
Rule History

SID: 3321492 • Source: pawpatrules

Version Details

Rev: 1 (May 26, 2026, 12:00 PM)

🐾 - 🔔 SMBv1 - Suspicious session setup response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv1 response for 🎩 Active Directory or Windows credentials capturing 🥷 - T1040

# Matches server -> client traffic from TCP/445 (flow:to_client, stateless so a mid-stream capture still fires).
# Content anchors, in order:
#   |ff 53 4d 42 73|  = "\xffSMB" magic followed by command 0x73 (SMB_COM_SESSION_SETUP_ANDX)
#   |16 00 00 c0|     = NT_STATUS 0xC0000016 (STATUS_MORE_PROCESSING_REQUIRED), the status a server returns with an NTLMSSP CHALLENGE
#   |88 01 c8 00 ...| = SMB header Flags 0x88, Flags2 0xc801, PIDHigh 0 and an all-zero SecurityFeatures field
#   |9a 00 9a 00 40 00 00 00| = Len/MaxLen/Offset triplet (0x9a, 0x9a, 0x40), consistent with the NTLMSSP CHALLENGE TargetInfo fields
#   UTF-16LE "Windows 2002 5.1\0" = NativeOS string at the end of the response (fast_pattern, endswith); this is the Windows XP string a Responder instance reports
alert tcp any 445 -> any any (msg:"🐾 - 🔔 SMBv1 - Suspicious session setup response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv1 response for 🎩 Active Directory or Windows credentials capturing 🥷 - T1040"; flow:to_client, stateless; content:"|ff 53 4d 42 73|"; content:"|16 00 00 c0|"; content:"|88 01 c8 00 00 00 00 00 00 00 00 00 00|"; content:"|9a 00 9a 00 40 00 00 00|"; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00 30 00 30 00 32 00 20 00 35 00 2e 00 31 00 00 00|"; fast_pattern; endswith; reference:url,https://attack.mitre.org/techniques/T1040/; reference:url,https://attack.mitre.org/software/S0174; reference:url,https://github.com/SpiderLabs/Responder; metadata:created_at 2026_05_26, updated_at 2026_05_26, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3321492; rev:1; classtype:credential-theft;)

May 26, 2026, 12:00 PM

May 26, 2026, 12:00 PM

May 26, 2026, 8:35 PM

May 26, 2026, 8:35 PM

May 26, 2026, 9:17 PM

rules/PAW-PATRULES_LATERAL_MOVEMENT.rules