Enable LM Hash Storage

calendar Oct 23, 2025 · attack.persistence attack.defense-evasion attack.t1112  ·
Share on: linkedin copy

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Sigma rule (View on GitHub)

 1title: Enable LM Hash Storage
 2id: c420410f-c2d8-4010-856b-dffe21866437
 3related:
 4    - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
 5      type: similar
 6status: test
 7description: |
 8    Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
 9    By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.    
10references:
11    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
12    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
13    - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023-12-15
16tags:
17    - attack.persistence
18    - attack.defense-evasion
19    - attack.t1112
20logsource:
21    product: windows
22    category: registry_set
23detection:
24    selection:
25        TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
26        Details: 'DWORD (0x00000000)'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top