Versions (2)
Version DetailsCurrent
Rev: 11 • Jan 6, 2024, 12:00 PM🐾 - 🔔 SMB - Suspicious session setup response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv2 response for 🎩 Active Directory or Windowscredentials capturing 🥷 - T1040
alert tcp any 445 -> any any (msg:"🐾 - 🔔 SMB - Suspicious session setup response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv2 response for 🎩 Active Directory or Windowscredentials capturing 🥷 - T1040"; flow:to_client, stateless; content:"|fe 53 4d 42 40 00|"; content:"|16 00 00 c0 01 00|"; content:"|01 00 00 00 00 00 00 00|"; content:"|ff fe 00 00 00 00 00 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|09 00 00 00 48 00|"; content:"|4e 54 4c 4d 53 53 50 00 02 00 00 00|"; content:"|08 00 08 00 38 00 00 00|"; content:"|a6 00 a6 00 40 00 00 00|"; content:"|02 00 08 00|"; content:"|01 00 1e 00 57 00 49 00 4e 00 2d 00|"; content:"|05 00 14 00|"; content:"|06 03 80 25 00 00 00 0f|"; content:"|00 00 00 00|"; endswith; reference:url,https://attack.mitre.org/techniques/T1040/; reference:url,https://attack.mitre.org/software/S0174; reference:url,https://github.com/SpiderLabs/Responder; metadata:created_at 2024_01_06, updated_at 2026_05_26, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3301112; rev:11; classtype:credential-theft;)
Jan 6, 2024, 12:00 PM
May 26, 2026, 12:00 PM
Feb 21, 2024, 4:00 PM
May 26, 2026, 8:35 PM
rules/PAW-PATRULES_LATERAL_MOVEMENT.rules