Enable LM Hash Storage
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Sigma rule (View on GitHub)
1title: Enable LM Hash Storage
2id: c420410f-c2d8-4010-856b-dffe21866437
3related:
4 - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
5 type: similar
6status: experimental
7description: |
8 Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
9 By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
10references:
11 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
12 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
13 - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023-12-15
16tags:
17 - attack.defense-evasion
18 - attack.t1112
19logsource:
20 product: windows
21 category: registry_set
22detection:
23 selection:
24 TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
25 Details: 'DWORD (0x00000000)'
26 condition: selection
27falsepositives:
28 - Unknown
29level: high
References
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry