NTLM Hash Leak Via Curl NTLM Authentication
Detects the use of curl with NTLM authentication and empty credentials (-u :), which can be abused to leak the currently logged-in user's NTLMv2 challenge-response to an attacker-controlled server, enabling offline cracking or relay attacks. When no credentials are provided, the Microsoft-shipped curl passes a NULL identity to Windows SSPI, which automatically falls back to the current user's logon session credentials stored in LSASS — without requiring a plaintext password. This behavior is exclusive to the curl binary shipped by Microsoft (available since Windows 10 / Windows Server 2019), which is built with SSPI support.
Sigma rule (View on GitHub)
1title: NTLM Hash Leak Via Curl NTLM Authentication
2id: 916eb839-895e-47f8-99ee-3008bf377a3e
3status: test
4description: |
5 Detects the use of curl with NTLM authentication and empty credentials (-u :), which can be abused to leak the currently logged-in user's NTLMv2 challenge-response to an
6 attacker-controlled server, enabling offline cracking or relay attacks.
7 When no credentials are provided, the Microsoft-shipped curl passes a NULL identity to Windows SSPI, which automatically falls back to the current user's logon session credentials
8 stored in LSASS — without requiring a plaintext password.
9 This behavior is exclusive to the curl binary shipped by Microsoft (available since Windows 10 / Windows Server 2019), which is built with SSPI support.
10references:
11 - https://github.com/curl/curl/blob/master/lib/vauth/ntlm_sspi.c#L128-L140
12 - https://learn.microsoft.com/en-us/windows/win32/secauthn/acquirecredentialshandle--ntlm
13 - https://curl.se/docs/manpage.html#--ntlm
14author: Swachchhanda Shrawan Poudel (Nextron Systems)
15date: 2026-06-04
16tags:
17 - attack.credential-access
18 - attack.t1187
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_img:
24 - Image|endswith: '\curl.exe'
25 - OriginalFileName: 'curl.exe'
26 selection_ntlm_flag:
27 CommandLine|contains: '--ntlm'
28 selection_empty_creds:
29 CommandLine|re: '(?i)\s(-u|--user)\s*:'
30 condition: all of selection_*
31falsepositives:
32 - Should be very rare as it's not widely known or used, but could occur in legitimate use cases where curl is used with NTLM authentication and empty credentials, such as in certain scripts or automation tasks.
33level: high
34regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_ntlm_hash_leak_attempt/info.yml
References
Related rules
- Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
- Potential PetitPotam Attack Via EFS RPC Calls
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network