Browse All Articles > Bad USB - time to fight back!
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks without using non-microsoft tools or even security software that we would have to pay for.
Let me show the attack types that can be easily defeated:
1 your computer is found unattended and someone connects his USB drive (stick or hard drive or smartphone) to collect some of your data
2 your computer is found unattended and someone tries to run a script to infect your computer. Knowing, that we are prepared for item-1-attacks, he comes with a USB rubber ducky style device, that is a special USB memory stick that camouflages as keyboard to circumvent countermeasures against USB sticks. That way, it can act as a keyboard and type in thousands of code lines per minute…malicious code.The rubber ducky attack is very dangerous since your computer can be infected in seconds even with current anti-virus software.
The concept:
The usb device, as any other device, needs to be installed in order to work. This takes a few seconds and is long enough to launch a counter-attack and uninstall that devices again before the attacker can use them. Starting with windows 8, the event log will record usb device installations so that we can use these events to trigger the counter attack, namely a scheduled task. That task simply uses devcon.exe, a command line tool by Microsoft to uninstall these newly connected devices within less than a second.
You can deploy these tasks and scripts using group policy preferences, so that they are active on whole networks.
The way:
1 First, obtain devcon.exe - make sure to realize that there are two versions, one for 32 bit and one for 64 bit windows. Use version 6.1.7600.16385 and deploy it to c:\windows, so that it lies within the path.
2 Then, create a whitelist of devices that you actually use and would like to exclude from becoming uninstalled, using this code, for example inside your domain startup script (please note: starting with win8, domain startup scripts are NOT regularly processed when fast startup is in use, so you might have to look for another way to ensure that script runs)
Taskname: Keyboardguard
->executing account: system
->trigger: on event, Log: Microsoft-Windows-Kernel-PnP/Device Configuration, Source: Kernel-PnP, Event ID:410
->Action: start c:\windows\keybguard.bat
Keybguard.bat is a batch file that you need to deploy to the windows directory, too. Code is
Now, let me add two task scripts that will uninstall unknown MTP Devices (Phones) and USB drives.
Again, we deploy two scheduled task that execute scripts
Taskname: Kill_Phones
->executing account: system
->trigger: on event, Log: Microsoft-Windows-WPD-MTPClassDriver/Operational | Source: WPD-MTPClassDriver | EventID:1000
->Action: start c:\windows\kill_phones.bat with code
Edit: This has one drawback: Apple Iphones are special. They will not charge via USB unless a data connection is detected. So my task won't let them charge. If you plan to let Iphones charge, don't use this task but use these 2 GPOs instead:
WPD Devices: Deny read access
WPD Devices: Deny write access
Taskname: Kill_USBDrives
->executing account: system
->trigger: on event, Log: Microsoft-Windows-Kernel-PnP/Device, Source: Kernel-PnP, EventID: 410
->Action: start c:\windows\kill_USBDrives.bat with code
That’s all. Feel free to use and modify these scripts. You might still want to implement logging and alarming (mails/popups). Keep in mind that setting up these protective measures will always have a downside: whenever new keyboards/cordless presenters/USB drives or phones are introduced, you will have to whitelist them from now on.
Let me show the attack types that can be easily defeated:
1 your computer is found unattended and someone connects his USB drive (stick or hard drive or smartphone) to collect some of your data
2 your computer is found unattended and someone tries to run a script to infect your computer. Knowing, that we are prepared for item-1-attacks, he comes with a USB rubber ducky style device, that is a special USB memory stick that camouflages as keyboard to circumvent countermeasures against USB sticks. That way, it can act as a keyboard and type in thousands of code lines per minute…malicious code.The rubber ducky attack is very dangerous since your computer can be infected in seconds even with current anti-virus software.
The concept:
The usb device, as any other device, needs to be installed in order to work. This takes a few seconds and is long enough to launch a counter-attack and uninstall that devices again before the attacker can use them. Starting with windows 8, the event log will record usb device installations so that we can use these events to trigger the counter attack, namely a scheduled task. That task simply uses devcon.exe, a command line tool by Microsoft to uninstall these newly connected devices within less than a second.
You can deploy these tasks and scripts using group policy preferences, so that they are active on whole networks.
The way:
1 First, obtain devcon.exe - make sure to realize that there are two versions, one for 32 bit and one for 64 bit windows. Use version 6.1.7600.16385 and deploy it to c:\windows, so that it lies within the path.
