ATTACK AD [PTsecurity] HTTP-to-SMB NTLM Relay attack (SMBv1)

SID: 10005230Rev: 321 views
History
Sourceptrules/open
CreatedJune 24, 2025
UpdatedJune 24, 2025
Classificationattempted-admin
alert smb any any -> any any (msg:"ATTACK AD [PTsecurity] HTTP-to-SMB NTLM Relay attack (SMBv1)"; flow:established, to_server; content:"|FF|SMB|73|"; content:"NTLMSSP|00 03 00 00 00|"; distance:0; content:"|09 00|"; distance:0; within:600; content:"H|00|T|00|T|00|P|00 2F|"; distance:2; within:9; isdataat:200, relative; reference:url, byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10005230; rev:3;)

References

urlbyt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
urlrules.ptsecurity.com

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!