Defending against weaponized hardware: Microsoft Defender ATP & Microsoft Intune to the rescue!
Physical security is an often-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate identity protection, and application security. You can have the most hardened servers and network but that doesn’t make the slightest difference if someone can gain direct access to a keyboard and mouse.
A popular and frequently used hardware attack tool is the USB RubberDucky, a keystroke injection device disguised as a generic flash drive. Computers recognize it as a regular keyboard and automatically accept its pre-programmed keystroke payloads. The lesser-known Cactus WHID takes this a step further by adding a wireless access point, which allows remote control of the hardware and the keystrokes it sends.
Bad actors will modify regular USB devices to hide their hardware in plain sight, making it hard to detect visually.
How can I defend against this weaponized hardware? Does Windows Defender ATP detect RubberDuckys? And what role can Microsoft Intune play in securing the endpoint?
Quack, quack, let’s go duckhunting :-)
Physical security is important
About a year ago, in April 2018, the Dutch military intelligence agency (MIVD) stopped an attack by four Russian secret agents that physically travelled to The Hague, Netherlands to hack the OPCW, the international organization for the prohibition of chemical weapons.
The Russians had all sorts of equipment with them, ranging from rogue Wi-Fi access points to USB hardware injection devices. MIVD found the operatives in the parking lot of the OPCW and seized their equipment, then expelled them from the country by putting them on a flight back to Russia the same evening.
It underlines the importance of physical security. If nation states go to these lengths, you can be certain that other bad actors will use physical access as an attack vector as well. And while many companies have some investment in physical security (parking gates, door access, etc.), they typically do not go as far as locking down USB access, safeguarding peripherals, and so on.
Hardware Injection Devices
One of the major categories of physical attack is hardware injection devices that perform automated keystroke injection. These attacks, as the name suggests, cover every technique in which pre-programmed keystrokes are injected into the system. The injection can be done in different ways, for example by a USB device pretending to be a keyboard.
The intrinsic problem with these attacks is that they exploit the very basic trust between the computer and its user input peripherals (mouse, keyboard). In other words: a computer cannot distinguish between a good user and a bad user.
One of the best-known rogue HID devices is the RubberDucky. You can create one yourself by converting a regular USB stick, or buy one on the internet. There are lots of blogs, GitHub repositories and other places on the internet that teach you how to prepare the device with a ‘payload’.
Hiding in plain sight
These HID devices, however, are easy to spot if they sit visibly in a USB port of the computer. The user will likely report the unknown device to the IT or security department, and the hack gets stopped in its tracks. Because red teams aim to persist, so that they can access the network over time whenever needed, they come up with ways to “cover up” their USB devices. That is why more advanced red teams and bad actors hide their rogue equipment inside objects the user already uses with their computer, for instance USB mice, USB keyboards, or things like USB lamps.
Hiding a rogue HID device in another object takes some effort. You would want to prepare ahead of time because it involves soldering, testing, and so on. To make the device blend in, you would need to know the brand and model the target organization uses, which requires reconnaissance and/or OSINT beforehand. You would also need enough physical “space” inside the other object to fit your device; that obviously would not work if the company uses, for instance, the Surface Arc Mouse.
Don’t underestimate supply chain attacks
One other thing to consider in this context is the potential for bad actors to attack the supply chain. At first thought that might not seem the easiest route, but there is a lot of potential in it when you consider how many enterprises use outside providers to ‘prepare’ their endpoints, for instance with OS images, and let those firms add custom materials to the package so that it arrives at the end user with all corporate requirements fulfilled.
What if those outside providers get targeted? And your mice get switched out for rogue ones? How would you see that? What measures does your outside provider have in place?
Weaponizing a mouse
To make this a real-world example, I wanted to weaponize a mouse myself. So, what would I need to get this done?
First, a hardware injection device; I chose the Cactus WHID because it has a wireless connection for remote control, is cheap, is small enough, and comes pre-installed with ESPloit v2, which has a large collection of pre-fabricated payloads. I would also need a USB hub tiny enough to fit into a small space together with the Cactus WHID; I chose a Nano USB hub. Last but not least, I would need a mouse with enough ‘free space’ to embed all the elements inside; the Microsoft IntelliMouse is the perfect choice for that, and it raises less suspicion because it carries the Microsoft logo.
This became my shopping list:
The high-level steps I would need to follow: open the mouse, cut the USB cable, solder the USB Nano hub to the hub ‘input port’, solder the mouse connector to ‘output port 1’, and then solder the Cactus WHID to ‘output port 2’. And lastly, put the mouse back together again.
Here are pictures from the actual process:
PRO TIP: make sure you have a good soldering iron, one with a precision tip and a thermostat. That saves you from destroying your Nano hub during the soldering process. You will also need the right solder and a magnifying glass. I would suggest removing the USB-A connector from the Cactus WHID board to save space.
Let’s try out our mouse-on-steroids in the real world
Our weaponized mouse is now ready for use. Once you plug the mouse into an endpoint, the USB hub gets power and the Cactus WHID starts booting up. As the board is Arduino-based and the firmware and operating code are relatively light, the access point is up within seconds.
The user won’t notice because he or she will just experience normal behavior; the mouse input works as expected (albeit now through the USB hub behind the scenes).
By default, ESploit v2 is pre-configured to bring up a Wi-Fi network with SSID ‘Exploit’ and passphrase ‘DotAgency’ that is broadcast visibly. You can choose to hide it, rename it, and/or change other settings such as manually selecting a channel.
One of the neat things that ESploit v2 can do is to exfiltrate data. This provides you with an extra way to get data out of the target system, instead of needing to build a covert channel to the internet.
Detecting rogue HID devices
Every time a new external device is recognized by the system, Windows writes an entry to the Security event log with event ID 6416. You should collect these events and look at fields such as DeviceName, DeviceID and ClassName to find rogue devices.
The Advanced Hunting feature of Windows Defender ATP and the powerful Kusto Query Language (KQL) make it very easy to hunt for these devices at scale.
Here’s a KQL query that you could use in Advanced Hunting in Windows Defender ATP to identify users, machines, and types of devices that are being used suspiciously:
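The same hunt can be run over exported 6416 events with a small correlation script. The example below is added here and is not the author’s query: it parses the EventData of constructed sample records (field names follow the event’s XML, where the rendered “Device Name” is DeviceDescription), flags any keyboard-class device that is not on a corporate allowlist, and raises the severity when a USB hub and a mouse enumerated on the same host within seconds, which is exactly the footprint of the hub-plus-WHID mouse built above. The allowlist, host names and VID/PID values are assumptions; note that Windows only writes event 6416 when the Audit PNP Activity subcategory is enabled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

# Corporate keyboard allowlist as VID:PID (constructed placeholder value).
ALLOWED_KEYBOARDS = {"045E:0750"}

def ev_xml(device_id, description, class_name):
    """Build the EventData fragment of one 6416 record (constructed test input)."""
    return (f"<EventData><Data Name='DeviceId'>{escape(device_id)}</Data>"
            f"<Data Name='DeviceDescription'>{escape(description)}</Data>"
            f"<Data Name='ClassName'>{class_name}</Data></EventData>")

def parse_6416(xml_text):
    """Map every <Data Name=...> element of an event 6416 record to a dict."""
    return {d.get("Name"): (d.text or "") for d in ET.fromstring(xml_text).iter("Data")}

def vid_pid(device_id):
    """'USB\\VID_045E&PID_0745\\6&...' -> '045E:0745' ('????' if a part is missing)."""
    parts = device_id.split("\\")
    ids = dict(t.split("_", 1) for t in (parts[1] if len(parts) > 1 else "").split("&") if "_" in t)
    return f"{ids.get('VID', '????')}:{ids.get('PID', '????')}"

def find_rogue_keyboards(events, window=timedelta(seconds=15)):
    """events: (iso_timestamp, host, eventdata_xml) tuples. Flags keyboard-class
    devices missing from the allowlist; severity 'high' when a USB hub and a mouse
    enumerated on the same host within `window` (the hub+WHID-in-a-mouse footprint)."""
    parsed = sorted(((datetime.fromisoformat(ts), host, parse_6416(x))
                     for ts, host, x in events), key=lambda e: e[0])
    findings = []
    for ts, host, ev in parsed:
        ids = vid_pid(ev.get("DeviceId", ""))
        if ev.get("ClassName") != "Keyboard" or ids in ALLOWED_KEYBOARDS:
            continue
        nearby = {e[2].get("ClassName") for e in parsed
                  if e[1] == host and e[2] is not ev and abs(e[0] - ts) <= window}
        findings.append({"host": host, "time": ts.isoformat(), "ids": ids,
                         "device": ev.get("DeviceDescription", ""),
                         "severity": "high" if {"USB", "Mouse"} <= nearby else "medium"})
    return findings

# Constructed sample: docked corporate keyboard; then hub, mouse and unknown keyboard
# within seconds on WS01; lone unknown keyboard on WS02. VID/PID values are illustrative.
SAMPLE_EVENTS = [
    ("2019-04-02T07:55:00", "WS01", ev_xml("USB\\VID_045E&PID_0750\\5&1&0&3", "HID Keyboard Device", "Keyboard")),
    ("2019-04-02T08:01:10", "WS01", ev_xml("USB\\VID_1A40&PID_0101\\5&2&0&4", "Generic USB Hub", "USB")),
    ("2019-04-02T08:01:11", "WS01", ev_xml("USB\\VID_045E&PID_0745\\6&3&0&1", "HID-compliant mouse", "Mouse")),
    ("2019-04-02T08:01:13", "WS01", ev_xml("USB\\VID_2341&PID_8036\\6&3&0&2", "HID Keyboard Device", "Keyboard")),
    ("2019-04-02T09:30:00", "WS02", ev_xml("USB\\VID_1234&PID_0001\\5&1&0&2", "HID Keyboard Device", "Keyboard")),
]
```

Calling `find_rogue_keyboards(SAMPLE_EVENTS)` returns two findings: WS01 rated high because a hub and a mouse enumerated right before the unknown keyboard, and WS02 rated medium for a lone unknown keyboard.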
Defending against these types of attacks
What options do you have to defend against these types of attacks? First, you could always consider physically securing access to the computer’s ports. However, I would suggest using a combination of Windows Defender and Microsoft Intune to provide a more enterprise-ready solution.
In the Intune portal you can go to Device configuration, then Profiles, then Create profile. Give the profile a name, description, choose Windows 10 or later as the platform type, and Endpoint protection as the profile type. Click Configure, then Windows Defender Exploit Guard, then Attack Surface Reduction. For Unsigned and untrusted processes that run from USB, choose Block.
Happy hunting ;-)
— Maarten Goet, MVP & RD