<

Bad USB - time to fight back!

Published on
15,613 Points
4,013 Views
16 Endorsements
Last Modified:
Approved
Community Pick
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks without using non-microsoft tools or even security software that we would have to pay for.

Let me show the attack types that can be easily defeated:

1 your computer is found unattended and someone connects his USB drive (stick or hard drive or smartphone) to collect some of your data
2 your computer is found unattended and someone tries to run a script to infect your computer. Knowing, that we are prepared for item-1-attacks, he comes with a USB rubber ducky style device, that is a special USB memory stick that camouflages as keyboard to circumvent countermeasures against USB sticks. That way, it can act as a keyboard and type in thousands of code lines per minute…malicious code.The rubber ducky attack  is very dangerous since your computer can be infected in seconds even with current anti-virus software.


The concept:
The usb device, as any other device, needs to be installed in order to work. This takes a few seconds and is long enough to launch a counter-attack and uninstall that devices again before the attacker can use them. Starting with windows 8, the event log will record usb device installations so that we can use these events to trigger the counter attack, namely a scheduled task. That task simply uses devcon.exe, a command line tool by Microsoft to uninstall these newly connected devices within less than a second.

You can deploy these tasks and scripts using group policy preferences, so that they are active on whole networks.

The way:
1 First, obtain devcon.exe - make sure to realize that there are two versions, one for 32 bit and one for 64 bit windows. Use version 6.1.7600.16385 and deploy it to c:\windows, so that it lies within the path.

2 Then, create a whitelist of devices that you actually use and would like to exclude from becoming uninstalled, using this code, for example inside your domain startup script (please note: starting with win8, domain startup scripts are NOT regularly processed when fast startup is in use, so you might have to look for another way to ensure that script runs)
devcon findall =keyboard>%temp%\whitekey.txt
del %windir%\admin\whitekey.txt
for /f %%a in ('findstr /v "matching" %temp%\whitekey.txt') do echo %%a>>%windir%\admin\whitekey.txt

Open in new window

3 Now we proceed to deploying the task (for instructions, see https://technet.microsoft.com/en-us/library/cc725745.aspx ):

Taskname: Keyboardguard

->executing account: system
->trigger:  on event, Log: Microsoft-Windows-Kernel-PnP/Device Configuration, Source: Kernel-PnP, Event ID:410
->Action: start c:\windows\keybguard.bat
Keybguard.bat is a batch file that you need to deploy to the windows directory, too.  Code is
if not exist %windir%\admin\whitekey.txt goto end
devcon findall =keyboard >%temp%\keyb.txt
del %temp%\keyb2.txt
for /f %%a in ('findstr /v "matching" %temp%\keyb.txt') do echo %%a>>%temp%\keyb2.txt
for /f "tokens=1,2,3 delims=\" %%a in (%temp%\keyb2.txt) do findstr "%%a\%%b" %windir%\admin\whitekey.txt || devcon.exe remove "@%%a\%%b\%%c"
:end

Open in new window

That’s it. Mission accomplished, no more rubber ducky attacks. Whenever a ducky device is connected, it gets uninstalled in less than a second, leaving it with no time to execute even one line of malicious code. Of course you can modify this a bit so that a central whitelist is used instead of a per-machine-whitelist. But: if your (huge) company has many many different keyboard types, this list gets long and might even have a negative effect on script performance, that’s why I suggest to use one whitelist per machine.
Now, let me add two task scripts that will uninstall unknown MTP Devices (Phones) and USB drives.
Again, we deploy two scheduled task that execute scripts

Taskname: Kill_Phones

->executing account: system
->trigger:  on event, Log: Microsoft-Windows-WPD-MTPClassDriver/Operational | Source: WPD-MTPClassDriver | EventID:1000
->Action: start c:\windows\kill_phones.bat with code
for /f "tokens=1 delims=:, " %%a in ('devcon listclass wpd') do devcon.exe remove "@%%a"

Open in new window

(please note that this uninstalls all phones and does not look for a whitelist – you could use a whitelist like in the previous section, of course. I would not use one since most phones can be charged without being installed and I don’t like seeing BYOD devices on my network)
Edit: This has one drawback: Apple Iphones are special. They will not charge via USB unless a data connection is detected. So my task won't let them charge. If you plan to let Iphones charge, don't use this task but use these 2 GPOs instead:
WPD Devices: Deny read access 
WPD Devices: Deny write access 

Taskname: Kill_USBDrives

->executing account: system
->trigger:  on event, Log: Microsoft-Windows-Kernel-PnP/Device, Source: Kernel-PnP, EventID: 410
->Action: start c:\windows\kill_USBDrives.bat with code
xcopy \\server\share\allowlist.txt c:\windows\ /y
devcon.exe findall * |findstr "USB.Mass" >%temp%\usb.txt
del %temp%\usb2.txt
for /f %%a in (%temp%\usb.txt) do echo %%a>>%temp%\usb2.txt
for /f "tokens=1,2,3 delims=\" %%a in (%temp%\usb2.txt) do findstr "%%a\%%b" c:\windows\allowlist.txt || devcon.exe remove "@%%a\%%b\%%c"

Open in new window

Please note that this is again using an allowlist (=whitelist) that is being picked up from a network share and allows central modification. It would contain lines with device IDs, that look like this:

USBSTOR\DiskSanDisk_Cruzer_Orbit____1.26

Open in new window

Note that this can be single devices or device classes (like in the above line), just as you like!

That’s all. Feel  free to use and modify these scripts. You might still want to implement logging and alarming (mails/popups). Keep in mind that setting up these protective measures will always have a downside: whenever new keyboards/cordless presenters/USB drives or phones are introduced, you will have to whitelist them from now on.
16
Author:McKnife
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free