🐾 - 🔔 HTTP - Suspicious accepted WebDAV response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv2 response for 🎩 Active Directory or Windows credentials capturing 🥷 - T1040

SID: 3301124Rev: 202 views
History
Sourcepawpatrules
CreatedJanuary 25, 2024
UpdatedMay 26, 2026
Classificationcredential-theft
alert tcp any 80 -> any any (msg:"🐾 - 🔔 HTTP - Suspicious accepted WebDAV response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv2 response for 🎩 Active Directory or Windows credentials capturing 🥷 - T1040"; flow:to_client, stateless; http.protocol; content:"HTTP/1.1"; http.server; content:"Microsoft-IIS/"; http.content_type; content:"text/html"; http.response_line; content:"HTTP/1.1 200 OK"; http.header.raw; content:"WWW-Authenticate: NTLM"; http.response_body; content:"|2f 70 69 63 74 75 72 65 73 2f 6c 6f 67 6f 2e 6a 70 67 27 20 61 6c 74 3d 27 4c 6f 61 64 69 6e 67 27 20 68 65 69 67 68 74 3d 27 31 27 20 77 69 64 74 68 3d 27 31 27 3e|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1040/; reference:url,https://attack.mitre.org/software/S0174; reference:url,https://github.com/SpiderLabs/Responder; metadata:created_at 2024_01_25, updated_at 2026_05_26, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3301124; rev:20; classtype:credential-theft;)

References

urlhttps://attack.mitre.org/techniques/T1040/
urlhttps://attack.mitre.org/software/S0174
urlhttps://github.com/SpiderLabs/Responder

Metadata

created at2024_01_25
updated at2026_05_26
signature severityMajor
attack targetClient_Endpoint
affected productWindows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre tactic idTA0006
mitre tactic nameCredential_Access
mitre technique idT1040
mitre technique nameNetwork_Sniffing

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!