Understanding Malicious USB Stick Behavior and Mitigation Techniques

Listen to this Post

We talked about infected USB sticks before [1]. The EDR on a customer site picked up malicious behavior, including the commands:

[cmd]
cmd.exe /c “”D:\rootdir\x943368.bat”
[/cmd]

and

[cmd]
xcopy “C:\Windows\System32\printui.exe” “C:\Windows \System32” /Y
[/cmd]

This behavior aligns with the tactics described in the Red Canary blog post here [2].

The USB stick was plugged into three different devices, resulting in alerts on these hosts. As pointed out in the beginning, alerts from malicious USB sticks are common, and one must also raise awareness amongst users about the dangers of malicious code on USB sticks.

[1] https://lnkd.in/e3Hw236F
[2] https://lnkd.in/eXNgvsWF

Practice Verified Codes and Commands:

1. Detecting Malicious USB Activity on Windows:

[cmd]
wmic path Win32_USBControllerDevice get Dependent
[/cmd]

This command lists all connected USB devices.

2. Monitoring USB Insertion Events in Linux:

tail -f /var/log/syslog | grep -i usb

This command monitors USB insertion events in real-time.

3. Disabling USB Storage on Windows:

[cmd]
reg add “HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR” /v Start /t REG_DWORD /d 4 /f
[/cmd]
This command disables USB storage by modifying the registry.

4. Enabling USB Write Protection on Linux:

echo 1 > /sys/bus/usb/drivers/usb-storage/parameters/usb_storage_write_protect

This command enables write protection for USB storage devices.

5. Scanning for Malicious Files on USB:

clamscan -r /media/usb

This command scans a USB drive for malware using ClamAV.

6. Blocking USB Devices on Linux:

echo "blacklist usb_storage" | sudo tee -a /etc/modprobe.d/blacklist.conf

This command blocks USB storage devices by blacklisting the module.

7. Auditing USB Usage on Windows:

[cmd]
auditpol /set /subcategory:”Removable Storage” /success:enable /failure:enable
[/cmd]

This command enables auditing for removable storage usage.

What Undercode Say:

The threat posed by malicious USB sticks is a persistent issue in cybersecurity. These devices can execute arbitrary commands, copy malicious files, and spread malware across networks. To mitigate these risks, it is crucial to implement both technical controls and user awareness programs.

On Windows, commands like `wmic` and `auditpol` can help monitor and control USB usage. Disabling USB storage via the registry or enabling write protection can prevent unauthorized data transfers. On Linux, commands like `tail -f /var/log/syslog` and `echo 1 > /sys/bus/usb/drivers/usb-storage/parameters/usb_storage_write_protect` provide real-time monitoring and write protection capabilities.

Regularly scanning USB devices with tools like ClamAV (clamscan -r /media/usb) can detect and remove malicious files. Additionally, blacklisting USB storage modules (echo "blacklist usb_storage" | sudo tee -a /etc/modprobe.d/blacklist.conf) can prevent unauthorized USB usage on Linux systems.

User education is equally important. Employees should be trained to recognize the risks of using unknown USB devices and to report suspicious activity. Combining technical controls with user awareness creates a robust defense against USB-based threats.

For further reading, refer to the Red Canary blog post [2] and the original discussion on infected USB sticks [1]. These resources provide deeper insights into the tactics used by attackers and effective mitigation strategies.

[1] https://lnkd.in/e3Hw236F
[2] https://lnkd.in/eXNgvsWF

References:

Hackers Feeds, Undercode AIFeatured Image