T1556.005 Reversible Encryption Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ReversibleEncryptionEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4738  // User Account Changed
| extend UserAccountControl = extractjson("$.UserAccountControl", AdditionalInfo)
| where AdditionalInfo has "ENCRYPTED_TEXT_PASSWORD_ALLOWED"
    or AdditionalInfo has "%%2054"  // UserAccountControl flag for reversible encryption
| project TimeGenerated, Computer, TargetUserName, TargetDomainName,
          SubjectUserName, SubjectDomainName, AdditionalInfo;
let PowerShellReversibleEncryption = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "AllowReversiblePasswordEncryption",
    "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    "Set-ADUser",
    "Set-ADDefaultDomainPasswordPolicy",
    "New-ADFineGrainedPasswordPolicy"
  )
| where ProcessCommandLine has_any ("$true", "true", "1", "enable")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union ReversibleEncryptionEvents, PowerShellReversibleEncryption
| sort by TimeGenerated desc, Timestamp desc

high severity high confidence

Data Sources

User Account: User Account Modification Active Directory: Active Directory Object Modification Command: Command Execution Windows Security Event Log

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

Legitimate legacy application requirements — some old RADIUS/802.1x implementations require reversible encryption for MS-CHAP authentication; these should be documented
Help desk or IT admin enabling reversible encryption per application support request — verify against approved change tickets
Automated provisioning scripts that set reversible encryption for specific service accounts used with RADIUS
Domain migrations or password synchronization tools that temporarily enable reversible encryption

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4738
| rex field=_raw "(?i)AllowReversiblePasswordEncryption\s*:\s*(?<ReversibleEnabled>\S+)"
| rex field=_raw "\%\%(?<UAC_Flag>2054|2056)"
| where isnotnull(ReversibleEnabled) OR isnotnull(UAC_Flag)
| eval ReversibleSet=if(isnotnull(UAC_Flag) AND UAC_Flag="2054", "ENABLED", "CHECK")
| table _time, host, Target_Account_Name, Target_Domain, Subject_Account_Name, Subject_Domain, ReversibleSet, UAC_Flag
| sort - _time
| append
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
   (CommandLine="*AllowReversiblePasswordEncryption*" OR CommandLine="*ENCRYPTED_TEXT_PASSWORD_ALLOWED*")
   (CommandLine="*true*" OR CommandLine="*\$true*" OR CommandLine="*1*")
  | table _time, host, Image, CommandLine, User]

high severity high confidence

Data Sources

User Account: User Account Modification Windows Security Event Log Sysmon Event ID 4738 Sysmon Event ID 1

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Documented RADIUS/CHAP service accounts where reversible encryption is a known requirement
Domain administration tools that enumerate UAC flags as part of routine auditing
Identity governance tools scanning for accounts with insecure settings
PowerShell scripts auditing for accounts with reversible encryption already enabled (read-only operations)

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start"
   and process.name in~ ("powershell.exe", "pwsh.exe")
   and (
     process.args : "*AllowReversiblePasswordEncryption*"
     or process.args : "*ENCRYPTED_TEXT_PASSWORD_ALLOWED*"
     or process.command_line : "*Set-ADUser*"
     or process.command_line : "*Set-ADDefaultDomainPasswordPolicy*"
     or process.command_line : "*New-ADFineGrainedPasswordPolicy*"
   )
   and process.command_line : ("*$true*", "*true*", "* 1 *", "*enable*")]
OR
  [any where event.code == "4738"
   and winlog.event_data.UserAccountControl : "*ENCRYPTED_TEXT_PASSWORD_ALLOWED*"]

high severity high confidence

Data Sources

Windows Security Event Log Sysmon Elastic Agent (Windows)

Required Tables

logs-system.security* logs-windows.sysmon_operational* winlogbeat-*

False Positives

Legitimate RADIUS/IAS deployments that require reversible encryption for MS-CHAPv2 authentication protocols
Administrative password policy audits or compliance tooling that reads or evaluates AllowReversiblePasswordEncryption settings
Automated onboarding scripts that intentionally configure reversible encryption for legacy application compatibility

