
Windows Defender picking up despite ducky being empty?


Sopyan


Hey, I played around with the ducky for a while now and Windows Defender seems to be picking up the ducky right before it even GUI r's to PowerShell and downloads a malicious exe.

I plug it in. It's detected...

Nothing malicious is on that ducky at all, just the bin file that would run PowerShell, but it doesn't even get to that stage to even get to download the exe (which would make sense to be picked up).

20 minutes ago, Sopyan said:

Hey, I played around with the ducky for a while now and Windows Defender seems to be picking up the ducky right before it even GUI r's to PowerShell and downloads a malicious exe.

I plug it in. It's detected...

Nothing malicious is on that ducky at all, just the bin file that would run PowerShell, but it doesn't even get to that stage to even get to download the exe (which would make sense to be picked up).

Possibly need to change the VID/PID of the ducky, maybe even a rename.

On 10/8/2017 at 12:04 PM, Just_a_User said:

Possibly need to change the VID/PID of the ducky, maybe even a rename.

I did that, generated the vidpid.bin file and placed it on the SD card. But somehow it doesn't run. What am I doing wrong, is there any firmware update?

6 hours ago, Sopyan said:

is there any firmware update?

I'm not sure which firmware you're running. Maybe try a reflash with c_duck_v2.1.hex. From memory the 2.1s have the part that looks for the vidpid.bin. Alternatively there was a way to edit the VID/PID directly in the firmware using a hex editor, but I haven't done this myself.

4 weeks later...

On 08/10/2017 at 10:41 AM, Sopyan said:

Hey, I played around with the ducky for a while now and Windows Defender seems to be picking up the ducky right before it even GUI r's to PowerShell and downloads a malicious exe.

I plug it in. It's detected...

Nothing malicious is on that ducky at all, just the bin file that would run PowerShell, but it doesn't even get to that stage to even get to download the exe (which would make sense to be picked up).

From what you're saying here, I'm guessing you have firmware installed that allows the ducky to be read as a storage device as well as a HID.

Windows Defender is either finding your malicious exe on the ducky, or, if it's not on the ducky, it recognises the URL that the malicious exe is being downloaded from as being potentially dodgy (if you've run it once before successfully and then it started getting picked up after this, this is probably the case).

I'd set your ducky back to the original firmware and re-flash. If it still finds something malicious, try changing the URL the exe is located via.
