
Summary
This detection rule monitors changes to the 'NoLMHash' registry value on Windows systems. 'NoLMHash' is a DWORD value under the key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' and backs the security policy "Network security: Do not store LAN Manager hash value on next password change". It controls whether Windows stores LAN Manager (LM) password hashes in Active Directory and in the local Security Accounts Manager (SAM) database. A value of '1' (the default on supported versions of Windows) prevents LM hashes from being stored; a value of '0' re-enables them. LM hashes are far weaker than NT hashes: the password is upper-cased, padded to 14 characters and split into two 7-character halves that are each used as a DES key, so each half can be cracked independently and precomputed (rainbow) tables recover most passwords quickly. This rule alerts when a process sets 'NoLMHash' to '0', which indicates a deliberate or accidental downgrade of the host's security posture and is a common precursor to credential theft. Organizations should keep this value at '1'. Note that setting it back to '1' does not purge LM hashes that were already stored; they are only removed when each affected account next changes its password, so affected accounts should be forced through a password change after remediation. When tuning this rule, consider that registry telemetry may report the path under a numbered control set (for example 'ControlSet001') rather than 'CurrentControlSet', and that the event source (Sysmon Event ID 13, or Security event 4657 with object auditing enabled on the key) determines the field names and value formatting.
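The rule logic above, expressed as an added Python example run over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records. This is illustrative code, not the rule engine's or Sysmon's own implementation; it assumes the Sysmon field names TargetObject, Details, Image and User, that Sysmon renders DWORD values as 'DWORD (0x00000000)', and it also accepts plain integer strings for feeds that format values differently. The sample events are constructed and not real telemetry.

```python
"""NoLMHash downgrade detection over constructed Sysmon Event ID 13 records (added example)."""
import re

# Constructed Sysmon Event ID 13 records (field names follow Sysmon's schema; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": "CORP\\alice",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash",
     "Details": "DWORD (0x00000000)"},                      # downgrade to 0: alert
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash",
     "Details": "DWORD (0x00000001)"},                      # set to 1 (hardening): no alert
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": "CORP\\bob",
     "TargetObject": r"HKLM\System\ControlSet001\Control\Lsa\NoLMHash",
     "Details": "DWORD (0x00000000)"},                      # same value via a numbered control set: alert
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": "CORP\\bob",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
     "Details": "DWORD (0x00000000)"},                      # different value under Lsa: out of scope
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe", "User": "CORP\\alice",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash",
     "EventType": "DeleteValue"},                           # not a value-set event: ignored by this rule
]

# Match NoLMHash under CurrentControlSet or any numbered control set (ControlSet001, ...).
# The pattern is anchored on the tail of the path so both "HKLM\System\..." (Sysmon) and
# "\REGISTRY\MACHINE\SYSTEM\..." (Security event 4657) forms match.
NOLMHASH_RE = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\Lsa\\NoLMHash$",
    re.IGNORECASE,
)

# Assumed Sysmon rendering of a DWORD in the Details field, e.g. "DWORD (0x00000000)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{1,8})\)$")


def parse_dword(details):
    """Return the integer encoded in a Details field, or None if it is not an integer value.

    Handles Sysmon's "DWORD (0x...)" form and plain decimal/hex strings; anything else
    (binary blobs, strings) yields None so the rule cannot misfire on non-numeric data.
    """
    text = (details or "").strip()
    m = DWORD_RE.match(text)
    if m:
        return int(m.group(1), 16)
    try:
        return int(text, 0)
    except ValueError:
        return None


def is_nolmhash_downgrade(event):
    """True when a value-set event writes 0 to ...\\Control\\Lsa\\NoLMHash."""
    if event.get("EventID") != 13:
        return False
    if not NOLMHASH_RE.search(event.get("TargetObject", "")):
        return False
    return parse_dword(event.get("Details")) == 0


def run_rule(events):
    """Evaluate the rule over an iterable of events; return one alert dict per match."""
    alerts = []
    for ev in events:
        if is_nolmhash_downgrade(ev):
            alerts.append({
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "target": ev["TargetObject"],
                "message": "NoLMHash set to 0: LM hash storage re-enabled",
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']} via {alert['image']} -> {alert['target']}")
```

Running the block prints two alerts: the regedit.exe write by CORP\alice and the reg.exe write by CORP\bob through ControlSet001. The write of '1' and the LmCompatibilityLevel change produce nothing, and the DeleteValue event is skipped because this rule only covers value-set events; if your environment treats deletion of the value as a downgrade, extend is_nolmhash_downgrade to handle Event ID 12 as well.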
Categories
- Endpoint
- Windows
- Identity Management
Data Sources
- Windows Registry
Created: 2023-12-15