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  QIDNAME(qid) AS event_name,
  "Account Name" AS target_account,
  "Account Domain" AS target_domain,
  "Caller User Name" AS subject_account,
  UTF8(payload) AS raw_payload
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 12
  AND eventid = 4738
  AND (
    UTF8(payload) ILIKE '%ENCRYPTED_TEXT_PASSWORD_ALLOWED%'
    OR UTF8(payload) ILIKE '%%%2054%'
  )
  AND DATEFORMAT(starttime, 'YYYY-MM-dd') >= DATEFORMAT(NOW() - 86400000, 'YYYY-MM-dd')
UNION
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  QIDNAME(qid) AS event_name,
  'N/A' AS target_account,
  'N/A' AS target_domain,
  username AS subject_account,
  UTF8(payload) AS raw_payload
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (12, 13)
  AND eventid IN (1, 4688)
  AND (
    UTF8(payload) ILIKE '%AllowReversiblePasswordEncryption%'
    OR UTF8(payload) ILIKE '%Set-ADUser%'
    OR UTF8(payload) ILIKE '%Set-ADDefaultDomainPasswordPolicy%'
    OR UTF8(payload) ILIKE '%New-ADFineGrainedPasswordPolicy%'
  )
  AND (
    UTF8(payload) ILIKE '%$true%'
    OR UTF8(payload) ILIKE '%true%'
  )
  AND DATEFORMAT(starttime, 'YYYY-MM-dd') >= DATEFORMAT(NOW() - 86400000, 'YYYY-MM-dd')
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log (DSM) Sysmon DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Network Policy Server (NPS) or RADIUS infrastructure administrators legitimately enabling reversible encryption for MS-CHAPv2 dial-up or VPN authentication
Domain configuration scripts run during new server provisioning that evaluate or set password policy baselines
Scheduled compliance scans that invoke PowerShell AD cmdlets to audit current password policy settings

Sumo Logic CSE

sql

// Detection 1: Security Event 4738 with reversible encryption flag
(_sourceCategory=*windows* OR _sourceCategory=*winlogbeat* OR _sourceCategory=*wineventlog*)
| where EventID = "4738"
| parse regex "(?i)UserAccountControl[^:]*:\s*(?<UAC_Changes>[^\n]+)" nodrop
| parse regex "(?i)AllowReversiblePasswordEncryption\s*:\s*(?<ReversibleEncValue>\S+)" nodrop
| parse regex "%%(?<UAC_Flag>2054|2056)" nodrop
| where !isNull(UAC_Flag) OR !isNull(ReversibleEncValue)
| eval ReversibleEnabled = if(UAC_Flag = "2054", "ENABLED", "REVIEW")
| fields _messagetime, _sourceHost, TargetUserName, TargetDomainName, SubjectUserName, SubjectDomainName, ReversibleEnabled, UAC_Flag, UAC_Changes

// Detection 2: PowerShell cmdlets enabling reversible encryption (union via separate search)
// Run separately and merge results:
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventID = "1" OR EventID = "4688"
| where (Image matches "*powershell.exe" OR Image matches "*pwsh.exe"
         OR NewProcessName matches "*powershell.exe")
| where CommandLine matches "*AllowReversiblePasswordEncryption*"
      OR CommandLine matches "*ENCRYPTED_TEXT_PASSWORD_ALLOWED*"
      OR (CommandLine matches "*Set-ADUser*" AND CommandLine matches "*true*")
      OR (CommandLine matches "*Set-ADDefaultDomainPasswordPolicy*" AND CommandLine matches "*true*")
      OR (CommandLine matches "*New-ADFineGrainedPasswordPolicy*" AND CommandLine matches "*true*")
| fields _messagetime, _sourceHost, User, Image, CommandLine

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon Operational Log Sumo Logic Installed Collector (Windows)

