre tactic nameCredential_Access
mitre technique idT1040
mitre technique nameNetwork_Sniffing

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!