10-10-2022 10:48 AM
Hello dear community,
Does any of you have experience with USB Rubber Ducky and Cortex XDR?
Our supplier couldn't answer this from the beginning of the PoC. (~1Y)
Maybe a community like yours can get this question answered faster?
I would like to know how cortex would stop it in a smart way.
BR
Rob
10-11-2022 08:08 AM
Hi Cyber1985,
By default, all external USB devices are allowed to connect to Cortex XDR endpoints. However, you can use Cortex XDR to manage and block devices connecting to an endpoint using Device Control.
After you apply Device Control rules in your environment, use the Endpoints -> Device Control Violations page to monitor all instances where end users attempted to connect restricted USB-connected devices and Cortex XDR blocked them on the endpoint.
I would also advise you to go through this thread, which discusses how to create custom device classes.
Last, Cortex XDR should also be able to detect Rubber Duckies and similar devices (depending on the payload being executed) through its BTP module.
Hope this helps!
10-12-2022 01:27 PM - edited 10-12-2022 01:29 PM
From my experience now on, it doesn't make sense to block HID devices in Cortex. Who does this? You would need to WL all the GUIDs from all keyboards in place.
And it would be the same for RD, because this is also just a HID USB device.
BR
Rob