Skip to content

Add HID Sentinel IR v1.0 - Lightweight Anti-BadUSB Defensive Framework#583

Open
sucloudflare wants to merge 11 commits into
hak5:masterfrom
sucloudflare:master
Open

Add HID Sentinel IR v1.0 - Lightweight Anti-BadUSB Defensive Framework#583
sucloudflare wants to merge 11 commits into
hak5:masterfrom
sucloudflare:master

Conversation

@sucloudflare

Copy link
Copy Markdown

HID Sentinel IR v1.0

Category: Incident Response

Description:
Lightweight defensive payload that turns the Rubber Ducky into a portable Anti-BadUSB sentinel.
Detects rogue USB devices in real-time using WMI and monitors suspicious PowerShell activity commonly used in HID attacks.

Features:

  • Real-time rogue USB detection (BadUSB / HID Injectors)
  • Low-noise PowerShell behavioral monitoring
  • Simple forensic logging to C:\Windows\Temp\sentinel.log

How to use:
Copy payload.txt to the root of the Rubber Ducky and insert into target.

Purpose: Ethical defensive use for Blue Team, labs and Red/Blue Team training.

Made for Hak5 Payload Awards.

Added payload script for HID Sentinel IR v1.0 to detect rogue USB devices and suspicious PowerShell activity.
Added README.md with project details and usage instructions.
Updated the description and improved the delay timings. Removed active protection code and replaced it with a command to open a dashboard.
Updated the description and improved logging for rogue USB detection and PowerShell monitoring.
Updated README to enhance clarity and detail about the framework's purpose and usage.
Updated logging messages and adjusted sleep duration for USB detection.
Comment thread HID-Sentinel-IR/payload.txt Outdated

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You have placed your payload in the wrong directory. Please ensure that your payloads are uploaded to the correct directory: payloads/library/CATEGORY/PAYLOAD_NAME/payload.txt

Comment thread HID-Sentinel-IR/payload.txt Outdated
REM Version: 1.0
REM Category: Incident Response
REM =============================================

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider using EXTENSION PASSIVE_WINDOWS_DETECT the extension allows for the USB rubber ducky to dynamically detect when the target is accepting keystroke removing the need for a long start delay. Also allows you to add a guard statement to ensure the target is windows

for example

IF ($_OS != WINDOWS)                                                                                                                 
    LED_R                                                                                                                                       
    STOP_PAYLOAD 
END_IF

Comment thread HID-Sentinel-IR/payload.txt Outdated
REM === Launch HID Sentinel IR ===
GUI r
DELAY 700
STRING powershell -NoP -Ep Bypass -W Hidden -C "$Host.UI.RawUI.WindowTitle='HID Sentinel IR v1.0';function Log{param($m,$l='INFO');$t=Get-Date -Format 'HH:mm:ss';\"[$t] [$l] $m\"|Out-File 'C:\Windows\Temp\sentinel.log'-Append -Encoding UTF8;Write-Host \"[$l] $m\" -ForegroundColor(@{INFO='White';WARN='Yellow';ALERT='Red';SUCCESS='Green'}[$l])};Log 'HID Sentinel IR v1.0 started - Anti-BadUSB Protection' 'SUCCESS';Register-WmiEvent -Class Win32_DeviceChangeEvent -SourceIdentifier 'USBChange' -Action {if($Event.SourceEventArgs.NewEvent.EventType -eq 2){Start-Sleep -Milliseconds 700;$u=Get-PnpDevice -Class USB|Where-Object Status -eq 'OK'|Select-Object -Last 5;foreach($d in $u){if($d.FriendlyName -match '(?i)Rubber Ducky|BadUSB|HID Injector|Attack'){Log \"ROGUE BADUSB DETECTED: $($d.FriendlyName)\" 'ALERT'}}}};while($true){Get-Process -Name 'powershell*' -EA 0|Where-Object{$_.CommandLine -match '(?i)iex|downloadstring|invoke-webrequest'}|ForEach-Object{Log \"Suspicious PowerShell detected (PID: $($_.Id))\" 'WARN'};Start-Sleep -Seconds 12}"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use STRINGLN instead of STRING and immediately next line ENTER it has the same functionality and makes the code cleaner and easier to read

STRINGLN example will work the same as

STRING example
ENTER

@hak5peaks hak5peaks added the pending requested changes requires changes before merge label May 24, 2026
@sucloudflare

Copy link
Copy Markdown
Author

Thanks for the review.

All requested changes have been applied:

  • moved the payload to the correct directory structure
  • added EXTENSION PASSIVE_WINDOWS_DETECT
  • added Windows OS guard logic
  • replaced STRING with STRINGLN
  • added README documentation

The PR is updated and ready for re-review.

REM Category: Incident Response
REM =============================================

EXTENSION PASSIVE_WINDOWS_DETECT

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are missing the extension content, you can find the extension content here: https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/extensions/passive_windows_detect.txt or in payloadstudio

@sucloudflare

Copy link
Copy Markdown
Author

Added the full PASSIVE_WINDOWS_DETECT extension content (commit d68c5dd), copied directly from payloads/extensions/passive_windows_detect.txt. PR is ready for re-review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

pending requested changes requires changes before merge

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants