Sopyan

Windows Defender picking up despite ducky being empty?

Hey, I played around with the ducky for a while now and Windows Defender seems to be picking up the ducky right before it even GUI r's to PowerShell and downloads a malicious exe.

I plug it in. It's detected...

Nothing malicious is on that ducky at all, just the bin file that would run PowerShell, but it doesn't even get to that stage to even get to download the exe (which would make sense to be picked up).

20 minutes ago, Sopyan said:

Hey, I played around with the ducky for a while now and Windows Defender seems to be picking up the ducky right before it even GUI r's to PowerShell and downloads a malicious exe.

I plug it in. It's detected...

Nothing malicious is on that ducky at all, just the bin file that would run PowerShell, but it doesn't even get to that stage to even get to download the exe (which would make sense to be picked up).

Possibly need to change the VID/PID of the ducky, maybe even a rename.

On 10/8/2017 at 12:04 PM, Just_a_User said:

Possibly need to change the VID/PID of the ducky, maybe even a rename.

I did that, generated the vidpid.bin file and placed it on the SD. But somehow it doesn't run. What am I doing wrong? Is there any firmware update?

6 hours ago, Sopyan said:

is there any firmware update?

I'm not sure which firmware you're running; maybe try a reflash with c_duck_v2.1.hex. From memory, the 2.1's have the part that looks for the vidpid.bin. Alternatively, there was a way to edit the vidpid directly on the firmware using a hex editor, but I haven't done this myself.

On 08/10/2017 at 10:41 AM, Sopyan said:

Hey, I played around with the ducky for a while now and Windows Defender seems to be picking up the ducky right before it even GUI r's to PowerShell and downloads a malicious exe.

I plug it in. It's detected...

Nothing malicious is on that ducky at all, just the bin file that would run PowerShell, but it doesn't even get to that stage to even get to download the exe (which would make sense to be picked up).

From what you're saying here, I'm guessing you have firmware installed that allows the ducky to be read as a storage device as well as a HID.

Windows Defender is either finding your malicious exe on the ducky, or if it's not on the ducky then it recognises the URL that the malicious exe is being downloaded from as being potentially dodgy (if you've run it once before successfully, and then it started getting picked up after this, this is probably the case).

I'd set your ducky back to the original firmware and re-flash. If it still finds something malicious, try changing the URL the exe is located via.
