Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Microsoft SharePoint WebControls AdRotator NTLM relay attempt

Rule Explanation

This rule looks for creation of an ASPX SharePoint site abusing AdRotator via a CopyIntoItems SOAP request.

What To Look For

This rule alerts on an NTLM relay attempt in Microsoft SharePoint WebControls System.Web.UI.WebControls.AdRotator.

Known Usage

No public information

False Positives

No known false positives


Cisco Talos Intelligence Group

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Privilege Escalation::Exploitation for Privilege Escalation

MITRE::ATT&CK Framework::Enterprise::Discovery::Account Discovery::Domain Account



Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.