Prevent Credential Phishing with UPN (userPrincipalName)


Hi World,

I'm having my first contact with this Prevent Credential Phishing feature. With the option "IP User", because User-ID mapping is already in place, I'm able to detect sAMAccountName username submissions. But a lot of phishing sites are focused on the UPN, and the UPN username field submission is not detected by the firewall.

sAMAccountName is our primary Username in the group mapping settings and alternate Username 1 is the UPN.

If possible, how can we detect username field submissions with UPN or sAMAccountName? Perhaps it is possible with the Domain Credential Filter setting, but we do not have an RODC at the moment; if it is the only option to cover both username types, then I'm also happy to know that.

I hope somebody can help; the PAN documentation does not cover this topic.

Kind regards

Hi @fhu_omi ,

Have you considered the option to create an additional Group-Mapping profile with UPN as the primary username?

And then configure Credential Protection with the "User Group Mapping" setting.

Hi @aleksandar.astardzhiev ,

This does not work; see the KB https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0, where it is written: When multiple group-mappings are configured with the same base DN or LDAP server, each group-mapping must include non-overlapping groups, i.e. the include group list must not have any common group.

But for test purposes, you need to consider that not every web service is protected by the user credential protection. If the traffic is classified as one of the following services, then user credential prevention does not kick in:

https://live.paloaltonetworks.com/t5/customer-resources/trusted-app-ids-that-skip-credential-submiss...

I tested on the Facebook login site, which is protected by the PAN user credential prevention. I have a UPN testuser1@testdomain.com and SAM testuser1.

And PAN blocks as soon as the string testuser1 is seen in a username field:

testuser1 -> detected

testuser1@ -> detected

testuser1@testdomain.com -> detected

testuser1@blabla.com -> detected

testuser12 -> not detected

testuser12@ -> not detected

It looks like the domain is not checked for this Group Mapping credential submit method.

I now need to set up an RODC to check the behaviour with the Domain Credential Filter method.

Kind regards
