From 0a0e0207614be2320c1fd4df03c704cb2607071f Mon Sep 17 00:00:00 2001 From: egieb <93350544+beigeworm@users.noreply.github.com> Date: Wed, 12 Jun 2024 13:55:34 +0000 Subject: [PATCH] Add files via upload --- .../BadUSB-Detect-and-Protect.txt | 21 ++ BadUSB-Detect-and-Protect/main.ps1 | 233 ++++++++++++++++++ 2 files changed, 254 insertions(+) create mode 100644 BadUSB-Detect-and-Protect/BadUSB-Detect-and-Protect.txt create mode 100644 BadUSB-Detect-and-Protect/main.ps1 diff --git a/BadUSB-Detect-and-Protect/BadUSB-Detect-and-Protect.txt b/BadUSB-Detect-and-Protect/BadUSB-Detect-and-Protect.txt new file mode 100644 index 0000000..dea45db --- /dev/null +++ b/BadUSB-Detect-and-Protect/BadUSB-Detect-and-Protect.txt @@ -0,0 +1,21 @@ +REM Title: BadUSB Detect and Protect +REM Author: @beigeworm | https://github.com/beigeworm +REM Description: This script runs passively in the background waiting for any new usb devices. +REM Description: When a new USB device is connected to the machine this script monitors keypresses for 30 seconds. +REM Description: If there are 15 or more keypresses detected within 200 milliseconds it will attempt to disable the most recently connected USB device +REM Description: LOGS are stored in 'usblogs' in 'temp' folder +REM Target: Windows 10 + +REM *REQUIREMENTS* +REM admin required for disable USB function. + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window). +GUI r +DELAY 750 +STRING powershell -Exec Bypass -C irm https:// | iex +CTRL-SHIFT ENTER +DELAY 2500 +ALT y diff --git a/BadUSB-Detect-and-Protect/main.ps1 b/BadUSB-Detect-and-Protect/main.ps1 new file mode 100644 index 0000000..18e3986 --- /dev/null +++ b/BadUSB-Detect-and-Protect/main.ps1 @@ -0,0 +1,233 @@ +<# ================ BAD USB DETECTION AND PROTECTION =================== + +SYNOPSIS +This script runs passively in the background waiting for any new usb devices. +When a new USB device is connected to the machine this script monitors keypresses for 30 seconds. +If there are 15 or more keypresses detected within 200 milliseconds it will attempt to disable the most recently connected USB device + +USAGE +1. Run the script and follow instructions +2. A pop up will appear when monitoring is active and if a 'BadUSB' device is detected +3. logs are found in 'usblogs' folder in the temp directory. + +REQUIREMENTS +Admin privlages are required for removing any suspected devices (you can re-enable devices too) + +#> + +Add-Type -AssemblyName System.Drawing +Add-Type -AssemblyName System.Windows.Forms +Write-Host "Checking User Permissions.." -ForegroundColor DarkGray +If (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator')) { + Write-Host "Admin privileges needed for this script..." -ForegroundColor Red + Write-Host "This script will self elevate to run as an Administrator and continue." -ForegroundColor DarkGray + Start-Process PowerShell.exe -ArgumentList ("-NoP -Ep Bypass -File `"{0}`"" -f $PSCommandPath) -Verb RunAs + exit +} +else{ + sleep 1 + Write-Host "This script is running as Admin!" -ForegroundColor Green + New-Item -ItemType Directory -Path "$env:TEMP\usblogs\" + cls + $enable = Read-Host "Re-enable All Devices? (y/n) " + $hidden = Read-Host "Hide This Window (y/n) " +} + + +If ($hidden -eq 'y'){ + Write-Host "Hiding the Window.." -ForegroundColor Red + sleep 1 + $Async = '[DllImport("user32.dll")] public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);' + $Type = Add-Type -MemberDefinition $Async -name Win32ShowWindowAsync -namespace Win32Functions -PassThru + $hwnd = (Get-Process -PID $pid).MainWindowHandle + if($hwnd -ne [System.IntPtr]::Zero){ + $Type::ShowWindowAsync($hwnd, 0) + } + else{ + $Host.UI.RawUI.WindowTitle = 'hideme' + $Proc = (Get-Process | Where-Object { $_.MainWindowTitle -eq 'hideme' }) + $hwnd = $Proc.MainWindowHandle + $Type::ShowWindowAsync($hwnd, 0) + } +} + +$usbDevices = Get-WmiObject -Query "SELECT * FROM Win32_PnPEntity WHERE PNPDeviceID LIKE 'USB%'" +$currentUSBDevices = @() +$newUSBDevices = @() +foreach ($device in $usbDevices) { + $deviceID = $device.DeviceID + $newUSBDevices += $deviceID +} +$currentUSBDevices = $newUSBDevices + + +function EnableDevices { + param ( + [string[]]$deviceIDs + ) + + foreach ($deviceID in $deviceIDs) { + try { + Write-Host "Attempting to enable device with ID: $deviceID" -ForegroundColor Yellow + $pnpDevice = Get-PnpDevice -InstanceId $deviceID -ErrorAction Stop + if ($pnpDevice.Status -ne 'OK') { + Enable-PnpDevice -InstanceId $deviceID -Confirm:$false -ErrorAction Stop + Write-Host "Successfully enabled device with ID: $deviceID" -ForegroundColor Green + } else { + Write-Host "Device with ID: $deviceID is already enabled." -ForegroundColor Blue + } + } catch { + Write-Host "Error enabling device with ID: $deviceID. $_" -ForegroundColor Red + } + } +} +if ($enable -eq 'y'){ + EnableDevices -deviceIDs $newUSBDevices + cls + Write-Host "All Devices Enabled!" -ForegroundColor Green + sleep 1 + $2ndpass = Read-Host "Run Again? (sometimes required) [y/n]" + if ($2ndpass -eq 'y'){ + EnableDevices -deviceIDs $newUSBDevices + } + pause + exit +} +else{ + "" | Out-File -FilePath "$env:TEMP\usblogs\ids.log" + "" | Out-File -FilePath "$env:TEMP\usblogs\monon.log" + Write-Host "Monitoring for devices.." -ForegroundColor Green + sleep 1 +} + + +$monitor = { + +Add-Type -AssemblyName System.Drawing +Add-Type -AssemblyName System.Windows.Forms + +$API = @' +[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] +public static extern short GetAsyncKeyState(int virtualKeyCode); +[DllImport("user32.dll", CharSet=CharSet.Auto)] +public static extern int GetKeyboardState(byte[] keystate); +[DllImport("user32.dll", CharSet=CharSet.Auto)] +public static extern int MapVirtualKey(uint uCode, int uMapType); +[DllImport("user32.dll", CharSet=CharSet.Auto)] +public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags); +'@ +$API = Add-Type -MemberDefinition $API -Name 'Win32' -Namespace API -PassThru + + +$balloon = { + +Add-Type -AssemblyName System.Drawing +Add-Type -AssemblyName System.Windows.Forms +$notify = New-Object System.Windows.Forms.NotifyIcon +$notify.Icon = [System.Drawing.SystemIcons]::Warning +$notify.Visible = $true +$balloonTipTitle = "WARNING" +$balloonTipText = "Bad USB Device Intercepted!" +$notify.ShowBalloonTip(30000, $balloonTipTitle, $balloonTipText, [System.Windows.Forms.ToolTipIcon]::WARNING) + +} + +function DisableDevices { + param ([string[]]$deviceIDs) + foreach ($deviceID in $deviceIDs) { + try { + "Attempting to disable device with ID: $deviceID" | Out-File -FilePath "$env:TEMP\usblogs\log.log" -Append + $pnpDevice = Get-PnpDevice -InstanceId $deviceID -ErrorAction Stop + if ($pnpDevice.Status -eq 'OK') { + Disable-PnpDevice -InstanceId $deviceID -Confirm:$false -ErrorAction Stop + "Successfully disabled device with ID: $deviceID" | Out-File -FilePath "$env:TEMP\usblogs\log.log" -Append + } else { + "Device with ID: $deviceID is not in an 'OK' state and cannot be disabled." | Out-File -FilePath "$env:TEMP\usblogs\log.log" -Append + } + } catch { + "Error disabling device with ID: $deviceID. $_" | Out-File -FilePath "$env:TEMP\usblogs\log.log" -Append + } + } +} + +function MonitorKeys { + + $startTime = $null + $keypressCount = 0 + $initTime = Get-Date + while ($MonitorTime -lt $initTime.AddSeconds(30)) { + $stopjob = Get-Content "$env:TEMP\usblogs\monon.log" + if ($stopjob -eq 'true'){"killed monitoring for: $deviceID" | Out-File -FilePath "$env:TEMP\usblogs\log.log" -Append ;exit} + $MonitorTime = Get-Date + Start-Sleep -Milliseconds 10 + for ($i = 8; $i -lt 256; $i++) { + $keyState = $API::GetAsyncKeyState($i) + if ($keyState -eq -32767) { + if (-not $startTime) { + $startTime = Get-Date + } + $keypressCount++ + } + } + + if ($startTime -and (New-TimeSpan -Start $startTime).TotalMilliseconds -ge 200) { + if ($keypressCount -gt 14) { + $script:newUSBDeviceIDs = Get-Content "$env:TEMP\usblogs\ids.log" + Start-Job -ScriptBlock $balloon -Name BallonIcon + DisableDevices -deviceIDs $script:newUSBDeviceIDs + + } + $startTime = $null + $keypressCount = 0 + + } + } + +} +MonitorKeys +} + +function CheckNew { + $usbDevices = Get-WmiObject -Query "SELECT * FROM Win32_PnPEntity WHERE PNPDeviceID LIKE 'USB%'" + $newUSBDevices = @() + $newUSBDeviceIDs = @() + foreach ($device in $usbDevices) { + $deviceID = $device.DeviceID + $newUSBDevices += $deviceID + if ($currentUSBDevices -notcontains $deviceID) { + Write-Host "New USB device added: $($device.Name) ID: $($deviceID)" + $script:match = $true + $newUSBDeviceIDs += $deviceID -split "," | Out-File -FilePath "$env:TEMP\usblogs\ids.log" -Append + } + } + + $global:currentUSBDevices = $newUSBDevices + $global:newUSBDeviceIDs = $newUSBDeviceIDs +} + +$notify = New-Object System.Windows.Forms.NotifyIcon +$notify.Icon = [System.Drawing.SystemIcons]::Shield +$notify.Visible = $true +$balloonTipTitle = "USB Monitoring" +$balloonTipText = "BadUSB Monitoring Active.." +$notify.ShowBalloonTip(30000, $balloonTipTitle, $balloonTipText, [System.Windows.Forms.ToolTipIcon]::Info) + +while ($true) { + + CheckNew + if ($match){ + Write-Host "Monitoring Keys" + $jobon = Get-Job -Name Monitor + if ($jobon){ + "true" | Out-File -FilePath "$env:TEMP\usblogs\monon.log" + sleep -Milliseconds 500 + } + $script:match = $false + "false" | Out-File -FilePath "$env:TEMP\usblogs\monon.log" + Start-Job -ScriptBlock $monitor -Name Monitor + } + + sleep -Milliseconds 500 + +} +