[{"_1":2,"_33":-5,"_34":-5},"loaderData",{"_3":4},"routes/challenges.$slug",{"_5":6},"challenge",{"_7":8,"_9":10,"_11":12,"_13":14,"_15":16,"_17":18,"_19":20,"_21":22,"_23":24,"_30":31},"slug","specific-ducky","name","Specific Ducky","category","Digital Forensics","description","A suspicious USB device triggered an automated PowerShell payload on an employee workstation, but the malware never fully executed. Analyze the captured USB traffic, recover the injected commands, and trace the hidden infrastructure the payload attempted to contact. Flag format: flag{*****************.******.**}","descriptionHtml","

A suspicious USB device triggered an automated PowerShell payload on an employee workstation, but the malware never fully executed. Analyze the captured USB traffic, recover the injected commands, and trace the hidden infrastructure the payload attempted to contact.

Flag format: flag{*****************.******.**}

","labDetails","Prerequisites & Requirements Protocol Analysis: Proficiency with Wireshark, specifically filtering URB (USB Request Block) traffic and HID report descriptors. USB HID Specifications: Fundamental understanding of usage pages and how keyboard scan codes are mapped to characters. PowerShell Analysis: Ability to deobfuscate and refactor scripts utilizing bxor and system-level environment variables. Environmental Keying: Understanding how malware uses system metadata (like Keyboard Layout IDs) as cryptographic seeds to evade sandboxes. What will you learn? HID Forensics: Programmatically extracting and parsing raw USB interrupt data to reconstruct attacker keystrokes. Keystroke Injection Analysis: Identifying \"Rubber Ducky\" style attacks and recovering the automated payloads they inject. Cryptographic Recovery: Identifying logical errors in PowerShell scripts and performing a dictionary-based brute-force attack against LCIDs (Locale IDs). C2 Discovery: Recovering hidden Command and Control (C2) domains from encrypted stage-1 payloads. Tools Forensics: Wireshark (USBPcap) Automation: Python (with pyshark for automated packet parsing) Reference: Microsoft MSDN (Keyboard Layout and HID Usage tables)","labDetailsHtml","

Prerequisites & Requirements

Protocol Analysis: Proficiency with Wireshark, specifically filtering URB (USB Request Block) traffic and HID report descriptors.
USB HID Specifications: Fundamental understanding of usage pages and how keyboard scan codes are mapped to characters.
PowerShell Analysis: Ability to deobfuscate and refactor scripts utilizing bxor and system-level environment variables.
Environmental Keying: Understanding how malware uses system metadata (like Keyboard Layout IDs) as cryptographic seeds to evade sandboxes.

What will you learn?

HID Forensics: Programmatically extracting and parsing raw USB interrupt data to reconstruct attacker keystrokes.
Keystroke Injection Analysis: Identifying \"Rubber Ducky\" style attacks and recovering the automated payloads they inject.
Cryptographic Recovery: Identifying logical errors in PowerShell scripts and performing a dictionary-based brute-force attack against LCIDs (Locale IDs).
C2 Discovery: Recovering hidden Command and Control (C2) domains from encrypted stage-1 payloads.

Tools

Forensics: Wireshark (USBPcap)
Automation: Python (with pyshark for automated packet parsing)
Reference: Microsoft MSDN (Keyboard Layout and HID Usage tables)

","level","Medium","tags",[25,26,27,28,29],"Wireshark","Packet Capture","Network Forensics","Usb Device History","Os Artifacts","jobPositions",[32],"Digital Forensics Analyst","actionData","errors"]

Specific Ducky

Overview

Job Positions

Tags