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*wineventlog*

False Positives

RADIUS or NPS server configurations that require reversible encryption to support MS-CHAPv2 authentication for wireless or VPN endpoints
IT automation or configuration management tools (Ansible, DSC) running PowerShell to apply or validate AD password policy templates
Security auditing tools that enumerate AD objects and their UserAccountControl flags as part of routine compliance checks

Google Chronicle / SecOps

yaral

rule t1556_005_reversible_encryption_ad {
  meta:
    author = "Detection Engineering"
    description = "Detects enabling of AllowReversiblePasswordEncryption on AD accounts via Security Event 4738 or PowerShell AD cmdlets — T1556.005"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.005"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      // Branch 1: Windows Security Event 4738 with reversible encryption UAC flag
      $e1.metadata.event_type = "USER_CHANGE"
      and $e1.metadata.product_event_type = "4738"
      and (
        re.regex($e1.target.resource.attribute.labels["UserAccountControl"], `(?i)ENCRYPTED_TEXT_PASSWORD_ALLOWED`)
        or re.regex($e1.metadata.description, `%%2054`)
        or re.regex($e1.metadata.description, `(?i)ENCRYPTED_TEXT_PASSWORD_ALLOWED`)
      )
    )
    or
    (
      // Branch 2: PowerShell process invoking AD reversible encryption cmdlets
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        or re.regex($e1.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
      )
      and re.regex($e1.target.process.command_line, `(?i)(AllowReversiblePasswordEncryption|ENCRYPTED_TEXT_PASSWORD_ALLOWED|Set-ADDefaultDomainPasswordPolicy|New-ADFineGrainedPasswordPolicy)`)
      and re.regex($e1.target.process.command_line, `(?i)(\$true|\btrue\b|\s1\s|enable)`)
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Windows Event Log (via Chronicle Forwarder) Sysmon (via Chronicle Forwarder) Microsoft Active Directory logs

Required Tables

UDM Events (USER_CHANGE, PROCESS_LAUNCH)

False Positives

RADIUS/NPS infrastructure changes where administrators intentionally enable reversible encryption to support legacy MS-CHAPv2 VPN or 802.1x wireless authentication
Domain administrator scripts that configure Fine-Grained Password Policies (FGPP) for specific OUs where reversible encryption is a documented business requirement
Privileged Access Workstation (PAW) configuration automation that evaluates and reports AllowReversiblePasswordEncryption states across all domain accounts

CrowdStrike LogScale (CQL)

cql

// Detection 1: PowerShell enabling reversible encryption via process events
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|pwsh)\.exe$/
| CommandLine = /(?i)(AllowReversiblePasswordEncryption|ENCRYPTED_TEXT_PASSWORD_ALLOWED|Set-ADDefaultDomainPasswordPolicy|New-ADFineGrainedPasswordPolicy)/
| CommandLine = /(?i)(\$true|\btrue\b|enable)/
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ProcessStartTime, ParentProcessId, TargetProcessId])
| sort(field=@timestamp, order=desc)

// Detection 2: Script block logging for reversible encryption (run separately)
#event_simpleName = "ScriptControlScanTelemetry"
| ScriptContent = /(?i)(AllowReversiblePasswordEncryption|ENCRYPTED_TEXT_PASSWORD_ALLOWED)/
| ScriptContent = /(?i)(\$true|\btrue\b|Set-ADUser|Set-ADDefaultDomainPasswordPolicy)/
| select([@timestamp, ComputerName, UserName, ScriptContent, SHA256HashData])
| sort(field=@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) CrowdStrike Script Control Telemetry Falcon Event Stream

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=ScriptControlScanTelemetry

False Positives

Legitimate IT automation running PowerShell AD cmdlets as part of user provisioning pipelines where reversible encryption is required for a specific application integration
Security assessment tooling such as PingCastle or Purple Knight that enumerates AllowReversiblePasswordEncryption settings across the domain during AD health audits
Domain Group Policy or DSC (Desired State Configuration) management scripts that evaluate current password policy posture and log or report reversible encryption states

Reversible Encryption

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections