title: Reversible Encryption (T1556.005)
id: df00tech-t1556-005
status: experimental
description: "Adversaries may enable the AllowReversiblePasswordEncryption property on Active Directory user accounts to gain access to plaintext credentials. When enabled, Active Directory stores user passwords in a reversibly encrypted form (G$RADIUSCHAP in userParameters) rather than as one-way hashes. An adversary with SYSTEM access can decrypt these passwords using four components from AD user structures and LSA secrets. Adversaries can set this via PowerShell (Set-ADUser -AllowReversiblePasswordEncryption $true), Local Group Policy, or Fine-Grained Password Policy (FGPP) if Domain Functional Level is Windows Server 2008+."
references:
  - https://attack.mitre.org/techniques/T1556/005/
  - https://df00tech.com/detections/T1556.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1556.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    # Matches the PowerShell path named in the description above. GPO and FGPP
    # changes do not spawn a process, so they are not covered by this logsource.
    # Set-ADUser ... -AllowReversiblePasswordEncryption $false also matches and
    # is worth reviewing alongside enable events.
    CommandLine|contains|all:
      - 'Set-ADUser'
      - 'AllowReversiblePasswordEncryption'
  condition: selection
falsepositives:
  - Legitimate legacy application requirements — some old RADIUS/802.1x implementations require reversible encryption for MS-CHAP authentication; these should be documented
  - Help desk or IT admin enabling reversible encryption per application support request — verify against approved change tickets
  - Automated provisioning scripts that set reversible encryption for specific service accounts used with RADIUS
  - Domain migrations or password synchronization tools that temporarily enable reversible encryption
level: high
