alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Windows Microsoft .XRM-MS File / NTLM Information Disclosure"; flow:established,to_client; file.data; content:"<?xml"; startswith; content:"href|3d 22 5c 5c|"; content:"|2f|DRM|2f|rightsManager"; fast_pattern; reference:url,seclists.org/fulldisclosure/2025/May/0; classtype:attempted-user; sid:2062513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2025_05_22, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_22; target:dest_ip;)