Enable LM Hash Storage - ProcCreation

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Sigma rule (View on GitHub)

 1title: Enable LM Hash Storage - ProcCreation
 2id: 98dedfdd-8333-49d4-9f23-d7018cccae53
 3related:
 4    - id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
 5      type: similar
 6status: test
 7description: |
 8    Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
 9    By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.    
10references:
11    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
12    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
13    - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023-12-15
16modified: 2023-12-22
17tags:
18    - attack.defense-evasion
19    - attack.t1112
20logsource:
21    product: windows
22    category: process_creation
23detection:
24    selection:
25        CommandLine|contains|all:
26            - '\System\CurrentControlSet\Control\Lsa'
27            - 'NoLMHash'
28            - ' 0'
29    condition: selection
30falsepositives:
31    - Unknown
32level: high

References

Related rules

to-top