- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Cortex XDR Prevent Did Not Detect ncat
- LIVEcommunity
- Collaboration
- Discussions
- Cortex XDR Discussions
- Cortex XDR Prevent Did Not Detect ncat
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Cortex XDR Prevent Did Not Detect ncat
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-22-2020 07:35 PM
Hello I am new to Cortex XDR. I tried ncat on a PC with Cortex XDR Prevent (with Windows Defender) and it did not detect or stop the connection from Kali a PC. Windows Defender showed a warning and once I allowed it I was able to connect on ncat from Kali. Is Cortex XDR Prevent supposed to stop ncat or at least give me an email alert about the connection? Anybody else tried this and with the same result? I will try this with Symantec and will see if Symantec stops the ncat connection.
Thank you
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-13-2020 11:27 AM
Consider two things:
1. Windows Defender should be disabled on PC that runs Cortex XDR. If this does not occur automatically, disable it manually as it could intervene with Cortex XDR.
2. In case Cortex XDR does not indeed prevent it by default, you can always create a BIOC rule to detect NCAT and then set it as prevention rule inside the Restrictions Profile -> Custom Prevention Rules.
Best,
David
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2020 07:37 AM
@DKasabji, I am seeing some devices where Windows Defender Antivirus still have the service running. I disable it via GPO and surprised to see it running on my system. With the new tamper protections I have yet to figure out how to disable the service so it is like it is "off" but still running the app behind the scenes. We are not Intune subscribers so there does not appear to be a way to turn it off if Cortex fails to do so.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2020 07:42 AM
@tech_noob, doesn't ncat have legtimate uses so in and of itself it is not evil? Do you have the grayware protection enabled? (Just thinking out loud...I am not experienced with Kali or ncat.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2020 02:12 PM
@EddieRowe Aren't you able to disable Tamper protection on Windows? That way you can disable Defender via GPO.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2020 02:28 PM
ncat is a legitmate software but it can be used maliciouisly by bad guys. Kali is a network penetration software that is used by white and black hat hackers. I ran ncat on my windows machine and I connected with ncat from my Kali machine. I used ncat (without e) by nmap because the actual netcat (with e) is blocked by windows defender and cortex. We upgraded to Cortex XDR pro and I should be able to create BIOC rules to give me alert when ncat is used in my network.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2020 02:29 PM
I run windows defender along with cortex xdr. I have tamper protection on cortex xdr.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2020 03:09 PM
@DKasabji, No it cannot be disabled any longer unless you have an Intune subscription per MS documentation (link below). Our GPO has had Windows Defender turned off for many years now going back to before we added Cortex XDR Prevent to our environment. (The prior solution did not disable automatically so we have always used the GPO setting.) The GPO setting is active and Defender has never been observed doing anything on our systems to my knowledge. But for some reason some systems, all running Win10 v1903, some systems have the Windows Defender Antivirus Service running and others do not. I am going to guess that this was an issue before Cortex XDR Prevent and it was just not noticed. We have an application misbehaving and the vendor claims Windows Defender is the cause so as part of my info gathering I noticed the service running on the system.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2020 06:08 PM
I created IOC using ncat.exe and I get an alert from XDR when I tried to use ncat. I will decide later if I should to ahead and block it.
I also created IOC tor nmap.exe and tor.exe.
- Correlation rules create incident in Cortex XDR Discussions
- Question from "Dev to Prod" Webinar - Gitlab branches deletion in Cortex XSOAR Discussions
- Expired Certificate in Cortex XDR documentation in Cortex XDR Discussions
- RQL query for resources outside the authorized regions in Prisma Cloud Discussions
- XDR 3.2 Broker VM Kernel version in Cortex XDR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
