🐾 - 🔔 HTTP - Suspicious accepted response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv2 response for 🎩 Active Directory credentials capturing 🥷 - T1040 - Suricata Rule 3321412 (pawpatrules)

🐾 - 🔔 HTTP - Suspicious accepted response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv2 response for 🎩 Active Directory credentials capturing 🥷 - T1040

SID: 3321412Rev: 2Enabled113 viewsHistory

FilePAW-PATRULES_LATERAL_MOVEMENT.rules

CreatedFebruary 15, 2025

UpdatedJune 9, 2026

Classificationcredential-theft

alert http any any -> any any (msg:"🐾 - 🔔 HTTP - Suspicious accepted response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv2 response for 🎩 Active Directory credentials capturing 🥷 - T1040"; flow:to_client, stateless; http.protocol; content:"HTTP/1.1"; http.server; content:"Microsoft-IIS"; http.content_type; content:"text/html"; http.stat_code; content:"200"; http.header.raw; content:"WWW-Authenticate: NTLM"; http.content_len; content:"0"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1040/; reference:url,https://attack.mitre.org/software/S0174; reference:url,https://github.com/SpiderLabs/Responder; metadata:created_at 2025_02_15, updated_at 2026_06_09, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3321412; rev:2; classtype:credential-theft;)

References

url	https://attack.mitre.org/techniques/T1040/
url	https://attack.mitre.org/software/S0174
url	https://github.com/SpiderLabs/Responder

Metadata

created at2025_02_15

updated at2026_06_09

signature severityMajor

attack targetClient_Endpoint

affected productWindows_XP_Vista_7_8_10_11_Server_32_64_Bit

mitre tactic idTA0006

mitre tactic nameCredential_Access

mitre technique idT1040

mitre technique nameNetwork_Sniffing

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!