
DET0589 Detect Modification of Authentication Process via Reversible Encryption

| Item | Value |
|---|---|
| ID | DET0589 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1556.005 (Reversible Encryption)

Analytics

Windows

AN1621

Detects enabling of reversible password encryption in Active Directory or Group Policy, suspicious PowerShell commands modifying AD user properties, and unusual account configuration changes correlated with policy modifications. Multi-event correlation links Group Policy edits, PowerShell command execution, and user account property changes to identify tampering with authentication encryption settings.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Modification (DC0066) | WinEventLog:Security | EventCode=4739 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103, 4104, 4105, 4106 |

Mutable Elements

| Field | Description |
|---|---|
| MonitoredOUs | Scope of Organizational Units where reversible encryption property monitoring is enabled. |
| TimeWindow | Time window in which to correlate Group Policy modification and subsequent user property changes. |
| SuspiciousCmdletList | List of PowerShell cmdlets to monitor for account configuration changes. |
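As an added illustration of the AN1621 correlation described above (not code from the DET0589 page or from MITRE), the following Python sketch runs the logic over constructed sample events: a domain policy change (Security 4739) followed within TimeWindow by a PowerShell script block (4104) that enables reversible encryption through a cmdlet on SuspiciousCmdletList. The record field names, the cmdlet list, the 30-minute window and the sample events are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (simplified, normalized records; not captured from any real host).
SAMPLE_EVENTS = [
    {"time": "2025-10-21T10:00:05", "channel": "WinEventLog:Security", "code": 4739,
     "user": "CORP\\svc-admin", "message": "Domain Policy was changed. Change Type: Password Policy modified"},
    {"time": "2025-10-21T10:03:40", "channel": "WinEventLog:PowerShell", "code": 4104,
     "user": "CORP\\svc-admin", "message": "Set-ADUser -Identity jdoe -AllowReversiblePasswordEncryption $true"},
    {"time": "2025-10-21T14:30:00", "channel": "WinEventLog:PowerShell", "code": 4104,
     "user": "CORP\\helpdesk", "message": "Get-ADUser -Identity jdoe -Properties *"},
]

# Assumed values for the mutable elements SuspiciousCmdletList and TimeWindow.
SUSPICIOUS_CMDLETS = ("Set-ADUser", "Set-ADAccountControl", "Set-ADDefaultDomainPasswordPolicy")
TIME_WINDOW = timedelta(minutes=30)
# Channels/event codes from the Log Sources table that carry a command line or script block.
COMMAND_SOURCES = {("WinEventLog:PowerShell", 4103), ("WinEventLog:PowerShell", 4104), ("WinEventLog:Sysmon", 1)}
# Cmdlet parameters that switch reversible encryption on for a user or in the default domain password policy.
ENABLE_RE = re.compile(r"-(AllowReversiblePasswordEncryption|ReversibleEncryptionEnabled)[\s:]+\$?true\b", re.I)


def enables_reversible_encryption(event):
    """True when a command/script-block event runs a monitored cmdlet with a reversible-encryption switch set."""
    if (event["channel"], event["code"]) not in COMMAND_SOURCES:
        return False
    msg = event["message"]
    uses_cmdlet = any(c.lower() in msg.lower() for c in SUSPICIOUS_CMDLETS)
    return uses_cmdlet and ENABLE_RE.search(msg) is not None


def correlate(events, window=TIME_WINDOW):
    """Link each reversible-encryption command to a preceding 4739 policy change inside the window (high);
    a command with no matching policy change is still reported, at medium."""
    policy_changes = [e for e in events if e["channel"] == "WinEventLog:Security" and e["code"] == 4739]
    alerts = []
    for cmd in events:
        if not enables_reversible_encryption(cmd):
            continue
        cmd_time = datetime.fromisoformat(cmd["time"])
        matched = None
        for policy in policy_changes:
            delta = cmd_time - datetime.fromisoformat(policy["time"])
            if timedelta(0) <= delta <= window:  # policy edit must precede the command, within the window
                matched = policy
                break
        alerts.append({"user": cmd["user"], "command": cmd["message"], "policy_event": matched,
                       "severity": "high" if matched else "medium"})
    return alerts
```

On the sample events this yields one high-severity alert for CORP\svc-admin; the helpdesk Get-ADUser read is not reported.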