UserID-Agent-credential-phishing Not Able to Extract Credentials

Created On 04/14/19 23:55 PM - Last Modified 04/15/19 15:07 PM


Symptom
After enabling the domain credential filter with the User-ID Credential Agent, you may notice that the firewall never receives any credentials from the agent. The agent statistics on the firewall show a credential enforcement status of "Enabled and Pending" with no credential state:
admin@firewall> show user user-id-agent state rodc-1
rodc-1
Agent: rodc-1(vsys: vsys1) Host: rodc-1.domain.lab(10.1.1.254):5007
        Status                                            : conn:idle
        Version                                           : 0x5
        num of connection tried                           : 90
        num of connection succeeded                       : 15
        num of connection failed                          : 75
        num of status msgs rcvd                           : 172063
        num of request of status msgs sent                : 172066
        num of request of ip mapping msgs sent            : 859812
        num of request of new ip mapping msgs sent        : 0
        num of request of all ip mapping msgs sent        : 15
        num of user ip mapping msgs rcvd                  : 0
        num of ip msgs rcvd but failed to proc            : 0
        num of user ip mapping add entries rcvd           : 0
        num of user ip mapping del entries rcvd           : 0
        num of request of group msgs sent                 : 0
        num of group msgs rcvd                            : 0
        num of group msgs recvd buf fail to proc          : 0
        num of xml data msgs rcvd                         : 0
        num of xml data msgs rcvd but failed to proc      : 0
        num of sync domain messages sent                  : 0
        num of sync domain messages received              : 0
        num of sync digest messages sent                  : 0
        num of sync digest messages received              : 0
        num of sync group messages sent                   : 0
        num of sync group messages received               : 0
        num of sync users messages sent                   : 0
        num of sync users messages received               : 0
        num of bloomfilter requests sent                  : 247
        num of bloomfilter response received              : 247
        num of bloomfilter response failed to proc        : 0
        num of bloomfilter resize requests sent           : 0
        Last heard(seconds ago)                           : 1
        Messages State:
          Job ID                                          : 0
          Sent messages                                   : 1032154
          Rcvd messages                                   : 172325
          Rcvd rate(msgs/s)                               : 0
          Rcvd peak rate(msgs/s)                          : 0
          Lost messages                                   : 0
          Failed to send messages                         : 1
          Failed to enqueue messages                      : 0
          Queued sending msgs with priority 0             : 0
          Queued sending msgs with priority 1             : 0
          Queued rcvring msgs with priority 0             : 0
          Queued rcvring msgs with priority 1             : 0
        Credential Enforcement Status : Enabled and Pending 
        No credential state for agent.

useridd.log on the firewall repeats the same warning every few seconds:
2019-03-11 15:20:50.242 +1300 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:20:55.292 +1300 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:00.896 +1300 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:05.261 +1300 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:10.382 +1300 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:15.731 +1300 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:20.562 +1300 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.

User-ID Agent credential debug logs on the agent host:
03/11/19 16:37:38:565 [Debug 4126]: expand groups took 0s
03/11/19 16:37:38:565 [Debug  633]: User list of 768 users unchanged.
03/11/19 16:37:38:565 [Error  716]: Unable to extract credentials.

Environment
Credential Detection with the Windows-based User-ID Agent.

Cause

Resolution

Step 1: Check that the User-ID Agent Credentials service runs as the Local System account

Launch services.msc and check the "Log On As" column for the User-ID Agent services.

If the service is not running as the Local System account: right-click the service > Properties, then stop the service.

Open the Log On tab and change the account to "Local System account".


Step 2: Check that the User-ID Agent service account is in the local Administrators role on the Read-Only Domain Controller (RODC)
By default, no user accounts are members of this role. Launch dsmgmt.exe on the RODC to list the local administrators:
C:\Users\Administrator.domain.lab>dsmgmt.exe
dsmgmt.exe: local roles
local roles: show role administrators
        domain.lab\pan_svc      <<<<<<<
local roles:

If the service account is not listed, add it to the local administrators role (domain.lab\user1 is used as the example account here):
local roles: add domain.lab\user1 administrators
Successfully updated local role.
local roles: show role administrators
        domain.lab\pan_svc
        domain.lab\user1
local roles:

Restart the User-ID Agent and User-ID Agent Credentials services after making this change.


Step 3: Check that the users' credentials are cached on the RODC
From a PowerShell prompt, run repadmin /prp view <RODC computer name> reveal to list the accounts whose passwords the RODC has cached (the msDS-RevealedList):
>repadmin /prp view WIN-VONGBAM7FQF reveal
Reveal List (msDS-RevealedList):
RODC "CN=WIN-VONGBAM7FQF,OU=Domain Controllers,DC=domain.lab,DC=com":
CN=WIN-VONGBAM7FQF,OU=Domain Controllers,DC=domain.lab,DC=com
CN=krbtgt_21580,CN=Users,DC=domain.lab,DC=com
CN=user1,CN=Users,DC=domain.lab,DC=com
CN=user2,CN=Users,DC=domain.lab,DC=com

If the list is long, pipe the output through Select-String <username> to find a specific account.


Step 4: Check on the DC that the users listed above are NOT members of the "Denied RODC Password Replication Group"

On the DC, open Active Directory Users and Computers, open the Properties of the RODC computer object, select the Password Replication Policy tab, and check the membership of the Denied RODC Password Replication Group. Users in this group never have their passwords cached on the RODC, so the credential agent cannot extract them.


Step 5: Check whether Credential Guard is enabled on the RODC

Launch gpedit.msc and navigate to Computer Configuration > Administrative Templates > System > Device Guard.

Click Device Guard, then in the right pane open "Turn On Virtualization Based Security".

If the setting is enabled, turn off the Credential Guard configuration. Credential Guard isolates LSASS secrets in a virtualization-based container, which prevents the credential agent from reading them.


Step 6: Check whether any of the following are present on the RODC
  • Third-party endpoint protection (credential-guard style products or anti-virus) that blocks the User-ID Agent Credential Agent from executing the code that retrieves credentials.
  • Any Group Policy Object applied to the DC that restricts the "Debug programs" user right, which prevents the User-ID Agent Credential Agent from running.
  • Any Local Security Authority Subsystem Service (LSASS) hardening configuration that prevents the User-ID Agent Credential Agent from accessing LSASS.
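The scriptable checks from Steps 1, 3, 5 and 6 can be collected in one PowerShell script run as an administrator on the RODC that hosts the Windows User-ID Agent. This is an added example, not a script from Palo Alto Networks or this article; the RODC name, the user list and the temporary export path are assumed placeholders, and the Win32_DeviceGuard and secedit queries are standard Windows interfaces used here in place of the GUI steps.

```powershell
# Added example (not from the article): automates the scriptable checks from
# Steps 1, 3, 5 and 6 on the RODC hosting the Windows User-ID Agent. Run elevated.
param(
    [string]$RodcName   = 'RODC-PLACEHOLDER',       # assumed: RODC computer name
    [string[]]$Users    = @('user1', 'user2'),      # assumed: users that should reveal
    [string]$CfgPath    = "$env:TEMP\secpol.cfg"    # assumed: temp secedit export path
)

function Report([bool]$Ok, [string]$Message) {
    $tag = if ($Ok) { 'OK ' } else { 'FIX' }
    Write-Output ("[{0}] {1}" -f $tag, $Message)
}

# Step 1: both User-ID services must log on as the Local System account.
Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'User-ID%'" | ForEach-Object {
    Report ($_.StartName -eq 'LocalSystem') ("{0} logs on as {1}" -f $_.DisplayName, $_.StartName)
}

# Step 3: each user must appear in the RODC's msDS-RevealedList (password cached).
$reveal = repadmin /prp view $RodcName reveal
foreach ($u in $Users) {
    $cached = [bool]($reveal | Select-String -SimpleMatch "CN=$u,")
    $verb = if ($cached) { 'is' } else { 'is NOT' }
    Report $cached ("{0} {1} in msDS-RevealedList on {2}" -f $u, $verb, $RodcName)
}

# Step 5: Credential Guard must not be running. In Win32_DeviceGuard,
# SecurityServicesRunning contains 1 when Credential Guard is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$cgRunning = [bool]($dg.SecurityServicesRunning -contains 1)
Report (-not $cgRunning) ("Credential Guard running: {0}" -f $cgRunning)

# Step 6: show who holds the "Debug programs" right (SeDebugPrivilege) in the
# effective local security policy. Holders are listed as SIDs; *S-1-5-32-544 is
# the local Administrators group, which the agent account joined in Step 2.
secedit /export /cfg $CfgPath | Out-Null
$debugLine = Select-String -Path $CfgPath -Pattern '^SeDebugPrivilege' | ForEach-Object Line
$detail = if ($debugLine) { $debugLine } else { 'not assigned (removed by policy?)' }
Report ([bool]$debugLine) ("SeDebugPrivilege assignment: {0}" -f $detail)
Remove-Item $CfgPath -ErrorAction SilentlyContinue
```

Each line tagged FIX points at the step of this article to revisit; the Step 2 dsmgmt role check and the Step 4 denied-group check remain manual.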

 


    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PLaX&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail