Windows LSA Secrets NoLMhash Registry

Splunk Security Content

Summary
This detection rule monitors modifications to the Local Security Authority (LSA) NoLMHash registry setting on Windows systems. When the registry value is set to 0, the system is configured to store passwords using the weaker LAN Manager (LM) hash format. The rule uses Sysmon event data and alerts on any change to the LSA NoLMHash value, which may indicate an attempt to weaken password storage. If malicious, falling back to the weaker hash format can lead to unauthorized credential access and further compromise of the system. This analytic highlights the importance of monitoring registry changes to maintain strong endpoint security.
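As an added example (not the Splunk Security Content rule's own search logic), the check below applies the rule's idea to a few constructed Sysmon Event ID 13 (registry value set) records: every value-set event on the LSA NoLMHash key is reported, and a write of 0 is flagged as weakening password storage. Field names mirror Sysmon's RegistryEvent output; the hosts, images and values are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# The value the rule watches: NoLMHash = 0 means LM hashes are stored again.
NOLMHASH_PATH_RE = re.compile(r"\\Control\\Lsa\\NoLMHash$", re.IGNORECASE)

# Constructed Sysmon registry events reduced to the fields the check needs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Computer": "ws01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash",
     "Details": "DWORD (0x00000000)"},                       # set to 0: weakened
    {"EventID": "13", "Computer": "ws02", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash",
     "Details": "DWORD (0x00000001)"},                       # set to 1: still a change
    {"EventID": "13", "Computer": "ws03", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
     "Details": "DWORD (0x00000000)"},                       # different value: ignored
    {"EventID": "12", "Computer": "ws04", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash",
     "Details": ""},                                         # key create/delete, no data
]


def parse_dword(details: str) -> Optional[int]:
    """Extract the integer from a Sysmon 'DWORD (0x...)' Details string."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def triage(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert record for a NoLMHash value-set event, else None."""
    if event.get("EventID") != "13":            # only value-set events carry data
        return None
    if not NOLMHASH_PATH_RE.search(event.get("TargetObject", "")):
        return None
    value = parse_dword(event.get("Details", ""))
    return {
        "host": event.get("Computer"),
        "image": event.get("Image"),
        "value": value,
        "weakened": value == 0,                 # 0 re-enables LM hash storage
    }


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply triage() to a batch of events, keeping only matches."""
    return [a for a in (triage(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```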
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Script
ATT&CK Techniques
  • T1003.004
Created: 2025-01-21