Build a simple USB drop for an awareness campaign
13 March 2025
A USB drop is a type of social engineering attack where malicious USB drives are strategically placed in locations where they are likely to be found by unsuspecting individuals. Sounds like fun. Let’s build it.
Keeping it simple
This setup is not(!) about automatically executing malicious software or scripts, stealing data, installing malware, or creating backdoors for attackers. Instead we (only) collect information about the following:
- a USB Stick is connected to one of our client systems
- a file is opened from the stick
- a macro in a Microsoft Office Document has been activated
- a username has been entered in a basic auth web request
Hopefully collecting and analyzing this information is enough for an awareness campaign to educate employees about the danger of connecting unknown USB devices to their computers.
What’s the idea
We use a webserver and/or Logging/Monitoring to document the interactions with the USB Sticks.
The plan:
- Insertion of the USB sticks is logged by (for example) SCCM or Microsoft Defender
- Every file contains a link to a file on our webserver.
- If the file is opened, this link is requested from the webserver
- The webserver can request authentication
- The webserver writes the requests to the access.log
- We analyze the access.log
- We present the result
Requirements
The following is needed:
- a Webserver (with control over the configuration)
- USB Sticks
- the following bash script to create the file/folder structure for the USB Drives
- a PC where you can run a Linux bash script
- some Microsoft Office documents with a macro inside
- time
Script to create the USB Drives contents
The bash script requires the following files:
- copy.txt : list of files to copy to the usb stick(s). Format : SOURCE;DESTINATION
- files.txt : list of files to generate on the usb stick(s). Format: FILE;URL
- serial.txt : serial numbers of the usb stick(s)
- template.html : template file to generate files (from files.txt)
- evil.xlsm : example of an office document with macro
#!/bin/bash
# The serials of the USB sticks
SERIAL_FILE="./serial.txt"
# The file structure for the sticks is generated in this directory
# DANGER! Will be removed on run. Do NOT set this to an existing directory.
OUTPUT_DIR="./sticks"
# Text file that lists the files to generate (with relative path)
FILES="./files.txt"
# Text file that lists the files to copy to the stick
FILES_COPY="./copy.txt"
# HTML template (used for the generated files)
HTML_TEMPLATE="./template.html"

# sed helper function (escapes slashes and ampersands)
sedescvar () {
    sed -e 's/[\/&]/\\&/g' <<< "$1"
}

# Remove any previous output, then create a clean output directory
rm -rf "$OUTPUT_DIR"
mkdir -p "$OUTPUT_DIR"

while IFS= read -r s; do
    # Generate files from the template
    while IFS=';' read -r F_FILE F_URL; do
        F_DIR=$(dirname "$F_FILE")
        mkdir -p "$OUTPUT_DIR/$s/$F_DIR"
        cat "$HTML_TEMPLATE" > "$OUTPUT_DIR/$s/$F_FILE"
        echo "$F_URL"
        # Append the script line after the <title> line, then fill in the placeholders
        sed -i "/<title>/a $F_URL" "$OUTPUT_DIR/$s/$F_FILE"
        sed -i "s/#SERIAL/$s/g" "$OUTPUT_DIR/$s/$F_FILE"
        sed -i "s/#FILE/$(sedescvar "$F_FILE")/g" "$OUTPUT_DIR/$s/$F_FILE"
    done < "$FILES"
    # Copy files (create the destination directory first)
    while IFS=';' read -r C_SOURCE C_DEST; do
        C_DIR=$(dirname "$C_DEST")
        mkdir -p "$OUTPUT_DIR/$s/$C_DIR"
        cp "$C_SOURCE" "$OUTPUT_DIR/$s/$C_DEST"
    done < "$FILES_COPY"
done < "$SERIAL_FILE"
Example for files.txt:
Dokumente/passwort.docx.htm;<script src="https://MYWEBSERVER/usb-protected/#SERIAL/#FILE/script.js"></script>
Dokumente/gehalt.xlsx.htm;<script src="https://MYWEBSERVER/usb/#SERIAL/#FILE/script.js" async></script>
Bilder/test.jpg.htm;<script src="https://MYWEBSERVER/usb/#SERIAL/#FILE/script.js" async></script>
Bilder/test2.jpg.htm;<script src="https://MYWEBSERVER/usb/#SERIAL/#FILE/script.js" async></script>
Example for template.html
<!DOCTYPE html>
<html>
<head>
<title>Page Title</title>
</head>
<body>
<h1>This is a Heading</h1>
<p>This is a paragraph.</p>
</body>
</html>
Every line in files.txt creates a .htm file with template.html as template. After that, a JavaScript script src line is inserted, and the current serial number and the current file name are filled in.
If double-clicked, the file is opened in the web browser. The JavaScript is requested, and the webserver writes the request to the access log.
Example for copy.txt
evil.xlsm;evil.xlsm
Files in copy.txt will just be copied. The idea is to have an Office document with a macro. This macro, if activated, will send a request to our webserver, and this will also be logged in the webserver access log.
Example for serial.txt
1111111111111111111
2222222222222222222
3333333333333333333
Every line contains the serial number of a USB drive. We need this to differentiate between the requests in the access log and to identify the USB drive.
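The "We analyze the access.log" step from the plan could look like the following. This is an added example, not part of the original post: it assumes the webserver writes the Common/Combined Log Format and that request paths follow the files.txt URLs above. The function names and the sample log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post): summarise stick activity from access.log.
# Assumption: Common/Combined Log Format, i.e. field 3 = basic auth user,
# field 4 = "[timestamp", field 7 = request path.

# Constructed sample log lines; replace with the real access.log.
sample_log () {
cat <<'EOF'
192.0.2.10 - - [13/Mar/2025:09:12:01 +0100] "GET /usb/1111111111111111111/Bilder/test.jpg.htm/script.js HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Mar/2025:09:13:40 +0100] "GET /usb-protected/1111111111111111111/Dokumente/passwort.docx.htm/script.js HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - jdoe [13/Mar/2025:09:13:52 +0100] "GET /usb-protected/1111111111111111111/Dokumente/passwort.docx.htm/script.js HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.77 - - [13/Mar/2025:11:02:09 +0100] "GET /usb/2222222222222222222/Dokumente/gehalt.xlsx.htm/script.js HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.77 - - [13/Mar/2025:11:05:30 +0100] "GET /usb/2222222222222222222/Dokumente/gehalt.xlsx.htm/script.js HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.5 - - [13/Mar/2025:12:00:00 +0100] "GET /robots.txt HTTP/1.1" 404 153 "-" "bot"
EOF
}

# Reads the log from file $1 (or stdin) and prints one line per
# stick, file and user: SERIAL;FILE;USER;HITS;FIRST_SEEN
summarize_usb_hits () {
    awk '
    $7 ~ "^/usb(-protected)?/[^/]+/.+/script[.]js$" {
        path = $7
        sub("^/usb(-protected)?/", "", path)    # drop the URL prefix
        sub("/script[.]js$", "", path)          # drop the script name
        serial = path; sub("/.*", "", serial)   # first segment = stick serial
        file = path; sub("^[^/]+/", "", file)   # remainder = file on the stick
        key = serial ";" file ";" $3            # $3 is "-" when no user was sent
        if (!(key in hits)) first[key] = substr($4, 2)
        hits[key]++
    }
    END { for (k in hits) print k ";" hits[k] ";" first[k] }
    ' "${1:--}" | LC_ALL=C sort
}

sample_log | summarize_usb_hits
```

Rows whose USER column is not `-` are the requests where a username was entered at the basic auth prompt.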
Remarks
Not the best documentation, I know. Use at your own risk. Send me a mail if this was helpful.