Modify Authentication Process: Reversible Encryption
Created the Friday 10 February 2023. Updated 7 months, 3 weeks ago.
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.
If the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:
Encrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters 16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters Global LSA secret (G$MSRADIUSCHAPKEY) Static key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL) With this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.
An adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory PowerShell module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to "Windows Server 2008" or higher. In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.
Credential Access Defense Evasion Persistence Active Directory authentication encryption properties AllowReversiblePasswordEncryption G$RADIUSCHAP G$RADIUSCHAPKEY G$MSRADIUSCHAPKEY Remote Access Subauthentication DLL (RASSFM.DLL) reproduce encryption key password decryption Local Group Policy Editor Fine-Grained Password Policy (FGPP)
The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.