AN1621: Analytic 1621
Detects enabling of reversible password encryption in Active Directory or Group Policy, suspicious PowerShell commands modifying AD user properties, and unusual account configuration changes correlated with policy modifications. Multi-event correlation links Group Policy edits, PowerShell command execution, and user account property changes to identify tampering with authentication encryption settings.
Analyst context for executives and security teams
This analytic matters because enabling reversible password encryption in Active Directory can materially weaken credential protection. For leaders, the practical issue is not only whether the setting exists, but whether the organization can prove that changes to authentication policy, Group Policy, and user account properties are authorized, logged, and investigated quickly.
Executive priority
Prioritize this as an identity control and audit-readiness issue for Windows Active Directory environments. Security leaders should ask who can modify Group Policy and AD user authentication-related properties, whether those changes require approval, and whether the SOC can correlate policy edits with account changes. The business value is reducing the chance that a weakened authentication configuration goes unnoticed and becomes an incident response or compliance problem.
Technical view
For SOC and detection teams, validate coverage for the analytic’s stated correlation pattern: Group Policy edits, suspicious PowerShell commands modifying AD user properties, and unusual account configuration changes tied to authentication encryption settings. Because no ATT&CK tactic, relationship context, or official detection logic is supplied, treat this as a detection engineering requirement rather than a complete rule. Confirm that Windows/AD logging is sufficient to reconstruct who changed what, from where, and through which administrative mechanism.
Likely telemetry
- Active Directory user account property change records
- Group Policy modification records
- PowerShell command execution logs where enabled
- Windows security/audit logs related to directory and policy changes
- Administrative change-management or approval records for correlation and triage context
Detection direction
- Validate correlation across Group Policy edits, PowerShell activity, and AD user property changes rather than alerting on any single event in isolation.
- Baseline legitimate identity administration and Group Policy maintenance to reduce false positives.
- Tune for high-risk changes involving reversible password encryption or related authentication encryption settings.
- Check for blind spots where PowerShell logging, directory auditing, or Group Policy change auditing is disabled or inconsistently retained.
- Ensure alerts preserve actor, target account or policy object, timestamp, host, and change details for incident response.
Mitigation priorities
- Restrict and regularly review permissions that allow modification of Active Directory user properties and Group Policy authentication settings.
- Require change approval for policy or account configuration changes affecting password encryption behavior.
- Keep reversible password encryption disabled unless a documented business requirement exists.
- Use periodic configuration reviews to identify unauthorized or legacy use of reversible password encryption.
- Ensure incident response playbooks include validation of recent AD and Group Policy changes when suspicious identity configuration changes are found.
Analyst notes and limits
This is a MITRE ATT&CK detection analytic object for Windows focused on identifying tampering with reversible password encryption settings through multi-event correlation. No relationship context, ATT&CK tactics, aliases, labels, or detailed detection logic were supplied.
The supplied object does not include official detection pseudocode, event identifiers, data source mappings, or related techniques. Local AD architecture, audit policy, log retention, and administrative workflows are required to turn this into an operational detection.
Analytic 1621
Detects enabling of reversible password encryption in Active Directory or Group Policy, suspicious PowerShell commands modifying AD user properties, and unusual account configuration changes correlated with policy modifications. Multi-event correlation links Group Policy edits, PowerShell command execution, and user account property changes to identify tampering with authentication encryption settings.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | fb508a960e77… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1621Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.