Storage Activity
Storage activity is an experimental feature which may be used to detect whether or not the storage device, when using
ATTACKMODE STORAGE is in use. This can be helpful when performing USB exfiltration. It can also be used to determine whether the storage device has been activated, useful for VID and PID enumeration.Results may vary greatly depending on target OS. Some operating systems may keep storage active for an exceptionally long time.
The
WAIT_FOR_STORAGE_ACTIVITY command blocks all further payload execution until activity on the USB Rubber Ducky storage has been detected.REM Example WAIT_FOR_STORAGE_ACTIVITY Payload
ATTACKMODE HID STORAGE
DELAY 2000
LED_OFF
STRINGLN Waiting for the disk to be read from or written to...
$_STORAGE_ACTIVITY_TIMEOUT = 10000
WAIT_FOR_STORAGE_ACTIVITY
LED_OFF
LED_R
- The LED will light red after storage activity has been detected.
The
WAIT_FOR_STORAGE_INACTIVITY command blocks all further payload execution until the storage device is determined to be inactive. REM Example WAIT_FOR_STORAGE_INACTIVITY Payload
ATTACKMODE HID STORAGE
DELAY 2000
LED_OFF
GUI r
DELAY 100
STRING powershell "$m=(Get-Volume -FileSystemLabel 'DUCKY').DriveLetter;
STRINGLN echo $env:computername >> $m:\computer_names.txt"
$_STORAGE_ACTIVITY_TIMEOUT = 10000
WAIT_FOR_STORAGE_INACTIVITY
LED_OFF
LED_R
- The LED will light red when the storage device becomes inactive.
The following internal variables relate to storage activity and may be used in your payload for advanced functions.
As payload is running, this value decrements if storage activity is not detected.
Default value is 1000.
Last modified 1yr ago