🐾 - 🚨 Deprecated NTLMv2 basic (no SSP) authentication performed [Obsolete Windows πŸͺŸ 10 or prior version] - Possible Responder 🎩 LM downgrade for Net-NTLMv2 hash capturing πŸ₯· - S0174

SID: 3300143Rev: 60 views
Sourcepawpatrules
CreatedAugust 4, 2023
UpdatedFebruary 18, 2024
Classificationcredential-theft
alert tcp any any -> any 445 (msg:"🐾 - 🚨 Deprecated NTLMv2 basic (no SSP) authentication performed [Obsolete Windows πŸͺŸ 10 or prior version] - Possible Responder 🎩 LM downgrade for Net-NTLMv2 hash capturing πŸ₯· - S0174"; flow:to_server, stateless; content:"|ff 53 4d 42 73 00 00 00 00|"; content:"|d4 00 00 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|01 01|"; distance:16; reference:url,https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-039/; reference:url,https://g-laurent.blogspot.com/; reference:url,https://github.com/lgandx/Responder; reference:url,https://attack.mitre.org/software/S0174/; reference:url,https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4; reference:url,https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers; metadata:created_at 2023_08_04, updated_at 2024_02_18; sid:3300143; rev:6; classtype:credential-theft;)

References

urlhttps://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-039/
urlhttps://g-laurent.blogspot.com/
urlhttps://github.com/lgandx/Responder
urlhttps://attack.mitre.org/software/S0174/
urlhttps://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4
urlhttps://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers

Metadata

created at2023_08_04
updated at2024_02_18

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!