diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout
new file mode 100644
index 0000000000..054c38f738
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout
@@ -0,0 +1 @@
+\xebr\x96\x86\xfc\xaa\xcf\xad\xb14\x18\xfaIG`\xde
diff --git a/testing/btest/Traces/smb/raw_ntlm_in_smb.pcap b/testing/btest/Traces/smb/raw_ntlm_in_smb.pcap
new file mode 100644
index 0000000000..8a40175db4
Binary files /dev/null and b/testing/btest/Traces/smb/raw_ntlm_in_smb.pcap differ
diff --git a/testing/btest/scripts/base/protocols/smb/raw-ntlm.test b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test
new file mode 100644
index 0000000000..6e09ef7ded
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test
@@ -0,0 +1,14 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/raw_ntlm_in_smb.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ntlm
+@load policy/protocols/smb
+
+# Just verify that the session key is grabbed correctly from NTLM 
+# carried raw over SMB.
+
+event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
+	{
+	if ( request?$session_key )
+		print request$session_key;
+	}
\ No newline at end of file