Detects the enabling of reversible password encryption in Active Directory, whether through Group Policy or direct account modification; suspicious PowerShell commands that modify AD user properties; and unusual account configuration changes that coincide with policy modifications. Multi-event correlation links Group Policy edits, PowerShell command execution, and user account property changes to surface tampering with authentication encryption settings.

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Modification (DC0066) | WinEventLog:Security | EventCode=4739 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| MonitoredOUs | Scope of Organizational Units where reversible encryption property monitoring is enabled. |
| TimeWindow | Time window in which to correlate Group Policy modification and subsequent user property changes. |
| SuspiciousCmdletList | List of PowerShell cmdlets to monitor for account configuration changes. |
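The correlation described above, as an added worked example that is not part of the original analytic: it runs over constructed Security 4739, Sysmon 1 and PowerShell 4104 events, flags script blocks that turn reversible encryption on (the `-AllowReversiblePasswordEncryption` / `-ReversibleEncryptionEnabled` parameters of the ActiveDirectory module cmdlets, or a direct write of the `ENCRYPTED_TEXT_PWD_ALLOWED` bit `0x80` in `userAccountControl`), scopes them to the monitored OUs, and raises severity when a Group Policy edit precedes the command within the time window. The field names inside the event dicts, the sample values, the OU list and the 30-minute window are assumptions chosen for the example; the cmdlet list goes slightly beyond the page by covering fine-grained password policies as well.

```python
"""Correlate Group Policy edits with PowerShell commands that enable reversible
password encryption. Added example; all events below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re
from typing import List, Optional

# Tunables named after the fields in the table above (assumed values).
MONITORED_OUS = ["OU=Admins,DC=corp,DC=example", "OU=Service Accounts,DC=corp,DC=example"]
TIME_WINDOW = timedelta(minutes=30)
# Cmdlet -> parameter that enables reversible encryption when set to $true.
SUSPICIOUS_CMDLETS = {
    "set-aduser": "allowreversiblepasswordencryption",
    "set-addefaultdomainpasswordpolicy": "reversibleencryptionenabled",
    "set-adfinegrainedpasswordpolicy": "reversibleencryptionenabled",
}
UAC_REVERSIBLE_BIT = 0x80  # ENCRYPTED_TEXT_PWD_ALLOWED in userAccountControl


@dataclass
class Event:
    time: datetime
    channel: str   # "Security", "Sysmon" or "PowerShell"
    code: int      # 4739, 1 or 4104
    fields: dict


def _parse_int(text: str) -> int:
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def enables_reversible(script: str) -> bool:
    """True if the script block turns reversible encryption on (not off)."""
    low = script.lower()
    for cmdlet, param in SUSPICIOUS_CMDLETS.items():
        if cmdlet in low and re.search(rf"-{param}(?::|\s+)\$true\b", low):
            return True
    # Direct flag write, e.g. -Replace @{userAccountControl=0x10280}
    m = re.search(r"useraccountcontrol\s*=\s*(0x[0-9a-f]+|\d+)", low)
    return bool(m and _parse_int(m.group(1)) & UAC_REVERSIBLE_BIT)


def target_in_scope(script: str) -> bool:
    """Domain-wide policy cmdlets are always in scope; user edits must name a monitored OU."""
    low = script.lower()
    if "set-addefaultdomainpasswordpolicy" in low or "set-adfinegrainedpasswordpolicy" in low:
        return True
    return any(ou.lower() in low for ou in MONITORED_OUS)


def _launching_parent(e: Event, events: List[Event]) -> Optional[str]:
    """Sysmon 1 enrichment: parent of the powershell.exe started by the same user just before."""
    cands = [p for p in events if p.channel == "Sysmon" and p.code == 1
             and p.fields.get("User") == e.fields.get("User")
             and p.fields.get("Image", "").lower().endswith("powershell.exe")
             and timedelta(0) <= e.time - p.time <= TIME_WINDOW]
    return cands[-1].fields.get("ParentImage") if cands else None


def correlate(events: List[Event], window: timedelta = TIME_WINDOW) -> List[dict]:
    policy_edits = sorted((e for e in events if e.channel == "Security" and e.code == 4739),
                          key=lambda e: e.time)
    alerts = []
    for e in events:
        if e.channel != "PowerShell" or e.code != 4104:
            continue
        script = e.fields.get("ScriptBlockText", "")
        if not (enables_reversible(script) and target_in_scope(script)):
            continue
        prior = [p for p in policy_edits if timedelta(0) <= e.time - p.time <= window]
        alerts.append({
            "time": e.time,
            "user": e.fields.get("User"),
            "script": script,
            "parent_process": _launching_parent(e, events),
            "correlated_policy_edit": prior[-1].fields.get("SubjectUserName") if prior else None,
            "severity": "high" if prior else "medium",  # policy edit + account change in window
        })
    return alerts


T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry
    Event(T0, "Security", 4739, {"SubjectUserName": "jdoe", "DomainPolicyChanged": "Password Policy"}),
    Event(T0 + timedelta(minutes=2), "Sysmon", 1, {"User": "CORP\\jdoe",
          "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    Event(T0 + timedelta(minutes=3), "PowerShell", 4104, {"User": "CORP\\jdoe", "ScriptBlockText":
          "Set-ADUser -Identity 'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example' "
          "-AllowReversiblePasswordEncryption $true"}),
    Event(T0 + timedelta(minutes=5), "PowerShell", 4104, {"User": "CORP\\helpdesk", "ScriptBlockText":
          "Set-ADUser -Identity 'CN=bob,OU=Staff,DC=corp,DC=example' -Enabled $true"}),  # benign
    Event(T0 + timedelta(hours=3), "PowerShell", 4104, {"User": "CORP\\admin2", "ScriptBlockText":
          "Set-ADUser -Identity 'CN=alice,OU=Admins,DC=corp,DC=example' "
          "-Replace @{userAccountControl=0x10280}"}),  # flag write, outside the window
    Event(T0 + timedelta(minutes=10), "PowerShell", 4104, {"User": "CORP\\jdoe", "ScriptBlockText":
          "Set-ADUser -Identity 'CN=x,OU=Admins,DC=corp,DC=example' "
          "-AllowReversiblePasswordEncryption $false"}),  # disabling, not alerted
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"], a["user"], a["correlated_policy_edit"], a["script"][:60])
```

Run against the constructed events it produces two alerts: a high-severity one for the Service Accounts change made minutes after the policy edit (enriched with the cmd.exe parent from Sysmon), and a medium-severity one for the raw `userAccountControl` write hours later with no policy edit in the window. In production the `ScriptBlockText` check should be paired with the resulting object-modification event rather than relying on the command text alone, since script block logging can be bypassed or disabled.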