T1556.005: Reversible Encryption
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.
If the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:
- Encrypted password (
G$RADIUSCHAP
) from the Active Directory user-structureuserParameters
- 16 byte randomly-generated value (
G$RADIUSCHAPKEY
) also fromuserParameters
- Global LSA secret (
G$MSRADIUSCHAPKEY
) - Static key hardcoded in the Remote Access Subauthentication DLL (
RASSFM.DLL
)
With this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.
An adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory PowerShell module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to "Windows Server 2008" or higher. In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true
.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
— Monitoring of process-start events where command line input contains '-AllowReversiblePasswordEncryption $true'. — Monitoring of events with ID 5136 on domain controllers related to modification of the group policy value (which should be set to 'Disabled' by default): Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption.
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
ID | DS0026 | Data source and component | Active Directory: Active Directory Object Modification | Description | Monitor property changes in Group Policy: |
---|
ID | DS0002 | Data source and component | User Account: User Account Metadata | Description | Monitor Fine-Grained Password Policies and regularly audit user accounts and group settings. |
---|
ID | DS0012 | Data source and component | Script: Script Execution | Description | Consider monitoring and/or blocking suspicious execution of Active Directory PowerShell modules, such as |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor command-line usage for |
---|
Mitigation
ID | M1026 | Name | Privileged Account Management | Description | Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
---|
ID | M1027 | Name | Password Policies | Description | Ensure that |
---|