/
windows_lsa_secrets_nolmhash_registry.yml
76 lines (76 loc) · 3.21 KB
/
windows_lsa_secrets_nolmhash_registry.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
name: Windows LSA Secrets NoLMhash Registry
id: 48cc1605-538c-4223-8382-e36bee5b540d
version: 1
date: '2023-12-15'
author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies a modification in the Windows registry related to the Local Security Authority (LSA) in Windows.
This registry value is used to determine whether the system should store passwords in the weaker Lan Manager (LM) hash format.
Setting it to 0 disables this feature, meaning LM hashes will be stored.
Modifying these settings should be done carefully and with a clear understanding of the impact it might have on system security and functionality.
This command is often used in security configurations to enforce stronger password storage methods and prevent the storage of weaker LM hashes,
which are more susceptible to certain types of attacks.
This TTP detection can be a good indicator of any process or user that tries to modify the LSA security configuration.
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash"
Registry.registry_value_data = 0x00000000)
BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_lsa_secrets_nolmhash_registry_filter`'
how_to_implement: To successfully implement this search, you must be ingesting data
that records registry activity from your hosts to populate the endpoint data model
in the registry node. This is typically populated via endpoint detection-and-response
product, such as Carbon Black or endpoint data sources, such as Sysmon. The data
used for this search is typically generated via logs that report reads and writes
to the registry.
known_false_positives: Administrator may change this registry setting.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
tags:
analytic_story:
- CISA AA23-347A
asset_type: Endpoint
confidence: 80
impact: 80
message: Windows LSA Secrets NoLMhash Registry on $dest$ by $user$.
mitre_attack_id:
- T1003.004
observable:
- name: dest
type: Endpoint
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 64
required_fields:
- _time
- Registry.registry_path
- Registry.registry_key_name
- Registry.registry_value_name
- Registry.registry_key_name
- Registry.user
- Registry.dest
- Registry.action
- Registry.registry_value_data
- Registry.process_guid
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog