Ga naar content

Defending against weaponized hardware: Microsoft Defender ATP & Microsoft Intune to the rescue!

Physical security is an often-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate identity protection, and application security. You can have the most hardened servers and network but that doesn’t make the slightest difference if someone can gain direct access to a keyboard and mouse.

An often-used popular hardware attack is the USB RubberDucky, a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard and automatically accept its pre-programmed keystroke payloads. The lesser known Cactus WHID takes this to the next level by adding a wireless access point, to allow for remote control of the hardware and keystrokes.

Bad actors will modify regular USB devices to hide their hardware in plain sight, making it hard to detect visually.

How can I defend against this weaponized hardware? Does Windows Defender ATP detect RubberDucky’s? And what role can Microsoft Intune play in securing the endpoint?

Quack, quack, let’s go duckhunting :-)

Physical security is important

About a year ago, in April 2018, the Dutch military intelligence agency (MIVD) stopped an attack by four Russian secret agents that physically travelled to The Hague, Netherlands to hack the OPCW, the international organization for the prohibition of chemical weapons.

The Russians had all sorts of equipment with them, ranging from rogue WIFI access points to USB hardware injection devices. MIVD found the operatives in the parking lot of the OPCW and seized their equipment, then expelling them from the country by putting them on a flight back to Russia the same evening.

It underlines the importance of physical security. If nation states target it, you can be certain that other bad actors will use it as a potential attack vector as well. And while many companies have some investments in physical security (parking gates, door access, etc.) they typically do not go as far as locking down USB access, safeguard peripherals etc.

Hardware Injection Devices

One of the bigger types of physical attacks are hardware injection devices that do automated key injection attacks. These attacks, as the name suggests, group all attacks where pre-programmed keystrokes are injected into the system. This injection can be done in different ways, for example by USB devices pretending to be a keyboard.

The intrinsic problem with these attacks is that they exploit the very basic trust between the computer and the user input peripherals (mouse, keyboard). In other words: a computer won’t be able to distinguish between a good user or a bad user.

One of the most known rogue HID devices is called RubberDucky. You can create one yourself by converting a regular USB stick, or buy one on the internet. There are lots of blogs, GitHub repositories and other places on the internet that learn you how to prepare the device with a ‘payload’.

Hiding in plain sight

These HID devices however might be easy to spot if they are visually present in the USB port of the computer. The user will likely then call in that unknown device to the IT or security department, and the hack gets stopped in its tracks. As red teams aim to persist, so that they can access the network over time when needed, they are coming up with ways to “cover up” their USB devices. That’s why more advanced red teams and/or bad actors will hide their rogue equipment in objects that the user regularly uses with their device, for instance in USB mice, USB keyboards, or things like USB lamps, etc.

Hiding your rogue HID device in another object takes some effort. You would likely want to prepare ahead of time because it will involve soldering, testing, etc. Therefore, you would need to know the brand and model they are using, so that it blends in, therefore requiring you to do some reconnaissance and/or OSINT ahead of time. And you would also need the physical “space” to put your device into the other object; something that would obviously not work if the company for instance uses the Surface Arc Mouse.

Don’t underestimate supply chain attacks

One other thing to consider in this context is the potential of bad actors attacking the supply chain. And although on first thought that might not be the easiest thing to do, there is a lot of potential to it when you consider how many enterprises use outside providers to ‘prepare’ their endpoints with for instance OS images and/or let those firms add custom materials to the package so that it shows up to the end user with all the corporate requirements fulfilled.

What if those outside providers get targeted? And your mice get switched out for rogue ones? How would you see that? What measures does your outside provider have in place?

Weaponizing a mouse

To make this a real-world example, I wanted to weaponize a mouse myself. So, what would I need to get this done?

At least a hardware injection device; I choose the Cactus WHID because it has a wireless connection for remote control, is cheap, is small enough, and is pre-installed with ESPloit v2 which has a large collection of pre-fabricated payloads. I would need a USB hub tiny enough to fit into a small space together with the Cactus WHID; I choose a Nano USB hub. Last but not least, I would need a mouse with enough ‘free space’ to embed all the elements inside; the Microsoft Intellimouse is the perfect choice for that and is less suspected because of having the Microsoft logo on it.

This became my shopping list:

The high-level steps I would need to follow: open the mouse, cut the USB cable, solder the USB Nano hub to the hub ‘input port’, solder the mouse connector to ‘output port 1’, and then solder the Cactus WHID to ‘output port 2’. And lastly, put the mouse back together again.

Here are pictures from the actual process:

PRO TIP: make sure you have a good soldering iron. One that has a precision tip and a thermostat. That saves you from destroying your Nano hub during the soldering process. You will need the right tin, and a magnifying glass. I would also suggest removing the USB-A connection from the Cactus WHID board to save space.

Let’s try out our mouse-on-steroids in the real world

Our weaponized mouse is now ready for use. One you plug the mouse into an endpoint, the USB hub gets power and the Cactus WHID starts booting up. As the board is Arduino-based and the firmware and operating code is relatively light, the access point will be up within seconds.

The user won’t notice because he or she will just experience normal behavior; the mouse input works as expected (albeit now through the USB hub behind the scenes).

By default, ESploit v2 is pre-configured to power on a WIFI network with SSID ‘Exploit’ and passphrase ‘DotAgency’ that is visible. You can choose to make it hidden, rename it and/or change other settings such as manually choosing a channel.

As the bad actor, you sit remote and connect to the WIFI network and go to 192.168.1.1 (default username is ‘admin’ and default password is ‘hacktheplanet’). You get presented with a basic web interface which allows you to upload payloads to the storage and configure whether these should run now, at a specific time, or when the device powers up.

One of the neat things that ESploit v2 can do is to exfiltrate data. This provides you with an extra way to get data out of the target system, instead of needing to build a covert channel to the internet.

Detecting rogue HID devices

Every time a new external device is recognized by the system, Windows generates an entry in the Security eventlog with event ID 6416. You should collect these events and look at fields such as DeviceName and DeviceID to find rogue devices.

The Advanced Hunting feature of Windows Defender ATP and the powerful Kusto Query Language (KQL) make it very easy to hunt for these devices at scale.

Here’s a KQL query that you could use in Advanced Hunting in Windows Defender ATP to identify users, machines, and types of devices that are being used suspiciously:

If you want to search for specific devices, you can add a where clause to your KQL query and filter on the DeviceId field, in this example we’re looking specifically for the Cactus WHID device:
You could apply other filters in your hunting, for instance limiting the query to display only last 24 hours:
This matches with the hardware ID found for the Cactus WHID in the Windows device manager:

Defending against these types of attacks

What options would you have to defend against these types of attacks? First, you could always consider to physically secure access to the computer ports. However, I would suggest using a combination of Windows Defender and Microsoft Intune to provide a more enterprise-ready solution here.

In the Intune portal you can go to Device configuration, then Profiles, then Create profile. Give the profile a name, description, choose Windows 10 or later as the platform type, and Endpoint protection as the profile type. Click Configure, then Windows Defender Exploit Guard, then Attack Surface Reduction. For Unsigned and untrusted processes that run from USB, choose Block.

Or block removable devices all together by blocking the For Removable storage and USB connection (mobile only) and Removable storage includes USB drives, where USB connection (mobile only) settings.
Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, I would recommend only allowing specifically approved USB peripherals and limiting the users who can access them. Windows Defender allows installation and usage of only specifically approved peripherals by creating a custom profile in Intune and configuring DeviceInstallationpolicies. For example, this custom profile allows installation and usage of USB devices with hardware IDs “USBSTOR\DiskVendorCo” and “USBSTOR\DiskSanDisk_Cruzer_Glide_3.0”.
The Windows Defender ATP team is also on top of these hardware attacks. Using both a combination of well-known devices and their hardware ID’s, and machine learning, they will raise an alert in the Windows Defender ATP console to make you aware of the potential attack:
Another option to consider is implementing DuckHunt, an open source project by Pedro Sosa. DuckHunt is a free small efficient script that acts as a daemon consistently monitoring your keyboard usage that can catch and prevent a RubberDucky attack. Technically it helps prevent any type of automated keystroke injection attack, so weaponized mice are also covered.
Some payloads for RubberDucky will try and disable Windows Defender so that it does not get detected. Rest assured that you can prevent endpoints from deactivating Windows Defender and that any action that would potentially shut down Windows Defender will show up in the Windows Defender ATP console and will surely get follow up from the people in your company’s Security Operations Center :-)

Happy hunting ;-)

— Maarten Goet, MVP & RD