Protection against Hak5 tools incl. USB Rubber Ducky



L3 Networker

Hello dear community, 

 

Does anyone here have experience with the USB Rubber Ducky and Cortex XDR?

Our supplier couldn't answer this from the beginning of the PoC. (~1Y)

Maybe a community like you can get this question answered faster?

I would like to know how Cortex would stop it in a smart way.

 

BR

 

Rob

2 REPLIES

L3 Networker

Hi Cyber1985,

By default, all external USB devices are allowed to connect to Cortex XDR endpoints. However, you can use Cortex XDR to manage and block devices connecting to an endpoint using Device Control.

After you apply Device Control rules in your environment, use the Endpoints -> Device Control Violations page to monitor all instances where end users attempted to connect restricted USB-connected devices and Cortex XDR blocked them on the endpoint.
I would also advise you to go through this thread, which discusses how to create custom device classes. 

 

Last, Cortex XDR should also be able to detect Rubber Duckies and similar devices (depending on the payload being executed) through its BTP module.

Hope this helps!




From my experience so far, it doesn't make sense to block HID devices in Cortex. Who does this? You would need to WL all the GUIDs from all keyboards in place.

And it would be the same for RD, because this is also just a HID USB device.

 

BR

 

Rob
