TR-52 - Forensic Analysis of an HID Attack

Overview

If a malicious hardware device, which probably looks like an ordinary USB key, is plugged into the USB port of a PC but then acts like a keyboard, we are talking about a Human Interface Device (HID) attack. These attacks have been known for many years but have recently gained popularity.

One reason for the increasing popularity of these attacks might be the availability of cheap hardware that can be used for them. The hardware has also become more reliable and easier to handle over time.

Spreading malicious USB sticks around the target's location has been a known attack vector for years and still proves useful for awareness-raising campaigns. However, to carry out a successful targeted attack it is advisable to obtain physical access to the targeted company, i.e. to the targeted network or PC.

Some of the most powerful attacks need access to an unlocked and unattended PC; this attack is sometimes referred to as USB Drive-By. Other attacks do not need this: they merely require access to the USB plug of a PC, even a locked one, to perform malicious activities. This second attack scenario is not covered in this article.

From a forensic investigator's point of view, these attacks raise the question of what indicators of compromise they leave behind: what evidence can be found on a PC targeted by an HID attack?

We set up a virtual scenario for this exercise

To analyse such a situation, we set up a Windows 7 Professional workstation that is not joined to a Windows domain. The system runs with default settings; we do not activate any additional logging or auditing features.

The user boots up the PC and logs in. Then, for some reason, the user leaves the PC unattended for some minutes.

The attacker inserts a pre-programmed HID device into a USB port of the PC. The attack itself is described in detail below.

Some minutes later the user comes back, notices that something went wrong and shuts down the PC.

The attack in detail

The attack is performed with a USB Rubber Ducky. The device acts like a USB keyboard and is prepared with a Ducky Script.

The script replays the following keystroke sequences:

  • Part 1: Adding a user. Press the Run key, instruct PowerShell to start a command-line interface with elevated rights, add a malicious user with a defined password and assign that user to the local Administrators group.

  • Part 2: Some network activity. Press the Run key, open a command-line interface and ping an IP address.

  • Part 3: Execute a crypto ransomware. Press the Run key and execute the malware stored on the user's desktop.

Outcome

After the PC is shut down we perform a classical post-mortem file-system forensic analysis, focusing on the file-system timeline, the registry and the event logs.

The system boot, the user login and the shutdown of the PC are easy to identify. It is also possible to tell that the user reviewed the permissions of his home folder before shutting down the PC.

In the context of the attack it is possible to identify that an HID device was connected to a USB port and that a keyboard driver was assigned to it. Note that the device appears under Enum\USB and not under Enum\USBSTOR, because it presents itself as a keyboard rather than as a storage device, so tools that only look at USBSTOR will miss it. Vendor ID 03EB is assigned to Atmel, the maker of the microcontroller used by the Rubber Ducky; since such devices can be flashed to report other IDs, the VID/PID is a hint rather than a signature. An instance ID with an ampersand in its second character (as in 5&18f54cb7&0&2 below) is generated by Windows for devices that report no serial number, so it does not uniquely identify the physical device.

Example: Registry System hive

ControlSet001\Enum\USB

	VID_03EB&PID_2401 [Tue Jan 30 16:31:20 2018]
	  S/N: 5&18f54cb7&0&2 [Tue Jan 30 16:31:21 2018]



ControlSet001\Services

		Tue Jan 30 16:31:21 2018Z
		  Name      = kbdhid
		  Display   = Keyboard HID Driver
		  ImagePath = system32\DRIVERS\kbdhid.sys
		  Type      = Kernel driver
		  Start     = Manual
		  Group     = Keyboard Port

Most of the performed activities could also be recovered. It is possible to trace back all the commands entered into the Run dialog by the attacker: the MRUList value of the RunMRU key lists the entries most recent first, so the commands below were typed in the order a, b, c. We could also uncover the network activities and the execution of the malware.

Example: Registry NTUSER.DAT hive

Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
LastWrite Time Tue Jan 30 16:32:09 2018 (UTC)
	MRUList = cba
	a   powershell Start-Process cmd -Verb runAs\1
	b   cmd /C "start /MIN cmd /C ping -n 10 127.0.0.1"\1
	c   "C:\Users\Locky\Desktop\Test Folder\ccc\1.exe"\1
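The following Python script is an added example and is not part of the CIRCL report: it parses the RegRipper-style RunMRU listing above (embedded as a constructed string) and reverses the MRUList value to recover the order in which the commands were typed, then tags each command with the behaviour it shows. The indicator patterns and the tag names are this example's own choice.

```python
import re

# Constructed sample: the RunMRU listing quoted in this report (RegRipper style).
RUNMRU_SAMPLE = r"""
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
LastWrite Time Tue Jan 30 16:32:09 2018 (UTC)
	MRUList = cba
	a   powershell Start-Process cmd -Verb runAs\1
	b   cmd /C "start /MIN cmd /C ping -n 10 127.0.0.1"\1
	c   "C:\Users\Locky\Desktop\Test Folder\ccc\1.exe"\1
"""

# One RunMRU value: single-letter name, the typed command, and Explorer's "\1" suffix.
ENTRY_RE = re.compile(r"^\s*([a-z])\s+(.*?)\\1\s*$")
MRULIST_RE = re.compile(r"^\s*MRUList\s*=\s*([a-z]+)\s*$")
LASTWRITE_RE = re.compile(r"^\s*LastWrite Time (.+?) \(UTC\)\s*$")

# Indicator patterns are this example's own choice, not taken from the report.
INDICATORS = [
    ("elevation", re.compile(r"-Verb\s+runAs|\brunas\b", re.I)),
    ("network", re.compile(r"\b(ping|nslookup|bitsadmin|certutil|Invoke-WebRequest)\b", re.I)),
    ("exec-from-user-profile", re.compile(r"C:\\Users\\[^\\]+\\.*\.exe", re.I)),
]


def classify(command):
    """Return the indicator tags matching one Run-dialog command."""
    return [tag for tag, rx in INDICATORS if rx.search(command)]


def parse_runmru(text):
    """Parse a RunMRU listing into execution order.

    MRUList holds the value names most-recent-first, so reversing it yields
    the order in which the commands were typed (oldest first).
    """
    last_write, mru_list, values = None, "", {}
    for line in text.splitlines():
        m = LASTWRITE_RE.match(line)
        if m:
            last_write = m.group(1)
            continue
        m = MRULIST_RE.match(line)
        if m:
            mru_list = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    commands = []
    for slot in reversed(mru_list):
        if slot in values:  # MRUList may still reference a value that was deleted
            commands.append({"slot": slot, "command": values[slot], "tags": classify(values[slot])})
    return {"last_write_utc": last_write, "commands": commands}


if __name__ == "__main__":
    result = parse_runmru(RUNMRU_SAMPLE)
    print("RunMRU last written (UTC):", result["last_write_utc"])
    for n, c in enumerate(result["commands"], 1):
        print(f"{n}. [{c['slot']}] {c['command']}  tags={c['tags']}")
```

Only the key's LastWrite time is available, so the script can order the commands but not date each one individually; the timestamp belongs to the last entry written.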

We could detect that a new user account was created and that it was added to the local Administrators group.

Example: Eventlog Security.evtx

3217 Audit Success 1/30/2018 4:31:42 PM
	4732 Security Group Management Demo-PC
	A member was added to a security-enabled local group.
	Subject:
	    Security ID:        S-1-5-21-4212223026-3181619266-2879170966-1000
	    Account Name:        Locky
	    Account Domain:        Demo-PC
	    Logon ID:        0x1b9ac
	Member:
	    Security ID:        S-1-5-21-4212223026-3181619266-2879170966-1001
	    Account Name:        -
	Group:
	    Security ID:        S-1-5-32-544
	    Group Name:        Administrators
	    Group Domain:        Builtin

There are clear traces in the timeline of when the crypto ransomware starts doing its job and when it finishes.

Example: Filesystem timeline

Tue Jan 30 2018 17:32:17
       670 .a.b 15788-128-4 /Users/Locky/Documents/recover_file_vvvtnijqm.txt.vvv
      2401 macb 18109-128-4 /ProgramData/how_recover+fye.txt
      6921 macb 18129-128-4 /ProgramData/how_recover+fye.html
      .....
      .....
Tue Jan 30 2018 17:32:34
      2401 macb 43903-128-4 /Users/Public/how_recover+fye.txt
      6921 macb 43904-128-4 /Users/Public/how_recover+fye.html
      2401 macb 43905-128-4 /Users/Locky/Desktop/Howto_RESTORE_FILES.txt
      6921 macb 43906-128-4 /Users/Locky/Desktop/Howto_RESTORE_FILES.html
   3452054 macb 43907-128-4 /Users/Locky/Desktop/Howto_RESTORE_FILES.bmp
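The artifacts above come from different tools that report time differently: RegRipper marks its output as UTC, while the event-log export and the mactime timeline carry no zone marker. The following Python script is an added example, not part of the CIRCL report. It normalises the timestamps quoted above (embedded as constructed records) to UTC, flags a USB enumeration that is followed within seconds by the kbdhid service key being written, and lists everything that happened in the following minutes. The per-source offsets used for this input (event-log export in UTC, mactime timeline at UTC+1) are assumptions; in a real case take them from the tool's documentation and from the system's TimeZoneInformation registry key.

```python
from datetime import datetime, timedelta, timezone


def parse_ts(value, fmt, utc_offset_hours=0):
    """Parse a tool-specific timestamp and normalise it to an aware UTC datetime."""
    local = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(value, fmt).replace(tzinfo=local).astimezone(timezone.utc)


RR = "%a %b %d %H:%M:%S %Y"   # RegRipper:        "Tue Jan 30 16:31:20 2018"
EV = "%m/%d/%Y %I:%M:%S %p"   # event-log export: "1/30/2018 4:31:42 PM"
MT = "%a %b %d %Y %H:%M:%S"   # mactime:          "Tue Jan 30 2018 17:32:17"

# Constructed input: one record per artifact quoted in this report.
# Fields: source, raw timestamp, strptime format, ASSUMED UTC offset of that tool's output, description.
ARTIFACTS = [
    ("registry:Enum\\USB", "Tue Jan 30 16:31:20 2018", RR, 0, "VID_03EB&PID_2401 first enumerated"),
    ("registry:Services", "Tue Jan 30 16:31:21 2018", RR, 0, "kbdhid (Keyboard HID Driver) key written"),
    ("evtx:Security", "1/30/2018 4:31:42 PM", EV, 0, "4732: member added to Administrators"),
    ("registry:RunMRU", "Tue Jan 30 16:32:09 2018", RR, 0, "RunMRU LastWrite: last Run-dialog command"),
    ("timeline:mactime", "Tue Jan 30 2018 17:32:17", MT, 1, "how_recover+fye.txt/.html created in ProgramData"),
    ("timeline:mactime", "Tue Jan 30 2018 17:32:34", MT, 1, "Howto_RESTORE_FILES.* created on the Desktop"),
]


def normalise(artifacts):
    """Convert every record to UTC and sort them into one timeline."""
    rows = [{"utc": parse_ts(raw, fmt, off), "source": src, "what": what}
            for src, raw, fmt, off, what in artifacts]
    return sorted(rows, key=lambda r: r["utc"])


def find_hid_attack(rows, driver_gap=timedelta(seconds=5), window=timedelta(minutes=10)):
    """Flag a USB enumeration followed within driver_gap by a kbdhid service write.

    Returns the attach time, the driver time and every other artifact inside
    `window` after the attach, or None when no such pair exists.
    """
    for i, usb in enumerate(rows):
        if not usb["source"].endswith("Enum\\USB"):
            continue
        for drv in rows[i + 1:]:
            if drv["utc"] - usb["utc"] > driver_gap:
                break  # rows are sorted, so later ones are even further away
            if drv["source"].endswith("Services") and "kbdhid" in drv["what"]:
                t0 = usb["utc"]
                followup = [r for r in rows
                            if r is not drv and t0 < r["utc"] <= t0 + window]
                return {"hid_attached_utc": t0, "driver_utc": drv["utc"], "followup": followup}
    return None


if __name__ == "__main__":
    hit = find_hid_attack(normalise(ARTIFACTS))
    if hit:
        print("HID keyboard attached at", hit["hid_attached_utc"].isoformat())
        for r in hit["followup"]:
            delta = int((r["utc"] - hit["hid_attached_utc"]).total_seconds())
            print(f"  +{delta:4d}s  {r['source']:18s} {r['what']}")
    else:
        print("no USB-enumeration/kbdhid pair found")
```

With the offsets above every artifact falls within 74 seconds of the device being enumerated. Feeding the mactime entries in without the UTC+1 correction pushes them an hour later, outside the correlation window, which is exactly the mistake the normalisation step is there to prevent.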

These are just some of the key findings. More interesting findings can be found in the raw technical report.

Summary

It is possible to identify the event of HID hardware being connected to a USB interface and to correlate it with the driver installation and the related activities performed on the system.

However, to get the best results it is important to perform a forensically sound acquisition of the compromised PC immediately.

Contact

If you have any questions or suggestions about this topic, feel free to contact us. If you know of other HID attacks or malicious devices acting as HIDs, we would be interested in technical details in order to improve this document.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision of the text (not the table)

  • Version 1.0 - 05 February 2018 - TLP:WHITE