Identifies RDP clients attempting authentication using Network Level Authentication (NLA) with the NTLM challenge-response protocol. This occurs during the CredSSP negotiation phase before a remote desktop session is established and indicates an active credential authentication attempt against the RDP service

Identifies an HTTPS request targeting the .git/config file within a web-accessible repository directory. Access attempts to /.git/config indicate automated repository exposure scanning intended to retrieve remote origin URLs, repository structure, and potentially credential-bearing configuration data. This is a common reconnaissance technique used to identify misconfigured web servers exposing version control metadata.