T1556.005: Reversible Encryption
| View on MITRE ATT&CK | T1556.005 |
|---|---|
| Tactic(s) | Defense Evasion, Persistence, Credential Access |
Data from MITRE ATT&CK®:
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
If the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:
- Encrypted password (
G$RADIUSCHAP) from the Active Directory user-structureuserParameters - 16 byte randomly-generated value (
G$RADIUSCHAPKEY) also fromuserParameters - Global LSA secret (
G$MSRADIUSCHAPKEY) - Static key hardcoded in the Remote Access Subauthentication DLL (
RASSFM.DLL)
With this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.(Citation: how_pwd_rev_enc_1)(Citation: how_pwd_rev_enc_2)
An adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory PowerShell module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to "Windows Server 2008" or higher.(Citation: dump_pwd_dcsync) In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Script Execution (Script)
The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Active Directory Object Modification (Active Directory)
Changes made to an active directory object (ex: Windows EID 5163 or 5136)User Account Metadata (User Account)
Contextual data about an account, which may include a username, user ID, environmental data, etc.SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.