Rule History

alert tcp any 80 -> any any (msg:"🐾 - 🔔 HTTP - Suspicious accepted WebDAV response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv2 response for 🎩 Active Directory or Windows credentials capturing 🥷 - T1040"; flow: to_client, stateless; http.protocol; content:"HTTP/1.1"; http.server; content:"Microsoft-IIS/"; http.content_type; content:"text/html"; http.response_line; content:"HTTP/1.1 200 OK"; http.header.raw; content:"WWW-Authenticate: NTLM"; http.response_body; content:"|2f 70 69 63 74 75 72 65 73 2f 6c 6f 67 6f 2e 6a 70 67 27 20 61 6c 74 3d 27 4c 6f 61 64 69 6e 67 27 20 68 65 69 67 68 74 3d 27 31 27 20 77 69 64 74 68 3d 27 31 27 3e|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1040/; reference:url,https://attack.mitre.org/software/S0174; reference:url,https://github.com/SpiderLabs/Responder; metadata:created_at 2024_01_25, updated_at 2026_05_26, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3301124; rev:20; classtype:credential-theft;)