Esc
Reversible Encryption - T1556.005
(ATT&CK® Technique)
Definition
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1556005["Reversible Encryption"] --> |modifies| AuthenticationService["Authentication Service"]; class T1556005 OffensiveTechniqueNode;
class AuthenticationService ArtifactNode; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService";
click T1556005 href "/offensive-technique/attack/T1556.005/"; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| may-detect | T1556005["Reversible Encryption"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1556005["Reversible Encryption"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessTermination["Process Termination"] -->
| terminates | AuthenticationService["Authentication Service"];
ProcessTermination["Process Termination"] -.->
| may-evict | T1556005["Reversible Encryption"] ;
class ProcessTermination DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessSuspension["Process Suspension"] -->
| suspends | AuthenticationService["Authentication Service"];
ProcessSuspension["Process Suspension"] -.->
| may-evict | T1556005["Reversible Encryption"] ;
class ProcessSuspension DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; HostShutdown["Host Shutdown"] -->
| terminates | AuthenticationService["Authentication Service"];
HostShutdown["Host Shutdown"] -.->
| may-evict | T1556005["Reversible Encryption"] ;
class HostShutdown DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1556005["Reversible Encryption"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.->
| may-isolate | T1556005["Reversible Encryption"] ;
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1556005["Reversible Encryption"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; SystemCallFiltering["System Call Filtering"] -->
| isolates | AuthenticationService["Authentication Service"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1556005["Reversible Encryption"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| may-detect | T1556005["Reversible Encryption"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; HostReboot["Host Reboot"] -->
| terminates | AuthenticationService["Authentication Service"];
HostReboot["Host Reboot"] -.->
| may-evict | T1556005["Reversible Encryption"] ;
class HostReboot DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; WebSessionAccessMediation["Web Session Access Mediation"] -->
| isolates | AuthenticationService["Authentication Service"];
WebSessionAccessMediation["Web Session Access Mediation"] -.->
| may-isolate | T1556005["Reversible Encryption"] ;
class WebSessionAccessMediation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click WebSessionAccessMediation href "/technique/d3f:WebSessionAccessMediation";