id: lm-hash-storage-enabled

info:
  name: LM Hash Storage Enabled
  author: princechaddha
  severity: high
  description: Checks if LM hashes are stored, which is an insecure practice.
  impact: |
    Storing LM hashes can lead to easier password cracking due to the weak nature of the LM hashing algorithm.
  remediation: |
    Disable LM hash storage by setting the NoLMHash registry key to prevent storing weak LM hashes.
  tags: windows,hashing,security,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'NoLMHash'

    matchers:
      - type: word
        words:
          - "NoLmHash     : 0"
# digest: 4b0a00483046022100c1c6267c5c6ba4bdcd4a1ed653dac27a7e3003e25352290e55acbac75ca5c7790221009f572500b4ebd0199f9e38f655aac11ca239021f712198311bb2475c649b9dca:922c64590222798bb761d5b6d8e72950