USB Rubber Ducky Detection Patterns
USB Rubber Ducky detection patterns for blue teams — spotting HID injection with Sigma, USB device control and AppLocker hardening, and MITRE ATT&CK mapping.
USB Rubber Ducky detection cannot rely on blocking USB storage, because the device is not storage — it registers as a HID keyboard and types. Antivirus sees nothing, because there is no malicious file, only keystrokes. The detectable pattern is behavioral: a new keyboard enumerates and, within a second or two, a Run dialog or PowerShell launches and types faster than any human. This guide ships the Sigma rules for that pattern and the layered hardening that blocks the payload even when the keystrokes land.
A Rubber Ducky (or any BadUSB device — Bash Bunny, a malicious cable, a Flipper Zero in BadUSB mode) is a hardware addition: MITRE ATT&CK T1200 — Hardware Additions, with the injected commands mapping to T1059.001 — PowerShell.
What is a USB Rubber Ducky attack?
A USB Rubber Ducky is a keystroke-injection tool shaped like a flash drive. When plugged in, it announces itself to the operating system as a keyboard and “types” a pre-programmed payload at machine speed — opening a Run dialog, launching PowerShell, and executing commands in the few seconds it takes to walk past an unlocked machine. Because the OS trusts keyboards implicitly, there is no permission prompt.
This is why it defeats the obvious controls. Blocking USB storage does nothing to a keyboard. Antivirus has no file to scan. The attack is the typing, so the defense has to model the typing — and what it spawns, the same way command injection detection watches what a process spawns rather than the input string alone.
What does a HID-injection attack look like in telemetry?
| Stage | What happens | Telemetry fingerprint |
|---|---|---|
| Enumeration | Device registers as a HID keyboard | New HID keyboard device event |
| Trigger | Run dialog / terminal opened | explorer.exe → Run, or shell launch |
| Payload | Commands typed at machine speed | Script host/PowerShell within ~1–2s of enumeration |
| Execution | Download/exec, persistence | PowerShell → outbound connection, child processes |
The defining fingerprint is timing and sequence: a keyboard appears and a scripting host runs almost immediately. No human plugs in a keyboard and launches PowerShell in under two seconds.
How to detect USB Rubber Ducky / HID injection
The detection chains a new HID keyboard to the process activity that follows it within seconds.
title: New HID Keyboard Attached Then Rapid Script-Host Launch
id: 2b8f4d61-darkpwn-illustrative
status: experimental
logsource:
product: windows
category: process_creation
detection:
trigger:
ParentImage|endswith: '\explorer.exe'
Image|endswith: ['\powershell.exe','\cmd.exe','\wscript.exe','\mshta.exe']
timeframe: 5s
condition: trigger
falsepositives:
- Power users launching shells from Explorer (correlate with a HID device-add event)
level: medium Correlate that with the device-arrival event for high fidelity — a HID keyboard enumerating (Windows Event ID 6416 / DriverFrameworks-UserMode, or your EDR’s device-add telemetry) seconds before the shell launch.
title: Suspicious Run-Dialog Activity After HID Device Add
id: 9e3a1c75-darkpwn-illustrative
status: experimental
logsource:
product: windows
service: security
detection:
device_add:
EventID: 6416
ClassName: 'Keyboard'
condition: device_add
falsepositives:
- Genuinely new keyboards/KVMs (allowlist known device instance IDs)
level: low How to test your HID-injection detection
On a lab machine you own:
- Use an authorized keystroke-injection device (or a scripted HID emulator) to run a benign payload that just opens a Run dialog and echoes text.
- Confirm the device-add and rapid-script-host rules both fire and correlate.
- Confirm application allowlisting blocks an actual payload (e.g., a script the keystrokes try to run).
- Replay a real human plugging in a keyboard and using PowerShell to confirm the timing window keeps false positives low.
How to prevent HID injection
- Block new HID devices by default on high-value endpoints; allowlist known keyboard instance IDs.
- Auto-lock on idle and enforce short lock timeouts — most Ducky attacks need an unlocked, unattended machine.
- Restrict
mshta,wscript, and unsigned scripts so common payloads fail.
Common HID-injection detection mistakes
- Relying on USB storage blocks. The Ducky is a keyboard; storage policy is irrelevant.
- Expecting antivirus to catch it. There is no file — only keystrokes.
- No device-add telemetry. Without it, you lose the highest-fidelity correlation.
- Ignoring screen-lock policy. The attack usually needs an unattended unlocked session.
USB Rubber Ducky detection checklist
- Collect HID device-add telemetry (Event ID 6416 / EDR device events).
- Deploy the new-keyboard-then-rapid-script-host correlation in the SIEM.
- Allowlist known keyboard/KVM device instance IDs; alert on new HID keyboards.
- Enforce USB device control that blocks new HID devices by default on key endpoints.
- Deploy application allowlisting (AppLocker/WDAC) to block payload execution.
- Use constrained-language PowerShell; disable the Run dialog via GPO.
- Restrict
mshta/wscript/unsigned scripts. - Enforce short auto-lock timeouts; test the detection in a lab.
The takeaway
USB Rubber Ducky detection is behavioral, not signature-based: a HID keyboard enumerates and a script host launches faster than a human could type. Detect that correlation, and layer USB device control with application allowlisting so the payload fails even when the keystrokes succeed. The same HID-injection threat at firmware scale is BadUSB — controls for engineering teams. Continue with Flipper Zero NFC risk and WiFi deauthentication detection, or browse the full Hardware Security pillar.
Training & tools referenced
Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.
- TryHackMeAuthorized labs to practice HID-injection detection and endpoint hardeningSecurity TrainingStart training
Frequently asked questions
How do you detect a USB Rubber Ducky?
A Rubber Ducky registers as a HID keyboard, so you cannot block it by USB mass-storage policy. Detect the behavior instead: a new HID keyboard device enumerating immediately followed by rapid scripted input — a Run dialog, PowerShell, or a command shell launching within seconds of the device attaching, faster than a human types.
Why can't antivirus stop a USB Rubber Ducky?
The Ducky injects keystrokes; it runs no file of its own, so there is nothing for signature-based antivirus to scan. The payload is whatever the typed commands do. Detection must focus on the input behavior and the processes the keystrokes spawn, not on a malicious file.
How do you prevent HID injection attacks?
Layer controls: USB device control that allowlists approved HID devices, application allowlisting (AppLocker/WDAC) to block the payloads keystrokes try to run, disabling the Run dialog and constrained-language PowerShell via policy, and screen-lock discipline so an unattended unlocked machine is not available.
What MITRE ATT&CK techniques map to a USB Rubber Ducky?
The device itself maps to T1200 (Hardware Additions); the keystroke-injected commands typically map to T1059.001 (PowerShell) or other Command and Scripting Interpreter sub-techniques depending on the payload.