Add HID Sentinel IR v1.0 - Lightweight Anti-BadUSB Defensive Framework#583
Add HID Sentinel IR v1.0 - Lightweight Anti-BadUSB Defensive Framework#583sucloudflare wants to merge 11 commits into
Conversation
Added payload script for HID Sentinel IR v1.0 to detect rogue USB devices and suspicious PowerShell activity.
Added README.md with project details and usage instructions.
Updated the description and improved the delay timings. Removed active protection code and replaced it with a command to open a dashboard.
Updated the description and improved logging for rogue USB detection and PowerShell monitoring.
Updated README to enhance clarity and detail about the framework's purpose and usage.
Updated logging messages and adjusted sleep duration for USB detection.
There was a problem hiding this comment.
You have placed your payload in the wrong directory. Please ensure that your payloads are uploaded to the correct directory: payloads/library/CATEGORY/PAYLOAD_NAME/payload.txt
| REM Version: 1.0 | ||
| REM Category: Incident Response | ||
| REM ============================================= | ||
|
|
There was a problem hiding this comment.
Consider using EXTENSION PASSIVE_WINDOWS_DETECT the extension allows for the USB rubber ducky to dynamically detect when the target is accepting keystroke removing the need for a long start delay. Also allows you to add a guard statement to ensure the target is windows
for example
IF ($_OS != WINDOWS)
LED_R
STOP_PAYLOAD
END_IF
| REM === Launch HID Sentinel IR === | ||
| GUI r | ||
| DELAY 700 | ||
| STRING powershell -NoP -Ep Bypass -W Hidden -C "$Host.UI.RawUI.WindowTitle='HID Sentinel IR v1.0';function Log{param($m,$l='INFO');$t=Get-Date -Format 'HH:mm:ss';\"[$t] [$l] $m\"|Out-File 'C:\Windows\Temp\sentinel.log'-Append -Encoding UTF8;Write-Host \"[$l] $m\" -ForegroundColor(@{INFO='White';WARN='Yellow';ALERT='Red';SUCCESS='Green'}[$l])};Log 'HID Sentinel IR v1.0 started - Anti-BadUSB Protection' 'SUCCESS';Register-WmiEvent -Class Win32_DeviceChangeEvent -SourceIdentifier 'USBChange' -Action {if($Event.SourceEventArgs.NewEvent.EventType -eq 2){Start-Sleep -Milliseconds 700;$u=Get-PnpDevice -Class USB|Where-Object Status -eq 'OK'|Select-Object -Last 5;foreach($d in $u){if($d.FriendlyName -match '(?i)Rubber Ducky|BadUSB|HID Injector|Attack'){Log \"ROGUE BADUSB DETECTED: $($d.FriendlyName)\" 'ALERT'}}}};while($true){Get-Process -Name 'powershell*' -EA 0|Where-Object{$_.CommandLine -match '(?i)iex|downloadstring|invoke-webrequest'}|ForEach-Object{Log \"Suspicious PowerShell detected (PID: $($_.Id))\" 'WARN'};Start-Sleep -Seconds 12}" |
There was a problem hiding this comment.
You can use STRINGLN instead of STRING and immediately next line ENTER it has the same functionality and makes the code cleaner and easier to read
STRINGLN example will work the same as
STRING example
ENTER
|
Thanks for the review. All requested changes have been applied:
The PR is updated and ready for re-review. |
| REM Category: Incident Response | ||
| REM ============================================= | ||
|
|
||
| EXTENSION PASSIVE_WINDOWS_DETECT |
There was a problem hiding this comment.
You are missing the extension content, you can find the extension content here: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt or in payloadstudio
|
Added the full PASSIVE_WINDOWS_DETECT extension content (commit d68c5dd), copied directly from payloads/extensions/passive_windows_detect.txt. PR is ready for re-review. |
HID Sentinel IR v1.0
Category: Incident Response
Description:
Lightweight defensive payload that turns the Rubber Ducky into a portable Anti-BadUSB sentinel.
Detects rogue USB devices in real-time using WMI and monitors suspicious PowerShell activity commonly used in HID attacks.
Features:
C:\Windows\Temp\sentinel.logHow to use:
Copy
payload.txtto the root of the Rubber Ducky and insert into target.Purpose: Ethical defensive use for Blue Team, labs and Red/Blue Team training.
Made for Hak5 Payload Awards.