The Latest in IT Security

Quickpost: Blocking and Detecting a Teensy Dropper

14
Jul
2011

A Teensy dropper presents itself as a keyboard (HID) to a PC and this is how it can be used to drop files even if you don’t allow removable drives.

You can prevent the installation of new HIDs, but this is an issue when you need to replace keyboards or mice. Irongeek has a good write-up.

Connected HIDs leave forensics traces in the registry, take a look under key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\

Connecting a Teensy leaves these entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482\6&31417f27&0&3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_00\7&becc88c&0&0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_01\7&becc88c&0&0001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_02\7&becc88c&0&0002


Quickpost info


Leave a reply


Categories

SUNDAY, AUGUST 18, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments

Social Networks