🐾 - 🔔 SMBv1 - Suspicious session setup response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv1 response for 🎩 Active Directory or Windows credentials capturing 🥷 - T1040

SID: 3321492
Rev: 5
Source: pawpatrules
Created: May 26, 2026
Updated: May 26, 2026
Classification: credential-theft
alert tcp any 445 -> any any (msg:"🐾 - 🔔 SMBv1 - Suspicious session setup response for NTLMSSP_CHALLENGE 🪟 Possible Responder NTLMv1 response for 🎩 Active Directory or Windows credentials capturing 🥷 - T1040"; flow:to_client, stateless; content:"|ff 53 4d 42|"; content:"|73|"; distance:0; content:"|16 00 00 c0|"; content:"|88|"; distance:0; content:"|01 c8|"; distance:0; content:"|00 00|"; distance:0; content:"|9a 00 9a 00 40 00 00 00|"; content:"|4e 54 4c 4d 53 53 50 00 02 00 00 00|"; content:"|15 82 89 e2|"; content:"|05 02 ce 0e 00 00 00 0f|"; fast_pattern; content:"|00 00 00|"; endswith; reference:url,https://attack.mitre.org/techniques/T1040/; reference:url,https://attack.mitre.org/software/S0174; reference:url,https://github.com/SpiderLabs/Responder; metadata:created_at 2026_05_26, updated_at 2026_05_26, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3321492; rev:5; classtype:credential-theft;)
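To see what each |hex| content in the rule keys on and how the `distance:0` and `endswith` modifiers chain them, here is an added Python example. It is not pawpatrules code and not part of Responder or Suricata: it emulates the rule's ordered content matching (a simplified backtracking matcher, not the real engine) over a constructed SMBv1 Session Setup AndX response that carries an NTLMSSP CHALLENGE, and decodes the NTLMSSP fields an analyst would want when triaging a hit. The packet layout, host names, challenge bytes, and the placement of the `9a 00 9a 00 40 00 00 00` bytes as the TargetInfo length/offset fields are assumptions made for this example; the input is the TCP payload of the server-to-client segment on port 445, including the 4-byte NetBIOS session header.

```python
"""Added example (not pawpatrules code): emulate SID 3321492's ordered byte matching over a
constructed SMBv1 Session Setup AndX response carrying an NTLMSSP CHALLENGE, and decode the
fields the rule keys on. All packet contents, names and challenge bytes are constructed."""
import struct

# Rule contents in order: (pattern, relative to previous match, must end the buffer).
# No distance => searched from payload start; distance:0 => at/after the previous match end.
RULE_CONTENTS = [
    (b"\xffSMB", False, False),                           # SMBv1 header magic
    (b"\x73", True, False),                               # SMB_COM_SESSION_SETUP_ANDX
    (b"\x16\x00\x00\xc0", False, False),                  # NT status 0xC0000016 STATUS_MORE_PROCESSING_REQUIRED
    (b"\x88", True, False),                               # Flags: reply | case-insensitive
    (b"\x01\xc8", True, False),                           # Flags2: unicode | NT status | ext. security | long names
    (b"\x00\x00", True, False),                           # PIDHigh
    (b"\x9a\x00\x9a\x00\x40\x00\x00\x00", False, False),  # TargetInfo len/maxlen 0x9a, offset 0x40 (assumed placement)
    (b"NTLMSSP\x00\x02\x00\x00\x00", False, False),       # NTLMSSP signature + MessageType 2 (CHALLENGE)
    (b"\x15\x82\x89\xe2", False, False),                  # NegotiateFlags 0xE2898215
    (b"\x05\x02\xce\x0e\x00\x00\x00\x0f", False, False),  # Version 5.2 build 3790, NTLMSSP rev 15 (fast_pattern)
    (b"\x00\x00\x00", False, True),                       # endswith: payload must end with three NUL bytes
]


def rule_matches(payload, steps=RULE_CONTENTS, idx=0, pos=0):
    """Backtracking emulation (simplified) of Suricata's ordered content matching for this rule."""
    if idx == len(steps):
        return True
    pat, relative, endswith = steps[idx]
    if endswith:                                          # last step of this rule: anchor to buffer end
        return payload.endswith(pat)
    start = pos if relative else 0
    while (found := payload.find(pat, start)) >= 0:
        if rule_matches(payload, steps, idx + 1, found + len(pat)):
            return True
        start = found + 1                                 # retry this content at a later offset
    return False


def _av_pair(av_id, value):
    return struct.pack("<HH", av_id, len(value)) + value


def build_ntlm_challenge(version=b"\x05\x02\xce\x0e\x00\x00\x00\x0f"):
    """Constructed NTLMSSP CHALLENGE_MESSAGE ([MS-NLMP] 2.2.1.2); names and challenge are made up.
    The AV pairs are sized so TargetInfo is exactly 0x9a bytes at offset 0x40, as the rule expects."""
    u = lambda s: s.encode("utf-16-le")
    target_name = u("CORP")                                # 8 bytes at offset 56 -> TargetInfo at 64
    target_info = b"".join([
        _av_pair(2, u("CORP")),                            # MsvAvNbDomainName
        _av_pair(1, u("FILESERVER01")),                    # MsvAvNbComputerName
        _av_pair(4, u("corp.local")),                      # MsvAvDnsDomainName
        _av_pair(3, u("fileserver01.corp.local")),         # MsvAvDnsComputerName
        _av_pair(5, u("corp.local")),                      # MsvAvDnsTreeName
        _av_pair(7, b"\x00" * 8),                          # MsvAvTimestamp (zeroed)
        _av_pair(0, b""),                                  # MsvAvEOL
    ])
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), 56)
    msg += b"\x15\x82\x89\xe2"                             # NegotiateFlags as the rule expects
    msg += b"\x11\x22\x33\x44\x55\x66\x77\x88"             # ServerChallenge (fixed, constructed)
    msg += b"\x00" * 8                                     # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target_name))
    return msg + version + target_name + target_info


def build_session_setup_response(blob):
    """Constructed SMBv1 Session Setup AndX response (server -> client) over direct TCP/445."""
    hdr = b"\xffSMB\x73" + struct.pack("<I", 0xC0000016)   # magic, command, NT status
    hdr += b"\x88" + struct.pack("<H", 0xC801)              # Flags, Flags2
    hdr += b"\x00" * 12                                     # PIDHigh, SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", 0, 0xFEFF, 0x0800, 1)       # TID, PIDLow, UID, MID
    params = b"\x04\xff\x00" + struct.pack("<HHH", 0, 0, len(blob))  # WordCount, AndX, Action, SecurityBlobLength
    smb = hdr + params + struct.pack("<H", len(blob)) + blob  # ByteCount + security blob
    return struct.pack(">I", len(smb)) + smb                # NetBIOS session header (type 0, 3-byte length)


def decode_challenge_fields(payload):
    """Pull the NTLMSSP fields the rule keys on, for triage of a hit; {} if no CHALLENGE present."""
    i = payload.find(b"NTLMSSP\x00\x02\x00\x00\x00")
    if i < 0:
        return {}
    msg = payload[i:]
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags, = struct.unpack_from("<I", msg, 20)
    build, = struct.unpack_from("<H", msg, 50)
    return {
        "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "server_challenge": msg[24:32].hex(),
        "negotiate_flags": f"0x{flags:08x}",
        "version": f"{msg[48]}.{msg[49]} build {build} (rev {msg[55]})",
    }


if __name__ == "__main__":
    hit = build_session_setup_response(build_ntlm_challenge())
    print("rule matches:", rule_matches(hit), decode_challenge_fields(hit))
    # False-positive check: a challenge with a Windows 10-style version field (constructed) is not flagged.
    benign = build_session_setup_response(build_ntlm_challenge(version=b"\x0a\x00\x61\x4a\x00\x00\x00\x0f"))
    print("rule matches:", rule_matches(benign), decode_challenge_fields(benign)["version"])
```

The `fast_pattern` content is the NTLMSSP Version field (5.2, build 3790, revision 15), so the rule's specificity rests on that value together with the fixed NegotiateFlags; a challenge that reports a different OS version, as the second packet in the demo does, passes through untouched, which is worth remembering when a hit on this SID is being weighed against the surrounding SMB session.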

Metadata

created_at: 2026_05_26
updated_at: 2026_05_26
signature_severity: Major
attack_target: Client_Endpoint
affected_product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre_tactic_id: TA0006
mitre_tactic_name: Credential_Access
mitre_technique_id: T1040
mitre_technique_name: Network_Sniffing
