This document describes an experiment with main purpose to detect BadUSB attacks that utilize external Human Interaction Device hardware gadgets to inject keystrokes and acquire remote code execution. One of the main goals, is to detect such activity based on behavioral factors and allow everyone with a basic set of cognitive capabilities ,regardless of the user being a human or a computer, to identify anomalous speed related indicators but also correlate such speed changes with other elements such as commonly malicious processes like powershell processes being called in close proximity timing-wise, PnP device events occurring correlated with driver images loaded.
翻译:本文描述了一项实验,主要目的是检测利用外部人机交互设备硬件装置注入击键并获取远程代码执行的BadUSB攻击。主要目标之一是基于行为因素检测此类活动,使具备基本认知能力的任何人(无论是人类用户还是计算机)能够识别与异常速度相关的指标,并将此类速度变化与其他要素相关联,例如时间上接近调用的常见恶意进程(如PowerShell进程)、与加载的驱动程序映像相关联的即插即用设备事件。