2 Then, create a whitelist of devices that you actually use and would like to exclude from becoming uninstalled, using this code, for example inside your domain startup script (please note: starting with win8, domain startup scripts are NOT regularly processed when fast startup is in use, so you might have to look for another way to ensure that script runs)
devcon findall =keyboard>%temp%\whitekey.txt
del %windir%\admin\whitekey.txt
for /f %%a in ('findstr /v "matching" %temp%\whitekey.txt') do echo %%a>>%windir%\admin\whitekey.txtTaskname: Keyboardguard
->executing account: system
->trigger: on event, Log: Microsoft-Windows-Kernel-P
->Action: start c:\windows\keybguard.bat
Keybguard.bat is a batch file that you need to deploy to the windows directory, too. Code is
if not exist %windir%\admin\whitekey.txt goto end
devcon findall =keyboard >%temp%\keyb.txt
del %temp%\keyb2.txt
for /f %%a in ('findstr /v "matching" %temp%\keyb.txt') do echo %%a>>%temp%\keyb2.txt
for /f "tokens=1,2,3 delims=\" %%a in (%temp%\keyb2.txt) do findstr "%%a\%%b" %windir%\admin\whitekey.txt || devcon.exe remove "@%%a\%%b\%%c"
:endNow, let me add two task scripts that will uninstall unknown MTP Devices (Phones) and USB drives.
Again, we deploy two scheduled task that execute scripts
Taskname: Kill_Phones
->executing account: system
->trigger: on event, Log: Microsoft-Windows-WPD-MTPC
->Action: start c:\windows\kill_phones.bat
for /f "tokens=1 delims=:, " %%a in ('devcon listclass wpd') do devcon.exe remove "@%%a"Edit: This has one drawback: Apple Iphones are special. They will not charge via USB unless a data connection is detected. So my task won't let them charge. If you plan to let Iphones charge, don't use this task but use these 2 GPOs instead:
WPD Devices: Deny read access
WPD Devices: Deny write access
Taskname: Kill_USBDrives
->executing account: system
->trigger: on event, Log: Microsoft-Windows-Kernel-P
->Action: start c:\windows\kill_USBDrives.
xcopy \\server\share\allowlist.txt c:\windows\ /y
devcon.exe findall * |findstr "USB.Mass" >%temp%\usb.txt
del %temp%\usb2.txt
for /f %%a in (%temp%\usb.txt) do echo %%a>>%temp%\usb2.txt
for /f "tokens=1,2,3 delims=\" %%a in (%temp%\usb2.txt) do findstr "%%a\%%b" c:\windows\allowlist.txt || devcon.exe remove "@%%a\%%b\%%c"USBSTOR\DiskSanDisk_Cruzer_Orbit____1.26That’s all. Feel free to use and modify these scripts. You might still want to implement logging and alarming (mails/popups). Keep in mind that setting up these protective measures will always have a downside: whenever new keyboards/cordless presenters/USB drives or phones are introduced, you will have to whitelist them from now on.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (5)
Author
Commented:I guess at the moment I am pretty fed up with frustration about questions. I have a feeling that it gets worse and worse for us experts. I don't know about the SQL sections, but in the typical system administrator sections (and OS security), I am tempted to say that nowadays 2 out of three questions are really hard to work with for one or the other reason.
Ok, I will try not to let it frustrate me too much.
Commented:
I hadn't heard of USB rubber-ducky devices before. Thanks for the info!
Commented:
I had honestly never thought of anything like this so thanks for the heads up. Could you do the same thing but only activate if an .exe or .com was run from the USB. This would allow legitimate use of the USB but still protect the PC. We do it already with GPO to deny running *.exe etc from particular drive letters but your way sounds good too,
Cheers
Author
Commented:When an .exe is run, it's already too late. So until the removal action would have started (triggered by some mechanism, doesn't matter), the exe code is already inside the RAM of your computer and it will not help to uninstall the device, then.
What we could do, is trigger certain actions when the device is plugged in, like for example search the whole device for *.exe or *.com and if found, uninstall the device. But that might take a few seconds and it could be that this process is too slow, so that the exe is already started manually while the search is still on it.
Author
Commented:I just "strolled" through our GPOs and came across a setting that I almost forgot: starting with win7, we can deny not only read/write but also execute access (separately) on removable devices by GPO! See https://technet.microsoft.com/de-de/library/hh125922%28v=ws.10%29.aspx?