
Conversation

@cogResearch

@cogResearch cogResearch commented Nov 11, 2025

Summary of the Pull Request

This Sigma rule detects network-level indicators of NTLM credential theft associated with the use of the Responder tool. The rule is based on deep packet inspection (DPI) and behavioral patterns outlined in the research article https://medium.com/@hx015/responder-tool-footprints-in-ntlm-credential-theft-6f25ec7984d3

Changelog

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
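The PR text above describes a network-level, DPI-based detection of Responder activity but does not show the rule or the indicators it keys on. The following is an added example, not the rule from this PR and not code from the linked article or from SigmaHQ: it takes one well-known Responder behaviour, answering LLMNR name queries that the answering host does not own, and shows how a sensor would detect it from raw UDP/5355 payloads. LLMNR (RFC 4795) reuses the DNS message format, so a small DNS-style parser is enough. All traffic below is constructed inline, the canary name `wpad-canary-x7` and the threshold of three distinct answered names are assumptions, and the 10.0.0.0/24 addresses are illustrative.

```python
"""Added example (not from the PR or the linked article): detect an LLMNR poisoner
such as Responder from raw UDP/5355 payloads. Sample traffic is constructed."""
import struct
from collections import defaultdict

LLMNR_PORT = 5355               # UDP port LLMNR uses for queries and responses
LLMNR_MCAST = "224.0.0.252"     # IPv4 multicast group queries are sent to
# Assumed canary: a name we query on purpose that no legitimate host should answer.
CANARY_NAMES = {"wpad-canary-x7"}


def encode_name(name):
    """DNS-style label encoding: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:  # compression pointers are not produced by the builders below
            raise ValueError("name compression not expected in LLMNR")
        labels.append(buf[off:off + ln].decode())
        off += ln


def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QR=0, one question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid, qname, ip):
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR=1, one answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rr = encode_name(qname) + struct.pack("!HHIH", 1, 1, 30, 4)  # A, IN, TTL 30, 4 bytes
    return header + question + rr + bytes(int(o) for o in ip.split("."))


def parse_llmnr(payload):
    """Parse header, question and A answers; return the fields the detector needs."""
    txid, flags, _qd, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    off = 12
    qname, off = decode_name(payload, off)
    off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, off = decode_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "response": bool(flags & 0x8000), "qname": qname.lower(), "answers": answers}


def detect_llmnr_poisoner(packets, canaries=CANARY_NAMES, threshold=3):
    """packets: iterable of (src_ip, sport, dst_ip, dport, udp_payload).
    Queries go to 224.0.0.252:5355; responses come back unicast from source port 5355.
    A legitimate host only answers for its own name, so one source answering a canary,
    or many distinct names, is the poisoning pattern."""
    answered = defaultdict(set)
    alerts = []
    for src, sport, dst, dport, payload in packets:
        if LLMNR_PORT not in (sport, dport):
            continue
        msg = parse_llmnr(payload)
        if not msg["response"]:
            continue
        answered[src].add(msg["qname"])
        if msg["qname"] in canaries:
            alerts.append({"src": src, "reason": "answered canary name", "names": [msg["qname"]]})
    for src, names in answered.items():
        if len(names) >= threshold:
            alerts.append({"src": src, "reason": "answered many distinct names", "names": sorted(names)})
    return alerts


# Constructed sample: 10.0.0.66 answers everything (poisoner); 10.0.0.21 answers only its own name.
SAMPLE_TRAFFIC = [
    ("10.0.0.11", 51000, LLMNR_MCAST, LLMNR_PORT, build_query(0x1001, "fileserver")),
    ("10.0.0.11", 51001, LLMNR_MCAST, LLMNR_PORT, build_query(0x1002, "wpad-canary-x7")),
    ("10.0.0.66", LLMNR_PORT, "10.0.0.11", 51001, build_response(0x1002, "wpad-canary-x7", "10.0.0.66")),
    ("10.0.0.12", 52000, LLMNR_MCAST, LLMNR_PORT, build_query(0x2001, "printsrv")),
    ("10.0.0.66", LLMNR_PORT, "10.0.0.12", 52000, build_response(0x2001, "printsrv", "10.0.0.66")),
    ("10.0.0.13", 53000, LLMNR_MCAST, LLMNR_PORT, build_query(0x3001, "backup01")),
    ("10.0.0.66", LLMNR_PORT, "10.0.0.13", 53000, build_response(0x3001, "backup01", "10.0.0.66")),
    ("10.0.0.20", 54000, LLMNR_MCAST, LLMNR_PORT, build_query(0x4001, "ws-alice")),
    ("10.0.0.21", LLMNR_PORT, "10.0.0.20", 54000, build_response(0x4001, "ws-alice", "10.0.0.21")),
]

if __name__ == "__main__":
    for alert in detect_llmnr_poisoner(SAMPLE_TRAFFIC):
        print(alert)
```

Two points matter when turning this into a rule: LLMNR responses are unicast to the querying client, so the sensor must sit where it sees the client segment, not only the multicast query; and the canary check is the high-confidence signal, while the distinct-name count is a behavioural heuristic that still needs tuning per environment.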

@github-actions github-actions bot added Rules Review Needed The PR requires review labels Nov 11, 2025

@github-actions github-actions bot left a comment


Welcome @cogResearch 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@nasbench
Member

Hey @cogResearch, can you please provide details on how these types of logs can be collected? We do not have support yet for this type of log, hence we would like to have a detailed explanation of how a user might start collecting this data, or whether any commercial tools support this.

@nasbench nasbench added Author Input Required changes the require information from original author of the rules Additional Data Needed labels Nov 12, 2025
@nasbench
Member

ping @cogResearch

@cogResearch
Author

Hello @nasbench, sorry for not replying earlier and thank you for pointing this out. We are currently reviewing this internally and will follow up with a response that addresses the missing information for the users.
