Credential Phishing Protection troubleshooting

L3 Networker

Re: Credential Phishing Protection troubleshooting

Thanks, I do see a couple of bloomfilter entries appear

 

        num of bloomfilter requests sent                  : 13
        num of bloomfilter response received              : 12
        num of bloomfilter response failed to proc        : 0
        num of bloomfilter resize requests sent           : 0
        Last heard(seconds ago)                           : 4

So I guess we are on the right track?

 

I put "domain users" in the "Allowed RODC Password Replication Group"

But also my personal testing account, in case there might be a problem with nested groups.

 

Then I tried two different URL categories for the password credential submission:

One for my personal NAS device (computers-and-internet-info) at home and one for Netflix (streaming-media).

But if I enter any domain credentials, they are not detected.

Both websites simply say the credentials are not valid.

L4 Transporter

Re: Credential Phishing Protection troubleshooting

Okay, you're on the right track.

You also got a "Denied RODC Password Replication Group" which will exclude users - so maybe that is the reason why there are so few entries (1 bloom filter equals 1 credential) - I guess you can trigger the RODC credential sync with Windows tools - you need to google that.

 

Regarding the "any credentials" - if you use the credential agent, the credentials are only detected if your web session is related to the corresponding user.

If bob is mapped to IP 1.1.1.1 and bob logs in with alice's credentials, nothing will happen.

If bob is mapped to IP 1.1.1.1 and bob logs in with his own credentials (doesn't matter which user name) - the credentials will be detected.

 

edit: and of course you need SSL decryption - otherwise you are unable to see the credential transmissions
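
The matching rule described in the reply above, as an added example that is not part of the original posts and not the firewall's actual implementation: a simplified model in which the submitted form is checked only against the credential of the user mapped to the source IP. The Bloom filter parameters, the `entry` format, the function names and the sample users and passwords are all assumptions made for the demonstration.

```python
import hashlib

class BloomFilter:
    """Small Bloom filter; bit count and hash count are arbitrary demo values."""
    def __init__(self, bits=4096, hashes=4):
        self.bits, self.hashes, self.field = bits, hashes, 0

    def _positions(self, item: bytes):
        # Derive several bit positions from salted SHA-256 digests of the item.
        for i in range(self.hashes):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.bits

    def add(self, item: bytes):
        for p in self._positions(item):
            self.field |= 1 << p

    def __contains__(self, item: bytes):
        return all(self.field >> p & 1 for p in self._positions(item))

def entry(user: str, password: str) -> bytes:
    # Hypothetical entry format: one filter entry per (user, password) pair.
    return hashlib.sha256(f"{user.lower()}\x00{password}".encode()).digest()

def detect(src_ip, form_fields, ip_user_map, bloom):
    """Return the mapped user if any submitted field is that user's password."""
    user = ip_user_map.get(src_ip)
    if user is None:
        return None  # no IP-to-user mapping, so there is nothing to compare against
    for value in form_fields.values():
        # The user name typed into the form is irrelevant; only the mapped user counts.
        if entry(user, value) in bloom:
            return user
    return None

# Constructed sample data: two synced credentials, one IP-to-user mapping.
BLOOM = BloomFilter()
BLOOM.add(entry("bob", "B0b-Secret!"))
BLOOM.add(entry("alice", "Al1ce-Secret!"))
IP_USER_MAP = {"1.1.1.1": "bob"}

if __name__ == "__main__":
    # bob's session, alice's credentials: no detection
    print(detect("1.1.1.1", {"login": "alice", "pw": "Al1ce-Secret!"}, IP_USER_MAP, BLOOM))
    # bob's session, bob's password under any user name: detected
    print(detect("1.1.1.1", {"login": "someone", "pw": "B0b-Secret!"}, IP_USER_MAP, BLOOM))
    # unmapped source IP: no detection even with a valid password
    print(detect("2.2.2.2", {"login": "bob", "pw": "B0b-Secret!"}, IP_USER_MAP, BLOOM))
```

When testing, this is why a submission only triggers if the test account's password is in the synced set and the client IP is currently mapped to that same account.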
