
Antonio Gabor
Certified Ethical Hacker and Network Security Engineer

Photo: CSO
Have you ever wondered how secure preinstalled security applications truly are? Can attackers bypass or disable them? How can we protect ourselves from such attacks?
Recently, I had the opportunity to explore several methods of bypassing Windows Defender EDR (Endpoint Detection and Response), and undoubtedly the easiest and fastest method is to use a USB device that contains a micro SD card reader and a programmable controller that emulates an HID device.
You might be wondering what HID (Human Interface Device) devices are. Simply put, they are devices that inherently gain trust from the operating system, such as a keyboard in this case. When a new keyboard is connected to a computer, the system automatically installs the necessary drivers, and the keyboard starts functioning magically.
In our case, the attack exploits this implicit trust: the system recognizes the BadUSB as an HID keyboard, and the device then types out a script stored on its micro SD card. Needless to say, these devices cannot be visually distinguished from ordinary USB sticks, and they are easily accessible and affordable.

There is a special scripting language dedicated to these devices called Ducky Script. I won't go deep into the specifics of that standard here, but you can explore it yourself at the link provided.
Using such a script, we can produce whatever outcome we want and, by employing the various tricks and shortcuts available on the Windows operating system, cause damage ranging from harmless to complete system destruction and data loss.
You probably cherish those vacation photos from Greece, right? Well, they are gone forever. Of course, this is just one example of how this USB can be misused, and there are countless others.
Here's a short example of a Ducky script (REM lines are comments):
REM Open the Run dialog with Win+R and wait for it to appear
GUI r
DELAY 50
REM Type the program name and launch it
STRING notepad.exe
ENTER
REM Give Notepad time to open, then type into it
DELAY 100
STRING Hello World
Completely harmless, you'd agree...
The first step of the attack is to send the shortcut that opens the Run dialog: Win+R.
This allows us to launch any application available on the operating system.
It is crucial to record the precise keystrokes, including the commands that disable Windows Defender protection, together with the delays needed between each command so that every step completes before the next one is typed and the desired result is achieved.
And this is what it looks like when everything is successfully executed.

This is just the starting point for compromising the system after the initial access, but it is undoubtedly one of the more critical steps in the Cyber Kill Chain. If our primary defense mechanism is disabled, the attacker can later install various malicious applications like mimikatz, gather the local administrator's passwords, and continue to compromise the computer network through lateral movement to other systems in the Windows Active Directory, all the way up to the domain admin.
Understanding such attacks is essential for defense and for ensuring the security of our systems and protecting personal data from exfiltration. According to the MITRE ATT&CK matrix, this technique for circumventing security systems falls under T1562 Impair Defenses, specifically T1562.001 Disable or Modify Tools.
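On the defender's side, the sequence described above leaves two traces that can be correlated: a keyboard-class device is recognized, and shortly afterwards Defender protection is switched off. The PowerShell below is an added example and not code from the original article. It assumes the Security log's Event ID 6416 ("A new external device was recognized by the system", which requires the Audit PnP Activity subcategory to be enabled) and the Microsoft-Windows-Windows Defender/Operational log's Event IDs 5001 (real-time protection disabled) and 5010 (scanning for malware disabled). The function name Find-HidDefenderTampering, the time window and the sample records are assumptions; the sample records are constructed stand-ins for Get-WinEvent output so the example runs offline.

```powershell
# Added example (not from the original article): flag a Defender protection change
# that follows a keyboard-class device arrival within a short window.
function Find-HidDefenderTampering {
    param(
        [Parameter(Mandatory)] [object[]] $DeviceEvents,   # TimeCreated, Id, ClassName, DeviceDescription
        [Parameter(Mandatory)] [object[]] $DefenderEvents, # TimeCreated, Id
        [int] $WindowSeconds = 120                         # assumed correlation window
    )
    $hits = @()
    # Event 6416 carries the device setup class; HID keyboards report Keyboard or HIDClass
    $keyboards = $DeviceEvents   | Where-Object { $_.Id -eq 6416 -and $_.ClassName -in @('Keyboard', 'HIDClass') }
    # Defender 5001 = real-time protection disabled, 5010 = malware scanning disabled
    $tamper    = $DefenderEvents | Where-Object { $_.Id -in @(5001, 5010) }

    foreach ($kb in $keyboards) {
        foreach ($ev in $tamper) {
            $delta = ($ev.TimeCreated - $kb.TimeCreated).TotalSeconds
            if ($delta -ge 0 -and $delta -le $WindowSeconds) {
                $hits += [pscustomobject]@{
                    DeviceTime   = $kb.TimeCreated
                    Device       = $kb.DeviceDescription
                    DefenderTime = $ev.TimeCreated
                    DefenderId   = $ev.Id
                    SecondsAfter = [int]$delta
                }
            }
        }
    }
    return $hits
}

# Constructed sample records standing in for Get-WinEvent output.
$t0 = Get-Date '2024-01-15T09:30:00'
$sampleDevices = @(
    [pscustomobject]@{ TimeCreated = $t0;              Id = 6416; ClassName = 'Keyboard';  DeviceDescription = 'USB Input Device' }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(-3); Id = 6416; ClassName = 'DiskDrive'; DeviceDescription = 'Generic Flash Disk' }
)
$sampleDefender = @(
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(12); Id = 5001 }   # protection off 12 s after the keyboard appeared
    [pscustomobject]@{ TimeCreated = $t0.AddHours(-1);   Id = 5007 }   # unrelated configuration change, ignored
)

# Expected: one hit, the USB Input Device followed by event 5001 after 12 seconds
Find-HidDefenderTampering -DeviceEvents $sampleDevices -DefenderEvents $sampleDefender | Format-Table -AutoSize
```

On a live host the two inputs come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6416}` and `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=5001,5010}`, with the ClassName and DeviceDescription fields projected out of each 6416 event's XML. A legitimate keyboard swap followed by an administrator turning protection off will also match, so treat the output as a triage queue rather than a verdict.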
How can we prevent attackers from successfully executing this attack?
We have a few options available that would be suitable for this purpose.
One approach is to implement security policies and group policies, together with modifying the Windows Registry or using applications that block USB ports.
You can find useful information on how to protect against these attacks at the link provided.
Working at the Central Bank of Ireland, a similar approach was applied.
Naturally, this also prevented the exfiltration of sensitive and confidential documents through removable media.
To block access to removable storage devices, follow these steps:
- Open Start.
- Search for "gpedit.msc" and click OK to open the Local Group Policy Editor.
- Navigate to the following path: Computer Configuration > Administrative Templates > System > Removable Storage Access.
- On the right side, double-click the "All Removable Storage classes: Deny all access" policy.
- Select the "Enabled" option.
- Click the "Apply" button.
- Click the "OK" button.
- Restart the computer.
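The same setting can be applied and verified without the editor, which is useful for scripting a baseline or auditing a fleet. The PowerShell below is an added example, not code from the original article or from Microsoft; it assumes an elevated session on a standalone host and writes the registry value that the "All Removable Storage classes: Deny all access" policy sets, namely Deny_All under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices. The function names are assumptions.

```powershell
# Added example (not from the original article): apply and verify the registry
# equivalent of "All Removable Storage classes: Deny all access".
# Assumes an elevated PowerShell session; in a domain, set the GPO centrally and
# use only the Test- function here to verify that it landed.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenyAll {
    # Create the policy key if no removable-storage policy has been applied yet
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Deny_All = 1 denies read and write access to every removable storage class
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RemovableStorageDenyAll {
    # Returns $true only when the value exists and is exactly 1
    if (-not (Test-Path $PolicyKey)) { return $false }
    $v = Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Deny_All -eq 1)
}

Set-RemovableStorageDenyAll
if (Test-RemovableStorageDenyAll) {
    "Removable storage: all classes denied (restart or run 'gpupdate /force' to apply)"
} else {
    Write-Warning "Deny_All is not set; confirm the session is elevated and the key is not overridden by domain policy"
}
```

One caveat worth keeping in mind: this policy covers storage classes (removable disks, CD/DVD, tape, WPD devices), so it stops the micro SD card from being mounted and blocks data exfiltration through removable media, but a BadUSB that enumerates purely as an HID keyboard is not a storage device. Restricting which device setup classes may be installed at all lives under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions, and is the complementary control for the keyboard side of the attack.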
Although this may not be the best option, there are specialized devices designed to be inserted into open USB ports and locked with a small padlock. Kensington is a well-known manufacturer of such physical security devices.
Last but not least, Cyber Security Awareness training. User security training on the use of corporate devices and systems is invaluable, and every company should implement it in some form or other. By emphasizing the importance of paying attention to details and the reality of these attacks, we can prevent them to a large extent.
Just one USB device planted in front of an office can potentially compromise the entire computer network and information systems, leading to business disruption or sometimes the total loss of the business.
Stay vigilant and stay safe!