BSidesTLV 2023

It's Duck Season: Forensic Detection of BadUsb Attacks
2023-06-29, 12:20–12:45 (Europe/Oslo), Smolarz

During this study we explore deep parts of Windows systems and tryo to "excavate" useful logs so that we can behaviorally detect rubber duckies post-mortem. This study focuses on upper filter drivers, ETW, detection engineering and forensic logic.

-> Generic Intro
Here we discuss whoami and the targets of the study, things we wanted to avoid, suh as basing our detectons on hard-coded data and what we actually wanted, such as versatility and behavioral bases.
-> Abstract
Here we discuss the process of the srudy from buying the ducky at defcon 30's stores to using an old laptop to execute attacks on while monitoring certain data sources.
-> Tools of the trade and Rubber Ducky
Internals of the duck and purpose. Interface, characteristics, etc. Mostly info gathered from the manual.
-> ETW generic Intro
What is ETW , what are its positive sides. Where is it being used.
-> ETW drawbacks
Where would ETW fail and why?
-> KrabsETW
A quick tour of the library and functions-classes we used.
-> Upper Filters WDM - KMDF
A quick intro on kbdclass upper filters, problems faced and hacks to hook onto keystrokes.
-> Hooking the keyboard codes
Extends the previous.
-> Microsoft-Windows-Kernel-Process Provider
Discusses this specific ETW provider and how we used it.
-> Microsoft-Windows-Kernel-PnP Provider
Discusses this specific ETW provider and how we used it.
-> Our software's design
How does our software look, how does it run and what did we execute on the PC.
-> Detection Logic
We discuss the logic of detection based on speed combined with Image Load events , Interesting PnP entries and Processes Spawned.
-> Graph