Detect Reversible Encryption in Elastic Security
Adversaries may enable the AllowReversiblePasswordEncryption property on Active Directory user accounts to gain access to plaintext credentials. When enabled, Active Directory stores user passwords in a reversibly encrypted form (G$RADIUSCHAP in userParameters) rather than as one-way hashes. An adversary with SYSTEM access can decrypt these passwords using four components from AD user structures and LSA secrets. Adversaries can set this via PowerShell (Set-ADUser -AllowReversiblePasswordEncryption $true), Local Group Policy, or Fine-Grained Password Policy (FGPP) if Domain Functional Level is Windows Server 2008+.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.005 Reversible Encryption
- Canonical reference
- https://attack.mitre.org/techniques/T1556/005/
Elastic Detection Query
sequence by host.name with maxspan=5m
[process where event.type == "start"
and process.name in~ ("powershell.exe", "pwsh.exe")
and (
process.args : "*AllowReversiblePasswordEncryption*"
or process.args : "*ENCRYPTED_TEXT_PASSWORD_ALLOWED*"
or process.command_line : "*Set-ADUser*"
or process.command_line : "*Set-ADDefaultDomainPasswordPolicy*"
or process.command_line : "*New-ADFineGrainedPasswordPolicy*"
)
and process.command_line : ("*$true*", "*true*", "* 1 *", "*enable*")]
OR
[any where event.code == "4738"
and winlog.event_data.UserAccountControl : "*ENCRYPTED_TEXT_PASSWORD_ALLOWED*"]Detects enabling of reversible password encryption on Active Directory accounts via Windows Security Event 4738 (User Account Changed) with the ENCRYPTED_TEXT_PASSWORD_ALLOWED flag, or via PowerShell cmdlets used to modify AD user or password policy attributes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate RADIUS/IAS deployments that require reversible encryption for MS-CHAPv2 authentication protocols
- Administrative password policy audits or compliance tooling that reads or evaluates AllowReversiblePasswordEncryption settings
- Automated onboarding scripts that intentionally configure reversible encryption for legacy application compatibility
Other platforms for T1556.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enable Reversible Password Encryption on a Test Account
Expected signal: Security Event ID 4738: User Account Changed for testuser_atomic, with UserAccountControl value showing ENCRYPTED_TEXT_PASSWORD_ALLOWED. PowerShell ScriptBlock Log Event ID 4104 with the Set-ADUser command. Sysmon Event ID 1 for powershell.exe with AllowReversiblePasswordEncryption in CommandLine.
- Test 2Audit Accounts with Reversible Encryption Enabled
Expected signal: PowerShell ScriptBlock Log Event ID 4104 with the Get-ADUser filter query. Active Directory query events. Security Event ID 4662 for directory object access on enumerated user objects.
- Test 3Set Reversible Encryption via Fine-Grained Password Policy
Expected signal: Security Event ID 4738/5136 (DS Object Modified): Fine-Grained Password Policy object creation with msDS-PasswordReversibleEncryptionEnabled attribute set. PowerShell ScriptBlock Log Event ID 4104 with New-ADFineGrainedPasswordPolicy.
References (5)
- https://attack.mitre.org/techniques/T1556/005/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- https://adsecurity.org/?p=2053
- http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.005/T1556.005.md
Unlock Pro Content
Get the full detection package for T1556.005 including response playbook, investigation guide, and atomic red team tests.