https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-against-hack5-tools-incl-usb-rubber-ducky/m-p/517336#M2985 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>Has anyone of you expierience with usb rubber ducky and cortex xdr?&nbsp;</P> <P>Our supplier couldn't answer this from the beginnen of the poc. (~1Y)</P> <P>Maybe the collection of a community like you get this question faster answered?&nbsp;</P> <P>I would like to know how cortex would stop it in a smart way.&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Mon, 10 Oct 2022 17:48:14 GMT Cyber1985 2022-10-10T17:48:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-against-hack5-tools-incl-usb-rubber-ducky/m-p/517336#M2985 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>Has anyone of you expierience with usb rubber ducky and cortex xdr?&nbsp;</P> <P>Our supplier couldn't answer this from the beginnen of the poc. (~1Y)</P> <P>Maybe the collection of a community like you get this question faster answered?&nbsp;</P> <P>I would like to know how cortex would stop it in a smart way.&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Mon, 10 Oct 2022 17:48:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-against-hack5-tools-incl-usb-rubber-ducky/m-p/517336#M2985 Cyber1985 2022-10-10T17:48:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-against-hack5-tools-incl-usb-rubber-ducky/m-p/517468#M3002 <P><SPAN>Hi Cyber1985,</SPAN></P> <P><SPAN>By default, all external USB devices are allowed to connect to Cortex XDR endpoints. However, you can use Cortex XDR to manage and block devices connecting to an endpoint using </SPAN><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-endpoint-security/device-control" target="_blank"><SPAN>Device Control.</SPAN></A></P> <P><SPAN>After you apply Device Control rules in your environment, use the Endpoints -&gt; Device Control Violations page to monitor all instances where end users attempted to connect restricted USB-connected devices and Cortex XDR blocked them on the endpoint.</SPAN><SPAN><BR /></SPAN><SPAN>I would also advise you to go through </SPAN><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/514837#M2814%20Turn%20on%20screen%20reader%20support%20%20https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-cortex-xdr-device-control-blocks-mobile-hotspots-through/m-p/514837#M2814" target="_blank"><SPAN>this thread</SPAN></A><SPAN>, which discusses how to create custom device classes.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Last, Cortex XDR should also be able to detect Rubber Duckies and similar devices((depending on the payload being executed) through its BTP module.<BR /><BR />Hope this helps!</SPAN></P> <P><BR /><BR /><BR /></P> Tue, 11 Oct 2022 15:08:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-against-hack5-tools-incl-usb-rubber-ducky/m-p/517468#M3002 mavraham 2022-10-11T15:08:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-against-hack5-tools-incl-usb-rubber-ducky/m-p/517688#M3012 <P>From my expierience now on, it doesn't make sence to block HID Devices in cortex. Who does this? You would need to WL All the guids from All Keyboards in place.&nbsp;&nbsp;</P> <P>An it would be the same for RD, because this is also just a HID usb device.&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Wed, 12 Oct 2022 20:29:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-against-hack5-tools-incl-usb-rubber-ducky/m-p/517688#M3012 Cyber1985 2022-10-12T20:29:56Z