Overview
If a malicious hardware device which probably looks like an usual USB key is plugged into the USB port of a PC but then act like a keyboard, we are talking about Human Interface Device (HID) Attacks. This attacks are known since many years but recently gain popularity.
A reasons for the increasing popularity of the attacks might be the availability of cheap hardware which can be used for the attacks. Also the hardware has become more reliable and easier to handle over time.
Spreading malicious USB sticks around at the location of the target is a known attack vector since years and proves still useful for awareness raising campaigns. However, to implement a successful targeted attack it is recommend to get physical access to the targeted company, respectively to the targeted network or PC.
Some of the most powerful attacks need access to an unlocked and unattended PC - this attack is sometimes referred to as USB Drive-By. However, some specific attacks do not need this - they just require access to a PC’s USB plug of an even locked PC to perform malicious activities. This second attack scenario is not covered within this article.
From a forensic investigator’s point of view these attacks raise the question about the potential to collect indicators of compromise: what evidences could be found on a PC targeted by an HID Attack?
We setup a virtual scenario for this exercise
To analyse such a situation, we set up a Window 7 professional workstation which is not connected to a windows domain. The system runs with default settings. We do not activate any additional logging or auditing features.
The user boots up the PC and logs in. Then, for some reason, the user lets the PC unattended for some minutes.
The attacker inserts a pre-programed HID device into the USB port of the PC. The attack itself is described in detail below.
Some minutes later the user comes back, detects that something went wrong and shuts down the PC.
The attack in detail
The attack is performed with an USB Rubber Ducky. The device acts like an USB keyboard and is prepared with a Ducky Script.
The script simulates the listed keyboard activities:
-
Part 1: Adding a user – Press The run key – Instruct Powershell to start a command line interface with privileged rights – Add a mailicious user with defined password – Assign the user to the local administrators group
-
Part 2: Some network activities – Press the run key – Open a command line interface and ping an IP address
-
Part 3: Execute a crypto ransomware – Press the run key – Execute the malware stored at users desktop
Outcome
After the PC is shut down we do a classical file-system postmortem forensic analysis with main focus on the filesystem timeline, the registry and the eventlogs.
Easy to identify are the system boot, the user login as well as the shutdown of the PC. It is also possible to detect that the user reviewed his home folder rights before shutting down the PC.
In the context of the attack it is possible to identify that an HID device gets connected to an USB port and that a keyboard driver gets assigned to it.
Example: Registry System hive
ControlSet001\Enum\USB
VID_03EB&PID_2401 [Tue Jan 30 16:31:20 2018]
S/N: 5&18f54cb7&0&2 [Tue Jan 30 16:31:21 2018]
ControlSet001\Services
Tue Jan 30 16:31:21 2018Z
Name = kbdhid
Display = Keyboard HID Driver
ImagePath = system32\DRIVERS\kbdhid.sys
Type = Kernel driver
Start = Manual
Group = Keyboard Port
Also most of the performed activities could be discovered. It is possible to trace back all the commands entered into the run dialog by the attacker. We could also uncover the network aktivities and the execution of the malware.
Example: Registry NTUSER.DAT hive
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
LastWrite Time Tue Jan 30 16:32:09 2018 (UTC)
MRUList = cba
a powershell Start-Process cmd -Verb runAs\1
b cmd /C "start /MIN cmd /C ping -n 10 127.0.0.1"\1
c "C:\Users\Locky\Desktop\Test Folder\ccc\1.exe"\1
We could detect that a new user account is created and that he is added to the local administrators group.
Example: Eventlog Security.evtx
3217 Audit Success 1/30/2018 4:31:42 PM
4732 Security Group Management Demo-PC
A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-4212223026-3181619266-2879170966-1000
Account Name: Locky
Account Domain: Demo-PC
Logon ID: 0x1b9ac
Member:
Security ID: S-1-5-21-4212223026-3181619266-2879170966-1001
Account Name: -
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
There are clear traces in the timeline when the crypto ransomware starts doing its job, and when it finished.
Example: Filesystem timeline
Tue Jan 30 2018 17:32:17
670 .a.b 15788-128-4 /Users/Locky/Documents/recover_file_vvvtnijqm.txt.vvv
2401 macb 18109-128-4 /ProgramData/how_recover+fye.txt
6921 macb 18129-128-4 /ProgramData/how_recover+fye.html
.....
.....
Tue Jan 30 2018 17:32:34
2401 macb 43903-128-4 /Users/Public/how_recover+fye.txt
6921 macb 43904-128-4 /Users/Public/how_recover+fye.html
2401 macb 43905-128-4 /Users/Locky/Desktop/Howto_RESTORE_FILES.txt
6921 macb 43906-128-4 /Users/Locky/Desktop/Howto_RESTORE_FILES.html
3452054 macb 43907-128-4 /Users/Locky/Desktop/Howto_RESTORE_FILES.bmp
These are just some of the key findings. More interesting findings can be found in the raw technical report.
Summary
It is possible to identify the event of HID hardware connected to an USB interface and correlate it with the driver installation and the related activities performed on the system.
However to get the bests results it is important to immediately perform a forensic sound acquisition of the compromised PC.
Contact
If you have any question or suggestion about this topic, feel free to contact us. If you know other HID attacks or malicious devices acting on HID, we would be interested to get technical details in order to improve this document.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision of the text (not the table)
- Version 1.0 - 05 February 2018 - TLP:WHITE