Techniques
Sample rules
Windows LSA Secrets NoLMhash Registry
- source: splunk
- technicques:
- T1003.004
Description
The following analytic identifies a modification in the Windows registry related to the Local Security Authority (LSA) in Windows. This registry value is used to determine whether the system should store passwords in the weaker Lan Manager (LM) hash format. Setting it to 0 disables this feature, meaning LM hashes will be stored. Modifying these settings should be done carefully and with a clear understanding of the impact it might have on system security and functionality. This command is often used in security configurations to enforce stronger password storage methods and prevent the storage of weaker LM hashes, which are more susceptible to certain types of attacks. This TTP detection can be a good indicator of any process or user that tries to modify the LSA security configuration.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_lsa_secrets_nolmhash_registry_filter`