UserID-Agent-credential-phishing Not Able to Extract Credentials
49885
Created On 04/14/19 23:55 PM - Last Modified 07/17/23 14:25 PM
Symptom
After enabling domain credential filtering with the User-ID Credential Agent, you may notice that the firewall does not receive any credentials from the agent. The agent statistics on the firewall show:
admin@firewall)> show user user-id-agent state rodc-1
rodc-1
Agent: rodc-1(vsys: vsys1) Host: rodc-1.domain.lab(10.1.1.254):5007
Status : conn:idle
Version : 0x5
num of connection tried : 90
num of connection succeeded : 15
num of connection failed : 75
num of status msgs rcvd : 172063
num of request of status msgs sent : 172066
num of request of ip mapping msgs sent : 859812
num of request of new ip mapping msgs sent : 0
num of request of all ip mapping msgs sent : 15
num of user ip mapping msgs rcvd : 0
num of ip msgs rcvd but failed to proc : 0
num of user ip mapping add entries rcvd : 0
num of user ip mapping del entries rcvd : 0
num of request of group msgs sent : 0
num of group msgs rcvd : 0
num of group msgs recvd buf fail to proc : 0
num of xml data msgs rcvd : 0
num of xml data msgs rcvd but failed to proc : 0
num of sync domain messages sent : 0
num of sync domain messages received : 0
num of sync digest messages sent : 0
num of sync digest messages received : 0
num of sync group messages sent : 0
num of sync group messages received : 0
num of sync users messages sent : 0
num of sync users messages received : 0
num of bloomfilter requests sent : 247
num of bloomfilter response received : 247
num of bloomfilter response failed to proc : 0
num of bloomfilter resize requests sent : 0
Last heard(seconds ago) : 1
Messages State:
Job ID : 0
Sent messages : 1032154
Rcvd messages : 172325
Rcvd rate(msgs/s) : 0
Rcvd peak rate(msgs/s) : 0
Lost messages : 0
Failed to send messages : 1
Failed to enqueue messages : 0
Queued sending msgs with priority 0 : 0
Queued sending msgs with priority 1 : 0
Queued rcvring msgs with priority 0 : 0
Queued rcvring msgs with priority 1 : 0
Credential Enforcement Status : Enabled and Pending
No credential state for agent.
useridd.log entries:
2019-03-11 15:20:50.242 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:20:55.292 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:00.896 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:05.261 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:10.382 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:15.731 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:20.562 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
User-ID Agent Credential Debug logs:
03/11/19 16:37:38:565 [Debug 4126]: expand groups took 0s
03/11/19 16:37:38:565 [Debug 633]: User list of 768 users unchanged.
03/11/19 16:37:38:565 [Error 716]: Unable to extract credentials.
Environment
Credential Detection with the Windows-based User-ID Agent.
Credential Detection Agent 10.2.x and below.
Cause
Resolution
Step 1: Check whether the User-ID Credential Agent service is running as the Local System account
Launch services.msc and check the "Log On As" column for the service. If it is not running as Local System: right-click the service > Properties > stop the service
Navigate to the Log On tab and change the account to Local System account
Step 2: Check whether the User-ID Agent service account is in the local Administrators role on the Read-Only Domain Controller (RODC)
By default, no user accounts are added to this role. Launch dsmgmt.exe to list the local administrators:
C:\Users\Administrator.domain.lab>dsmgmt.exe
dsmgmt.exe: local roles
local roles: show role administrators
domain.lab\pan_svc      <<<<<<<
local roles:
If you do not see the service account, add the user to the local administrators role:
local roles: add domain.lab\user1 administrators
Successfully updated local role.
local roles: show role administrators
domain.lab\pan_svc
domain.lab\user1
local roles:
Restart the User-ID Agent and User-ID Agent Credentials services after the above change.
Step 3: Check whether the user credentials are populated in the RODC cache
From a command prompt on the RODC, run: repadmin /prp view <domain controller cn> reveal
>repadmin /prp view WIN-VONGBAM7FQF reveal
Reveal List (msDS-RevealedList): RODC "CN=WIN-VONGBAM7FQF,OU=Domain Controllers,DC=domain.lab,DC=com":
CN=WIN-VONGBAM7FQF,OU=Domain Controllers,DC=domain.lab,DC=com
CN=krbtgt_21580,CN=Users,DC=domain.lab,DC=com
CN=user1,CN=Users,DC=domain.lab,DC=com
CN=user2,CN=Users,DC=domain.lab,DC=com
Optionally, if the list is too long, run the command from PowerShell and append: | Select-String <username>
Step 4: Check on the DC that the users listed above are NOT members of the "Denied RODC Password Replication Group"
On the DC, launch Active Directory Users and Computers, open the RODC's Password Replication Policy and review the Denied RODC Password Replication Group; a user in that group never has a password cached on the RODC.
Step 5: Check whether Credential Guard is enabled on the RODC
Launch gpedit.msc
Navigate to Computer Configuration > Administrative Templates > System > Device Guard
Click Device Guard
In the right pane, open "Turn On Virtualization Based Security"
If the Credential Guard configuration in this policy is enabled, turn it off. Credential Guard isolates LSA secrets, so the Credential Agent cannot read the credential hashes it needs while it is on.
Step 6: Check whether any of the following are present
- Third-party endpoint protection software (credential-guard style tools or anti-virus) that prevents the User-ID Agent Credential Agent from executing the code that retrieves credentials.
- Any group policy object applied to the DC that restricts the "Debug programs" user right (SeDebugPrivilege), which the User-ID Agent Credential Agent requires.
- Local Security Authority Subsystem Service (LSASS) protection configured in a way that prevents the User-ID Agent Credential Agent from reading credentials from LSASS.
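The following PowerShell script is an added example (not part of this article or of the Palo Alto Networks agent) that automates the read-only parts of Steps 1, 3, 4, 5 and the LSASS item of Step 6 on the RODC. It assumes the ActiveDirectory module (RSAT) is installed, that the User-ID services carry "User-ID" in their display name, and that LSA protection is configured through the RunAsPPL registry value; Step 2 is left to the interactive dsmgmt.exe session shown above.

```powershell
# Added diagnostic script: run in an elevated PowerShell prompt on the RODC.
param(
    [string]$RodcName = $env:COMPUTERNAME   # RODC computer name (page example: WIN-VONGBAM7FQF)
)

# Step 1: the User-ID Agent and Credential Agent services should run as LocalSystem.
# Assumption: both services have "User-ID" in their display name; adjust the filter if not.
Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like '*User-ID*' } | ForEach-Object {
    $status = if ($_.StartName -eq 'LocalSystem') { 'OK' } else { 'FIX: set Log On to Local System' }
    "[Step1] $($_.Name) runs as '$($_.StartName)' -> $status"
}

# Step 3: accounts whose passwords are cached on this RODC (msDS-RevealedList), parsed
# from the same repadmin command the article uses. The RODC's own computer object and
# its krbtgt_* account are always listed, so they are filtered out.
$revealed = repadmin /prp view $RodcName reveal |
    Where-Object { $_ -match '^\s*CN=' } | ForEach-Object { $_.Trim() }
"[Step3] $(@($revealed).Count) entries in the reveal list"
$userDns = @($revealed | Where-Object { $_ -notmatch 'OU=Domain Controllers|^CN=krbtgt' })

# Step 4: none of those users may be in the Denied RODC Password Replication Group,
# otherwise their credentials are never cached and the agent has nothing to extract.
Import-Module ActiveDirectory
$denied = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
foreach ($dn in $userDns) {
    if ($denied -contains $dn) { "[Step4] FIX: $dn is cached but is also in the Denied group" }
    else                       { "[Step4] OK: $dn" }
}

# Step 5: Credential Guard running? Win32_DeviceGuard.SecurityServicesRunning contains 1
# when Credential Guard is active (2 means HVCI).
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
if ($dg.SecurityServicesRunning -contains 1) { "[Step5] FIX: Credential Guard is running on this RODC" }
else                                          { "[Step5] OK: Credential Guard is not running" }

# Step 6 (LSASS item): LSA protection (RunAsPPL) stops non-protected processes, including
# the Credential Agent, from reading LSASS. Assumption: it is configured via this registry value.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.RunAsPPL -eq 1) { "[Step6] FIX: LSA protection (RunAsPPL) is enabled" }
else                     { "[Step6] OK: LSA protection (RunAsPPL) is not enabled" }
```

Any line tagged FIX points at the step in the resolution above that explains the change to make; the script only reads configuration and changes nothing.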