Description
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
If the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:
1. Encrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters
2. 16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters
3. Global LSA secret (G$MSRADIUSCHAPKEY)
4. Static key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL)
With this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.(Citation: how_pwd_rev_enc_1)(Citation: how_pwd_rev_enc_2)
An adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory PowerShell module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to "Windows Server 2008" or higher.(Citation: dump_pwd_dcsync) In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.
Platforms
Mitigations (2)
Privileged Account ManagementM1026
Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.(Citation: TechNet Credential Theft)(Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be aut
Password PoliciesM1027
Ensure that AllowReversiblePasswordEncryption property is set to disabled unless there are application requirements.(Citation: store_pwd_rev_enc)
References
- Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- Microsoft. (2021, October 28). Store passwords using reversible encryption. Retrieved January 3, 2022.
- Teusink, N. (2009, August 25). Passwords stored using reversible encryption: how it works (part 1). Retrieved November 17, 2021.
- Teusink, N. (2009, August 26). Passwords stored using reversible encryption: how it works (part 2). Retrieved November 17, 2021.
Frequently Asked Questions
What is T1556.005 (Reversible Encryption)?
T1556.005 is a MITRE ATT&CK technique named 'Reversible Encryption'. It belongs to the Defense Impairment, Persistence, Credential Access tactic(s). An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whe...
How can T1556.005 be detected?
Detection of T1556.005 (Reversible Encryption) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1556.005?
There are 2 documented mitigations for T1556.005. Key mitigations include: Privileged Account Management, Password Policies.
Which threat groups use T1556.005?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.