Removed rule. This rule is known, but it is no longer present in its source. Showing the last known version.Removed: Jun 9, 2026, 9:23 PM
🐾 - 🔔 HTTP - NTLMSSP_AUTH 🪟 Possible NTLMv2 Active Directory credentials capturing 🥷 - T1040
Sourcepawpatrules
FilePAW-PATRULES_LATERAL_MOVEMENT.rules
CreatedJune 9, 2026
UpdatedJune 9, 2026
Classificationcredential-theft
alert http any any -> any any (msg:"🐾 - 🔔 HTTP - NTLMSSP_AUTH 🪟 Possible NTLMv2 Active Directory credentials capturing 🥷 - T1040"; flow:to_server, stateless ; http.method; content:"GET"; http.protocol; content:"HTTP/1.1"; http.request_body; content:"|41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 4e 65 67 6f 74 69 61 74 65 20|"; content:"|4e 54 4c 4d 53 53 50 00|"; fast_pattern; content:"|03 00 00 00|"; distance:0; reference:url,https://attack.mitre.org/techniques/T1040/ ; reference:url,https://attack.mitre.org/software/S0174 ; reference:url,https://github.com/SpiderLabs/Responder ; metadata:created_at 2026_06_09, updated_at 2026_06_09, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3321479; rev:5; classtype:credential-theft;)
References
Metadata
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!