Enable LM Hash Storage

calendar Dec 18, 2023 · attack.defense_evasion attack.t1112  ·
Share on: linkedin copy

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Sigma rule (View on GitHub)

 1title: Enable LM Hash Storage
 2id: c420410f-c2d8-4010-856b-dffe21866437
 3related:
 4    - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
 5      type: similar
 6status: experimental
 7description: |
 8    Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
 9    By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.    
10references:
11    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
12    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
13    - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023/12/15
16tags:
17    - attack.defense_evasion
18    - attack.t1112
19logsource:
20    product: windows
21    category: registry_set
22detection:
23    selection:
24        TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
25        Details: 'DWORD (0x00000000)'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

Related rules

to-top