DET0589: Detect Modification of Authentication Process via Reversible Encryption
Analyst context for executives and security teams
DET0589 is a detection strategy for identifying changes tied to Active Directory reversible password encryption. This matters because enabling reversible encryption can weaken credential protection and support persistence or credential access in a Windows environment. For leaders, the key issue is not just whether a setting exists, but whether the organization can prove that risky authentication-property changes are monitored, reviewed, and justified by a real legacy requirement.
Executive priority
Prioritize this as an identity security and audit-evidence concern. Reversible password encryption should normally remain disabled, so exceptions should be rare, documented, and time-bound. Security leaders should ask whether Active Directory account and policy changes are monitored, whether legacy dependencies requiring this setting are known, and whether incident responders can quickly determine who changed the setting, when, and on which accounts.
Technical view
The ATT&CK object has no official detection text or platform of its own, but it detects T1556.005 Reversible Encryption, which applies to Windows and maps to the Defense Evasion, Persistence, and Credential Access tactics. SOC and detection teams should validate visibility into Active Directory authentication-property changes, especially the AllowReversiblePasswordEncryption property on individual accounts (the ENCRYPTED_TEXT_PWD_ALLOWED bit, 0x80, of userAccountControl) and the equivalent "Store passwords using reversible encryption" setting in the domain or fine-grained password policy. Investigations should distinguish approved legacy-software exceptions from unexpected changes to privileged, service, or broadly used accounts.
Likely telemetry
- Active Directory account attribute change events
- Directory service audit logs showing who modified authentication-related properties
- Windows Security logs from domain controllers where Audit User Account Management is enabled (event 4738, "A user account was changed", records the old and new userAccountControl values) and where domain password-policy changes are audited (event 4739, "Domain Policy was changed")
- Identity administration records or change-management tickets for approved exceptions
- Privileged account management or IAM activity logs showing administrator actions
Detection direction
- Validate that domain controller auditing (Account Management and Policy Change subcategories) captures changes to reversible password encryption-related account properties, and that the old and new userAccountControl values are actually present in the forwarded events.
- Tune alerts around unexpected enablement, especially for privileged accounts, service accounts, or accounts without a documented business exception.
- Correlate attribute changes with administrator identity, source system, time window, and change ticket to reduce false positives from approved legacy application support.
- Review historical baselines because this setting may have been enabled long before current monitoring was deployed.
- Treat missing Active Directory audit coverage as a material blind spot; the supplied ATT&CK object provides no standalone detection logic.
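The detection direction above, worked as an added example that is not part of the original page or of MITRE's object: a small Python detector that reads constructed Windows Security event 4738 records, alerts only when the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80) of userAccountControl flips from clear to set, correlates the target account with an exception register and a privileged-account list, and separately baselines a directory snapshot for accounts that were flagged before monitoring existed. The event contents, the exception register, the account names and the snapshot are all constructed for this example; the 4738 field names ("Old UAC Value", "New UAC Value", "Target Account Name", "Subject Account Name") and the 0x80 bit are real.

```python
"""Detect enablement of AD reversible password encryption from Windows
Security event 4738 ("A user account was changed") records.

AllowReversiblePasswordEncryption maps to the ENCRYPTED_TEXT_PWD_ALLOWED
bit (0x80) of userAccountControl. Event 4738 carries the attribute before
and after the change as hex "Old UAC Value" / "New UAC Value" fields, so a
0 -> 1 transition of that bit is the enablement. Records, exception
register, privileged accounts and baseline snapshot below are constructed.
"""
import re
from typing import Optional

ENCRYPTED_TEXT_PWD_ALLOWED = 0x80  # userAccountControl bit behind AllowReversiblePasswordEncryption

# Constructed exception register: accounts with a documented legacy requirement.
EXCEPTION_REGISTER = {
    "svc-legacyapp": {"owner": "app-team", "ticket": "CHG-1001", "review": "2026-06-30"},
}
PRIVILEGED_ACCOUNTS = {"da-admin", "krbtgt"}  # constructed high-value principals
SERVICE_ACCOUNT_PREFIX = "svc-"               # constructed naming convention

# Constructed 4738 records in key: value form; a blank line separates events.
SAMPLE_EVENTS = """\
EventID: 4738
TimeCreated: 2026-03-01T09:12:44Z
Subject Account Name: helpdesk01
Target Account Name: svc-legacyapp
Old UAC Value: 0x10200
New UAC Value: 0x10280

EventID: 4738
TimeCreated: 2026-03-01T23:41:07Z
Subject Account Name: da-admin
Target Account Name: da-admin
Old UAC Value: 0x200
New UAC Value: 0x280

EventID: 4738
TimeCreated: 2026-03-02T08:00:15Z
Subject Account Name: helpdesk01
Target Account Name: jdoe
Old UAC Value: 0x280
New UAC Value: 0x200

EventID: 4738
TimeCreated: 2026-03-02T08:05:30Z
Subject Account Name: helpdesk01
Target Account Name: asmith
Old UAC Value: 0x200
New UAC Value: 0x200
"""

# Constructed directory snapshot {sAMAccountName: userAccountControl} for baselining.
BASELINE_SNAPSHOT = {"svc-legacyapp": 0x10280, "jdoe": 0x200, "old-vendor": 0x280, "da-admin": 0x200}


def parse_uac(value: str) -> int:
    """Event 4738 writes UAC values as hex ("0x280"); accept decimal as well."""
    value = value.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def parse_events(text: str) -> list:
    """Split blank-line-separated key: value records into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
        events.append(fields)
    return events


def reversible_enabled(old_uac: int, new_uac: int) -> bool:
    """True only when the bit goes from clear to set; disabling is not an alert."""
    return not (old_uac & ENCRYPTED_TEXT_PWD_ALLOWED) and bool(new_uac & ENCRYPTED_TEXT_PWD_ALLOWED)


def assess(event: dict) -> Optional[dict]:
    """Return an alert dict for a 4738 record that enables reversible encryption, else None."""
    if event.get("EventID") != "4738":
        return None
    old, new = parse_uac(event["Old UAC Value"]), parse_uac(event["New UAC Value"])
    if not reversible_enabled(old, new):
        return None
    target = event["Target Account Name"]
    exception = EXCEPTION_REGISTER.get(target)
    if target in PRIVILEGED_ACCOUNTS:        # privileged targets alert even if registered
        severity, reason = "high", "reversible encryption enabled on a privileged account"
    elif exception is None:
        severity, reason = "high", "no documented exception for this account"
    else:
        severity, reason = "info", f"approved exception {exception['ticket']} (owner {exception['owner']})"
    return {
        "time": event.get("TimeCreated"),
        "actor": event.get("Subject Account Name"),
        "target": target,
        "service_account": target.startswith(SERVICE_ACCOUNT_PREFIX),
        "severity": severity,
        "reason": reason,
    }


def run_detection(text: str) -> list:
    return [a for a in (assess(e) for e in parse_events(text)) if a]


def accounts_with_reversible_encryption(snapshot: dict) -> list:
    """Baseline: accounts already flagged, whenever that happened. The live
    equivalent is the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=128)."""
    return sorted(name for name, uac in snapshot.items() if uac & ENCRYPTED_TEXT_PWD_ALLOWED)


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
    print("already enabled:", accounts_with_reversible_encryption(BASELINE_SNAPSHOT))
```

Against the constructed input this raises two alerts: an informational one for svc-legacyapp, whose exception is registered, and a high-severity one for da-admin, which is privileged and was changed outside business hours by itself. The jdoe record is a disablement and the asmith record changes no bits, so neither alerts. In production the same logic belongs in the SIEM rule, with the exception register and privileged-account list pulled from the IAM system rather than hard-coded.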
Mitigation priorities
- Keep reversible password encryption disabled unless a documented legacy requirement exists.
- Maintain an exception register for any accounts requiring the setting, including owner, justification, review date, and compensating controls.
- Limit who can modify authentication-related account properties and periodically review privileged directory permissions.
- Ensure identity change monitoring is included in SOC use cases and incident response evidence collection.
- Retire or replace legacy dependencies where feasible to reduce the need for reversible password encryption.
Analyst notes and limits
This take is based on the detection strategy DET0589 and its relationship to ATT&CK technique T1556.005 Reversible Encryption. The practical value is in validating identity telemetry, exception governance, and response readiness around risky Active Directory authentication-property changes.
The detection strategy object does not include an official description, official detection logic, platforms, or tactics. Platform and tactic context comes only from the related technique T1556.005. Local Active Directory configuration, audit policy, legacy application requirements, and account inventory are required to determine real exposure and detection quality.
Detect Modification of Authentication Process via Reversible Encryption
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1556.005 | Reversible Encryption (sub-technique of T1556 Modify Authentication Process) | This object detects Reversible Encryption. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 63ec4f62b591… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0589 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.