Rule History

alert tcp any 445 -> any any (msg:"🐾 - 🔔 SMBv1 - Suspicious session setup response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv1 response for 🎩 Active Directory or Windows credentials capturing 🥷 - T1040"; flow: to_client, stateless; content:"|ff 53 4d 42|"; content:"|73|"; distance:0; content:"|16 00 00 c0|"; content:"|88|"; distance:0; content:"|01 c8|"; distance:0; content:"|00 00|"; distance:0; content:"|9a 00 9a 00 40 00 00 00|"; content:"|4e 54 4c 4d 53 53 50 00 02 00 00 00|"; content:"|15 82 89 e2|"; content:"|05 02 ce 0e 00 00 00 0f|"; fast_pattern; content:"|00 00 00|"; endswith; reference:url,https://attack.mitre.org/techniques/T1040/; reference:url,https://attack.mitre.org/software/S0174; reference:url,https://github.com/SpiderLabs/Responder; metadata:created_at 2026_05_26, updated_at 2026_05_26, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3321492; rev:5; classtype:credential-theft;)