Detecting a Rubber Ducky USB Attack with Digital Guardian Advanced Threat Protection (Video Demo)
Our latest video demonstrates how Digital Guardian Advanced Threat Protection can detect and block a Rubber Ducky USB attack.
Between the buzz from the second season of Mr. Robot and another year of record-setting attendance at the BlackHat and Defcon conferences, the Hak5 team must be overflowing with requests for their consumer “hacking” hardware devices, of which a popular device called the “Rubber Ducky” finds its way home to all corners of the earth. The Rubber Ducky is an inconspicuous, USB-based device that has grown into a “full-fledged commercial Keystroke Injection Attack Platform.” Touting it as a favorite tool among hackers, pentesters and IT professionals for social engineering, Hak5’s store page quaintly lays out the trust paradigm that its makers look to abuse: “If it quacks like a keyboard and types like a keyboard, it must be a keyboard… Humans use keyboards. Computers trust humans.”
Mr. Robot Rubber Ducky GIF via Hak5.
No doubt as a result, we’ve had some questions come up recently from some clients about the ability to detect some of these more nefarious hardware-based attacks. Some may say that these types of attacks are probably more mainstream in Hollywood endeavors than in your normal Fortune 500, but those who investigate corporate espionage and follow some of the hardware-based devices leaked from the NSA’s ANT (presumably the Advanced Network Technology) division might say otherwise. (SouffleTrough or IrateMonk sound interesting?)
The device, for those who haven’t had the pleasure to play, er… employ one in their corporate environments or on unsuspecting family members’ computers, is quite simple. Create a script of all the information you want to gather and how you want to transport it off the machine (e.g. save it to USB, or email it to a drop account, etc.), run the script through an encoder, copy the resultant .bin of encoded commands to the Rubber Ducky, and simply plug it into your target machine and wait. The USB device is designed to present itself as a HID (Human Interface Device) keyboard rather than a USB storage device, and as such it is happily loaded by the OS. The encoded commands are then “injected” as if the user were typing them at the keyboard. For all you keyboard ninjas stockpiling keyboard shortcuts, you will recognize this as your calling.
The sample video below shows a Windows 8.1 laptop with a DG Agent running Advanced Threat Protection in monitor mode and then subsequently in protect mode. The Windows OS version is largely irrelevant, as this functionality highlights the DG Agent’s contextual ability to log and/or control the computer, in this particular case based on loaded drivers. Although this physical attack vector is extremely difficult to mitigate for most environments, we can easily create a simple rule that looks for a keyboard HID driver being loaded and run (kbdhid.sys in this case, for example), followed by processes that are typically used to gather information systematically from a command line (e.g. PowerShell, cmd.exe, wmic, Notepad to generate local scripts, etc.).
The example video shows a Rubber Ducky being inserted and allowed to run with the DG Agent in detect-only mode. We see a Run box kicking off PowerShell, which in turn executes Notepad in order to create its very own PowerShell script locally. There’s no need for outbound internet access to grab a payload, since this device is basically mimicking a user at your keyboard with a near-superhuman ability to deliver scripted keystrokes at over 1,000 words per minute. The default Ducky payloads provided on the web usually attempt to move the windows out of sight, but those commands were omitted for the sake of the video.
We can see after the initial run, the Rubber Ducky finishes creating its quick PowerShell script and is able to execute it. Shortly afterwards, a zipped Report.zip folder appears on the desktop with a copy of the computer’s SAM file for some password cracking fun later and a report of some computer information which could include patches, firewall status, and installed program versions. It can also be programmed to quickly uninstall certain patches, add or remove local firewall rules or do other activities depending on how much time you have, what kind of user you’ve targeted, and if you’re predisposed to recon or are more the active infiltration type.
After the initial run, and having seen from our management console some of the commands generated by this keyboard-injected spoofing of a user, we enable the simple Ducky Detection rule and can see a stark contrast in the Rubber Ducky’s efficacy. Simple commands are now disallowed, blocked, and logged, and this seemingly impossible-to-stop physical attack vector is thwarted, complete with a customized prompt to explain what we’re blocking in the background.
Ah – but not so fast. You say, “Well, I’ve still got physical control over the keyboard and can type other stuff where the Ducky failed.” That much is true, but we could configure the rule to disallow other commands and just as easily thwart any appreciable enumeration techniques, depending on your security posture appetite.
Ah – but not so fast, again! You say, “Well, so you’re triggering based on the contextual combination of events, which is clever enough, but since you’re triggering on the Ducky’s keyboard driver and it uses a generic Microsoft driver, what if the user uses a legitimate external keyboard!”
First off, although I don’t have any empirical evidence, I’m going to go out on a limb and say this is likely a pretty rare attack. For the most part, and there are always exceptions, you will need physical access to the machine, someone to have walked away from their machine unlocked, time, and a scenario that doesn’t draw undue attention as to why you’re plugging something into someone else’s unlocked workstation. The other aspect goes to providing “proof” that you are at your workstation. We could add a simple additional factor in the form of a USB stick with a particular file, or perhaps even a smartcard ID, to the mix, whereby seeing both the keyboard driver and your “proof” allows you to go about your business. If you remove the “proof,” say when you’re going to grab a coffee, the machine goes into a locked-down mode against command-line enumeration. This could work just as easily against someone attempting a “sticky keys” type of entry if the machine were at a lock screen and someone had figured out a way to modify your registry keys beforehand. Heck, we even had a prototype of a protection mechanism that was based on your smartphone’s Bluetooth signal years and years ago…
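To make the detection logic concrete, here is an added example (not Digital Guardian’s code, and not the actual DG rule syntax) that implements the correlation described above: a keyboard HID driver load (kbdhid.sys) followed shortly by a command-line enumeration process, with the optional “proof” second factor from the paragraph above suppressing the hit while it is present. The log format, the 60-second window, and the sample timeline are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Drivers whose load means a keyboard HID just arrived (kbdhid.sys, as in the post).
KEYBOARD_DRIVERS = {"kbdhid.sys"}
# Follow-on command-line enumeration processes the post names.
ENUM_PROCESSES = {"powershell.exe", "cmd.exe", "wmic.exe", "notepad.exe"}
WINDOW = timedelta(seconds=60)  # assumed correlation window; not stated in the post

@dataclass
class Event:
    ts: datetime
    kind: str   # driver_load | process_start | proof_present | proof_removed
    name: str

def parse_log(text):
    """Parse constructed 'timestamp kind name' lines (a hypothetical log format)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kind, name = line.split()
            events.append(Event(datetime.fromisoformat(ts), kind, name))
    return sorted(events, key=lambda e: e.ts)

def detect(events, require_proof=False):
    """Return (timestamp, process) pairs the rule would block and log: an enumeration
    process starting within WINDOW of a keyboard HID driver load. With require_proof,
    the post's second factor (USB file or smartcard) suppresses hits while present."""
    last_kbd, proof, hits = None, False, []
    for ev in events:
        if ev.kind == "proof_present":
            proof = True
        elif ev.kind == "proof_removed":
            proof = False
        elif ev.kind == "driver_load" and ev.name.lower() in KEYBOARD_DRIVERS:
            last_kbd = ev.ts
        elif ev.kind == "process_start" and ev.name.lower() in ENUM_PROCESSES:
            recent = last_kbd is not None and ev.ts - last_kbd <= WINDOW
            if recent and not (require_proof and proof):
                hits.append((ev.ts.isoformat(), ev.name.lower()))
    return hits

# Constructed timeline mirroring the video: HID driver load, the Run box launching
# PowerShell, PowerShell opening Notepad, and an unrelated cmd.exe much later.
SAMPLE_LOG = """
2016-08-22T10:15:00 driver_load kbdhid.sys
2016-08-22T10:15:02 process_start powershell.exe
2016-08-22T10:15:04 process_start notepad.exe
2016-08-22T10:30:00 process_start cmd.exe
"""
```

Running `detect(parse_log(SAMPLE_LOG))` flags the PowerShell and Notepad starts but not the cmd.exe fifteen minutes later; prepending a `proof_present` event and calling with `require_proof=True` returns no hits until a `proof_removed` event re-arms the rule.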
Suffice it to say, insider threats are one of the most difficult attacks to monitor and protect against. Digital Guardian proves its platform is again flexible and powerful enough to identify and even thwart a physical attack on a machine based on a combination of events within context. Nothing is ever perfect, but it’s nice to have options. And as is the case so often, context is key, baby. Hail to the king.
Rubber Ducky logo and images via Hak5.