Enable LM Hash Storage - ProcCreation
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Sigma rule
title: Enable LM Hash Storage - ProcCreation
id: 98dedfdd-8333-49d4-9f23-d7018cccae53
related:
    - id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
      type: similar
status: test
description: |
    Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
    By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
    - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
modified: 2023-12-22
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control\Lsa'
            - 'NoLMHash'
            - ' 0'
    condition: selection
falsepositives:
    - Unknown
level: high
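The rule's selection applied to constructed command lines, as an added example that is not part of the Sigma rule or the Sigma project. It shows that the `' 0'` token is a plain substring match, so a command that writes a non-zero value such as `0x1` still produces a hit. The helper names, the value-parsing regex and the sample command lines are assumptions made for illustration.

```python
import re

# Substrings from the rule's selection (CommandLine|contains|all).
SELECTION = (r"\System\CurrentControlSet\Control\Lsa", "NoLMHash", " 0")

# Assumed triage helper: data argument of reg.exe (/d) or of
# Set-ItemProperty / New-ItemProperty (-Value), decimal or 0x-prefixed hex.
VALUE_ARG = re.compile(r"(?:/d|-value)\s+[\"']?(0x[0-9a-f]+|\d+)", re.IGNORECASE)


def matches_selection(command_line: str) -> bool:
    """Sigma 'contains|all': every substring present, case-insensitively."""
    lowered = command_line.lower()
    return all(token.lower() in lowered for token in SELECTION)


def written_value(command_line: str):
    """Return the integer being written, or None if no data argument is found."""
    match = VALUE_ARG.search(command_line)
    if match is None:
        return None
    raw = match.group(1).lower()
    return int(raw, 16) if raw.startswith("0x") else int(raw, 10)


def triage(command_line: str) -> str:
    """Classify a command line: rule hit or not, and what value it writes."""
    if not matches_selection(command_line):
        return "no-hit"
    value = written_value(command_line)
    if value is None:
        return "hit: value not parsed, review manually"
    if value == 0:
        return "hit: enables LM hash storage"
    return "hit: likely false positive (non-zero value)"


# Constructed process-creation command lines (not taken from real telemetry).
SAMPLES = [
    r'reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 0 /f',
    r'powershell -c "Set-ItemProperty -Path hklm:\system\currentcontrolset\control\lsa -Name nolmhash -Value 0"',
    r'reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 1 /f',
    r'reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 0x1 /f',
    r'reg query "HKLM\System\CurrentControlSet\Control\Lsa" /v NoLMHash',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{triage(sample):45} {sample}")
```
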
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird