T1556.005 Google Chronicle · YARA-L

Detect Reversible Encryption in Google Chronicle

Adversaries may enable the AllowReversiblePasswordEncryption property on Active Directory user accounts to gain access to plaintext credentials. When enabled, Active Directory stores user passwords in a reversibly encrypted form (G$RADIUSCHAP in userParameters) rather than as one-way hashes. An adversary with SYSTEM access can decrypt these passwords using four components from AD user structures and LSA secrets. Adversaries can set this via PowerShell (Set-ADUser -AllowReversiblePasswordEncryption $true), Local Group Policy, or Fine-Grained Password Policy (FGPP) if Domain Functional Level is Windows Server 2008+.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.005 Reversible Encryption
Canonical reference
https://attack.mitre.org/techniques/T1556/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1556_005_reversible_encryption_ad {
  meta:
    author = "Detection Engineering"
    description = "Detects enabling of AllowReversiblePasswordEncryption on AD accounts via Security Event 4738 or PowerShell AD cmdlets — T1556.005"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.005"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      // Branch 1: Windows Security Event 4738 with reversible encryption UAC flag
      $e1.metadata.event_type = "USER_CHANGE"
      and $e1.metadata.product_event_type = "4738"
      and (
        re.regex($e1.target.resource.attribute.labels["UserAccountControl"], `(?i)ENCRYPTED_TEXT_PASSWORD_ALLOWED`)
        or re.regex($e1.metadata.description, `%%2054`)
        or re.regex($e1.metadata.description, `(?i)ENCRYPTED_TEXT_PASSWORD_ALLOWED`)
      )
    )
    or
    (
      // Branch 2: PowerShell process invoking AD reversible encryption cmdlets
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        or re.regex($e1.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
      )
      and re.regex($e1.target.process.command_line, `(?i)(AllowReversiblePasswordEncryption|ENCRYPTED_TEXT_PASSWORD_ALLOWED|Set-ADDefaultDomainPasswordPolicy|New-ADFineGrainedPasswordPolicy)`)
      and re.regex($e1.target.process.command_line, `(?i)(\$true|\btrue\b|\s1\s|enable)`)
    )

  condition:
    $e1
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting reversible password encryption configuration changes in Active Directory. Covers both Security Event 4738 with ENCRYPTED_TEXT_PASSWORD_ALLOWED UserAccountControl flag and PowerShell-based enablement via Set-ADUser, Set-ADDefaultDomainPasswordPolicy, or New-ADFineGrainedPasswordPolicy cmdlets.

Data Sources

Windows Event Log (via Chronicle Forwarder)Sysmon (via Chronicle Forwarder)Microsoft Active Directory logs

Required Tables

UDM Events (USER_CHANGE, PROCESS_LAUNCH)

False Positives & Tuning

  • RADIUS/NPS infrastructure changes where administrators intentionally enable reversible encryption to support legacy MS-CHAPv2 VPN or 802.1x wireless authentication
  • Domain administrator scripts that configure Fine-Grained Password Policies (FGPP) for specific OUs where reversible encryption is a documented business requirement
  • Privileged Access Workstation (PAW) configuration automation that evaluates and reports AllowReversiblePasswordEncryption states across all domain accounts
Download portable Sigma rule (.yml)

Other platforms for T1556.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enable Reversible Password Encryption on a Test Account

    Expected signal: Security Event ID 4738: User Account Changed for testuser_atomic, with UserAccountControl value showing ENCRYPTED_TEXT_PASSWORD_ALLOWED. PowerShell ScriptBlock Log Event ID 4104 with the Set-ADUser command. Sysmon Event ID 1 for powershell.exe with AllowReversiblePasswordEncryption in CommandLine.

  2. Test 2Audit Accounts with Reversible Encryption Enabled

    Expected signal: PowerShell ScriptBlock Log Event ID 4104 with the Get-ADUser filter query. Active Directory query events. Security Event ID 4662 for directory object access on enumerated user objects.

  3. Test 3Set Reversible Encryption via Fine-Grained Password Policy

    Expected signal: Security Event ID 4738/5136 (DS Object Modified): Fine-Grained Password Policy object creation with msDS-PasswordReversibleEncryptionEnabled attribute set. PowerShell ScriptBlock Log Event ID 4104 with New-ADFineGrainedPasswordPolicy.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1556.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.006Multi-Factor AuthenticationT1556.007Hybrid IdentityT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1003.003NTDST1078.002Domain AccountsT1098.001Additional Cloud CredentialsT1059.001PowerShell

Same Tactic: Credential Access

Popular Detections