1. Home
  2. Techniques
  3. Enterprise
  4. Modify Authentication Process
  5. Reversible Encryption

Modify Authentication Process: Reversible Encryption

ID Name
T1556.001 Domain Controller Authentication
T1556.002 Password Filter DLL
T1556.003 Pluggable Authentication Modules
T1556.004 Network Device Authentication
T1556.005 Reversible Encryption
T1556.006 Multi-Factor Authentication
T1556.007 Hybrid Identity
T1556.008 Network Provider DLL
T1556.009 Conditional Access Policies

An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.[1]

If the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:

  1. Encrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters
  2. 16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters
  3. Global LSA secret (G$MSRADIUSCHAPKEY)
  4. Static key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL)

With this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.[2][3]

An adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory PowerShell module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to "Windows Server 2008" or higher.[4] In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.

ID: T1556.005
Sub-technique of:  T1556
Platforms: Windows
Version: 1.1
Created: 13 January 2022
Last Modified: 26 August 2024
Version Permalink

Mitigations

ID Mitigation Description
M1027 Password Policies

Ensure that AllowReversiblePasswordEncryption property is set to disabled unless there are application requirements.[1]
M1026 Privileged Account Management

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.[5][6] These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.[7]

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Object Modification

Monitor property changes in Group Policy: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption. By default, the property should be set to Disabled.

Analytic 1 - Enabling reversible encryption outside of standard procedures.

index=windows source="WinEventLog:Security" (EventCode=5136 OR EventCode=5137 OR EventCode=5138 OR EventCode=5139)| search AttributeLDAPDisplayName="msDS-User-Account-Control-Computed" OR AttributeLDAPDisplayName="userParameters"| rex field=_raw "ObjectDN=(?P[^,]+)"| eval Modification=if(match(AttributeValue, ".;PwdProperties=1."), "Enabled", "Disabled")| stats count by ObjectDN, Modification, EventCode, AttributeValue| where Modification="Enabled"

DS0017 Command Command Execution

Monitor command-line usage for -AllowReversiblePasswordEncryption $true or other actions that could be related to malicious tampering of user settings (i.e. Group Policy Modification).

Analytic 1 - Command-line actions indicating changes to encryption settings.

index=security (sourcetype="WinEventLog:Security" OR sourcetype="powershell")(EventCode=4688 OR EventCode=4104) commandline="set-aduser" commandline="allowreversiblepasswordencryption" | table _time, Process_ID, User, CommandLine
DS0012 Script Script Execution

Consider monitoring and/or blocking suspicious execution of Active Directory PowerShell modules, such as Set-ADUser and Set-ADAccountControl, that change account configurations.
DS0002 User Account User Account Metadata

Monitor Fine-Grained Password Policies and regularly audit user accounts and group settings.[4]

References

  1. Microsoft. (2021, October 28). Store passwords using reversible encryption. Retrieved January 3, 2022.
  2. Teusink, N. (2009, August 25). Passwords stored using reversible encryption: how it works (part 1). Retrieved November 17, 2021.
  3. Teusink, N. (2009, August 26). Passwords stored using reversible encryption: how it works (part 2). Retrieved November 17, 2021.
  4. Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
  1. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
  2. Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. Retrieved June 3, 2016.
  3. Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.