wav3

Thoughts from someone in the Cybersecurity Incident Response frequency on the electromagnetic spectrum

Hi Everyone! It's me, your friendly Wav3. This is a continuation of Grumpy Goose Labs' coverage of KVM over IP devices in our posts Hold Me Closer, TinyPilot and Unemployfuscation by the Greatest of Gooses, Jim, and myself. Today, we're working through some of the devices we've researched in relation to DPRK and fraudulent IT workers. While I cannot confirm nor deny the usage of these devices by DPRK specifically, I will meme it up like crazy for my boy Kim “Bussin Burgers” Jong Un.

As we've stated in our previous posts, there are a few items to consider when trying to detect malicious USB/HDMI/DisplayPort related devices. This post is aimed more at those who, if you know, you know.

Let's break down the objectives we've laid out previously. We know that KVM over IP devices typically require the following connections:

  • USB
  • HDMI
  • USB to HDMI

Also, knowing that some of the devices are capable of both line-in and line-out audio (speaker and microphone), there's a hook there we can leverage. HDMI connections are typically pretty interesting to look at, especially when most of these KVM over IP open source projects rely on 99% vibe coding.

We've already mostly covered USB devices, and now, understanding all these HDMI related items, we can ask the following questions:

  • What monitor are they using? Is Chet from Accounting on Team Liquid and using a 260 Hz refresh rate gaming monitor?
  • What resolution are the monitors running at? Is Chet from Accounting using his gaming monitor at only 1080p for those quick flicks?
  • What refresh rate is the monitor capable of, and what is it currently running at? Is the 260 Hz capable ultra gaming monitor running at a 30 Hz refresh rate?
  • Is this monitor capable of audio? If it is, is it the only audio line-out source?
  • What microphone is the workstation using?

So I assume that because all these EDR tools have focused so hard on shoving as much AI into their products as possible, they have ignored gathering telemetry relating to HDMI/display and audio devices. SHAME.

So now you have to manually run scripts on each of your endpoints to gather data points such as:

  • HDMI Connections
  • Display Configurations
  • Audio Devices
  • Surrounding WiFi BSSIDs
  • Recent WiFi Connections
  • Saved WiFi Profiles

BUT AI IS GREAT AND MADE MOST OF THESE PICTURES.

I would provide what I have, but then I'd expose my vibe coding and my hatred of the worst thing ever conceived, PowerShell… There are also a number of ways to achieve this, but I don't want to turn this into a Security Architecture discussion. I'll just say that PowerShell will be thousands of characters worth of script and macOS/Linux will be barely 100.
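Every answer to the questions above (which monitor, what resolution, what refresh rate) and every display field in the indicator dump further down comes from the monitor's EDID; WmiMonitorID just unpacks it. The following is an added Python example, mine and not the author's collection script: it assembles an EDID base block from the TinyPilot values in the dump (a constructed sample, not bytes captured from a device) and parses it back the way Windows does, showing where InstanceName DISPLAY\TSB9876, the serial, the name and the 30 Hz rate come from. The rule that SerialNumberID falls back to the 32-bit base-block serial when no serial-string descriptor exists is my understanding of WmiMonitorID, not something the page states.

```python
"""Parse an EDID base block into the fields Windows exposes through WmiMonitorID
(ManufacturerName, ProductCodeID, SerialNumberID, UserFriendlyName, Week/YearOfManufacture)
plus the preferred video mode and the refresh rate it implies. Added example, not the
author's collection script; the sample block is constructed from the TinyPilot values
in the indicator dump, not captured from hardware."""
import struct
from dataclasses import dataclass

EDID_HEADER = b"\x00\xff\xff\xff\xff\xff\xff\x00"
BLANK_DESCRIPTOR = bytes([0, 0, 0, 0x10]) + bytes(14)      # "dummy" descriptor tag


def pnp_id(mfr: str) -> bytes:
    """Three letters (A=1 .. Z=26) packed into 5-bit fields, big-endian, top bit clear."""
    a, b, c = (ord(ch) - 64 for ch in mfr.upper())
    return struct.pack(">H", (a << 10) | (b << 5) | c)


def detailed_timing(pixel_khz: int, hact: int, hblank: int, vact: int, vblank: int) -> bytes:
    """Detailed timing descriptor; sync, border and image-size fields are left zero."""
    d = bytearray(18)
    struct.pack_into("<H", d, 0, pixel_khz // 10)           # pixel clock in 10 kHz units
    d[2], d[3], d[4] = hact & 0xFF, hblank & 0xFF, ((hact >> 8) << 4) | (hblank >> 8)
    d[5], d[6], d[7] = vact & 0xFF, vblank & 0xFF, ((vact >> 8) << 4) | (vblank >> 8)
    return bytes(d)


def text_descriptor(tag: int, text: str) -> bytes:
    """Monitor descriptor (0xFC name, 0xFF serial string): 13 ASCII bytes, LF-terminated, space padded."""
    return bytes([0, 0, 0, tag, 0]) + (text + "\n").ljust(13)[:13].encode("ascii")


def build_edid(mfr, product, serial, week, year, name, timing, serial_text=None) -> bytes:
    """Assemble a checksummed 128-byte EDID 1.4 base block around the given identity."""
    e = bytearray(128)
    e[0:8] = EDID_HEADER
    e[8:10] = pnp_id(mfr)
    struct.pack_into("<HI", e, 10, product, serial)          # product code, 32-bit serial
    e[16], e[17], e[18], e[19] = week, year - 1990, 1, 4     # week, year offset, version 1.4
    e[38:54] = b"\x01\x01" * 8                               # standard timings: all unused
    descs = [timing, text_descriptor(0xFC, name),
             text_descriptor(0xFF, serial_text) if serial_text is not None else BLANK_DESCRIPTOR,
             BLANK_DESCRIPTOR]
    for i, d in enumerate(descs):                            # four 18-byte slots at 54, 72, 90, 108
        e[54 + 18 * i:72 + 18 * i] = d
    e[127] = (-sum(e[:127])) & 0xFF                          # all 128 bytes must sum to 0 mod 256
    return bytes(e)


@dataclass
class MonitorInfo:
    manufacturer: str
    product_code: int
    serial: str
    name: str
    week: int
    year: int
    width: int
    height: int
    refresh_hz: float

    @property
    def instance_name(self) -> str:
        # Windows names the device DISPLAY\<PnP id><product code as 4 hex digits>, e.g. DISPLAY\TSB9876
        return f"DISPLAY\\{self.manufacturer}{self.product_code:04X}"


def parse_edid(e: bytes) -> MonitorInfo:
    if len(e) < 128 or e[:8] != EDID_HEADER:
        raise ValueError("not an EDID base block")
    if sum(e[:128]) & 0xFF:
        raise ValueError("EDID checksum mismatch")
    mid = struct.unpack(">H", e[8:10])[0]
    manufacturer = "".join(chr(64 + ((mid >> s) & 0x1F)) for s in (10, 5, 0))
    product, serial32 = struct.unpack("<HI", e[10:16])
    week, year = e[16], e[17] + 1990
    t = e[54:72]                                              # descriptor 1 is the preferred timing
    clock_hz = struct.unpack("<H", t[:2])[0] * 10_000
    hact, hblank = t[2] | ((t[4] >> 4) << 8), t[3] | ((t[4] & 0x0F) << 8)
    vact, vblank = t[5] | ((t[7] >> 4) << 8), t[6] | ((t[7] & 0x0F) << 8)
    refresh = clock_hz / ((hact + hblank) * (vact + vblank))   # frames per second
    name, serial_text = "", None
    for off in (72, 90, 108):                                 # remaining slots hold monitor descriptors
        d = e[off:off + 18]
        if d[:3] == b"\x00\x00\x00":
            text = d[5:18].split(b"\n")[0].decode("ascii", "replace").strip()
            if d[3] == 0xFC:
                name = text
            elif d[3] == 0xFF:
                serial_text = text
    # Assumption about WmiMonitorID: SerialNumberID is the 0xFF string when present, else the
    # 32-bit base-block serial in decimal (which is how values like 2290649088 show up in the dump).
    serial = serial_text if serial_text is not None else str(serial32)
    return MonitorInfo(manufacturer, product, serial, name, week, year, hact, vact, round(refresh, 2))


# Constructed sample: the TinyPilot Voyager 2A identity from the dump, 1920x1080 at 30 Hz
# (74.25 MHz pixel clock over a 2200 x 1125 total raster).
TINYPILOT_EDID = build_edid("TSB", 0x9876, 2290649088, 45, 2020, "TinyPilot",
                            detailed_timing(74_250, 1920, 280, 1080, 45))

if __name__ == "__main__":
    print(parse_edid(TINYPILOT_EDID))
```

On a real endpoint the raw block comes from the EDID value under the monitor's device key in the registry or from the WmiGetMonitorRawEEdidV1Block method of WmiMonitorDescriptorMethods in root\wmi; feeding those 128 bytes to parse_edid gives the same InstanceName, serial, name and refresh rate that the dump lists, so the indicators can be checked from an offline copy of the bytes as well as from WMI.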

Let's just jump into the fun stuff:

Updated CrowdStrike query to hunt for KVM over IP devices using my previous ConfigurationDescriptorName method. Maybe get fancy and add ConfigurationDescriptorNumInterfaces, ConfigurationDescriptorMaxPowerDraw, DeviceInstanceId…


#event_simpleName = "DcUsbConfigurationDescriptor" OR #event_simpleName = "DcUsbHIDDescriptor" OR #event_simpleName = /DcUsb/i
| join({#event_simpleName = "DcUsbConfigurationDescriptor" (ConfigurationDescriptorName=/Config [0-9]: */i OR ConfigurationDescriptorName=/licheervnano/i OR ConfigurationDescriptorName=/NanoKVM/i OR ConfigurationDescriptorName=/Glinet/i)}, field=DeviceDescriptorSetHash, key=DeviceDescriptorSetHash)
| (#event_simpleName = /DcUsb/i OR #event_simpleName = "DcUsbConfigurationDescriptor")
| groupby(field=[ComputerName, DeviceDescriptorSetHash], function=[collect([ComputerName, aid, ConfigurationDescriptorName, DeviceManufacturer, DeviceProduct, DeviceSerialNumber, DevicePropertyDeviceDescription, #event_simpleName]), selectLast([@timestamp])])
| table([@timestamp, ComputerName, aid, ConfigurationDescriptorName, DeviceManufacturer, DeviceProduct, DeviceSerialNumber, DevicePropertyDeviceDescription, DeviceDescriptorSetHash, #event_simpleName])

We've been busy obtaining indicators for KVM over IP devices for the following:

  • Audio Device
  • USB Display
  • Display Resolution
  • Display Refresh Rate

So here's a dump for the following KVM over IP devices that we've reviewed (there are more that are not listed here, but good luck):

  • PiKVM
  • TinyPilot
  • BliKVM (hot garbage award)
  • Openterface (not technically over IP, also hot garbage)
  • NanoKVM
  • JetKVM

This will only cover default settings that the user can toggle in the settings menus. This information is from the latest device firmware (as of Nov 2025).

KVM Over IP Indicators

PiKVM

Observed OUI:

        28:CD:C1
        2C:CF:67
        88:A2:9E
        8C:1F:64:34:A
        D8:3A:DD
        DC:A6:32
        E4:5F:01
        F0:40:AF:9

    DEFAULT #1

        ConfigurationDescriptorName: Config 1: PiKVM
        DeviceManufacturer: PiKVM
        DeviceProduct: Composite KVM Device
        DeviceSerialNumber: CAFEBABE
        DevicePropertyDeviceDescription: USB Composite Device
        ConfigurationDescriptorMaxPowerDraw: 125
        ConfigurationDescriptorNumInterfaces: 3

        DeviceInstanceId: USB\VID_1D68&PID_0104\CAFEBABE

    DEFAULT #2

        ConfigurationDescriptorName:
        DeviceManufacturer: PiKVM
        DeviceProduct: PiKVM Composite Device
        DeviceSerialNumber: CAFEBABE
        DevicePropertyDeviceDescription: USB Composite Device
        ConfigurationDescriptorMaxPowerDraw:
        ConfigurationDescriptorNumInterfaces:

        DeviceInstanceId: USB\VID_1D68&PID_0104\CAFEBABE

TinyPilot Voyager 2A

Observed OUI: D8:3A:DD

    DEFAULT

        ConfigurationDescriptorName: Config 1: ECM network
        DeviceManufacturer: tinypilot
        DeviceProduct: Multifunction USB Device
        DeviceSerialNumber: 6b65796d696d6570690
        DevicePropertyDeviceDescription: USB Composite Device
        ConfigurationDescriptorMaxPowerDraw: 125
        ConfigurationDescriptorNumInterfaces: 2
        ConfigurationDescriptorNumInterfaces (w/CDROM): 2

        DeviceInstanceId: USB\VID_1D6B&PID_0104\6b65796d696d6570690

    HDMI Default EDID - Toshiba

        InstanceName: DISPLAY\TSB9876
        ManufacturerName: TSB
        SerialNumberID: 2290649088
        UserFriendlyName: TinyPilot
        WeekOfManufacture: 45
        YearOfManufacturer: 2020

        VideoModeDescription: 1920 x 1080
        CurrentRefreshRate: 30


    Audio Devices

        TinyPilot (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
        Connector (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*


GLiNET Comet

Observed OUI: 94:83:C4

    DEFAULT

            *NOTE v1.3.0

            ConfigurationDescriptorName: Config 1: GLKVM device
            DeviceManufacturer: GLKVM
            DeviceProduct: Composite KVM Device
            DeviceSerialNumber: CAFEBABE
            DevicePropertyDeviceDescription: USB Composite Device
            ConfigurationDescriptorMaxPowerDraw: 125
            ConfigurationDescriptorNumInterfaces: 4

            DeviceInstanceId: USB\VID_1D6B&PID_0104\CAFEBABE


            *NOTE v1.5.0

            ConfigurationDescriptorName: Glinet device
            DeviceManufacturer: Glinet
            DeviceProduct: Composite KVM Device
            DeviceSerialNumber: CAFEBABE
            DevicePropertyDeviceDescription: USB Composite Device
            ConfigurationDescriptorMaxPowerDraw: 125
            ConfigurationDescriptorNumInterfaces: 5
            ConfigurationDescriptorNumInterfaces (enabling microphone/speakers): 7

            DeviceInstanceId: USB\VID_1D6B&PID_0104\CAFEBABE


        HDMI Default EDID - GLiNet

            InstanceName: DISPLAY\GLIC21C
            ManufacturerName: GLI
            SerialNumberID: 891247
            UserFriendlyName: GLIKVM
            WeekOfManufacture: 8
            YearOfManufacturer: 2021

            VideoModeDescription: 2560 x 1440
            CurrentRefreshRate: 59


        Audio Devices

            GLKVM (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
            Microphone (Source/Sink)) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*


    Builtin Obfuscation #1 - 1080P ASUS + Logitech Inc Keyboard

            *NOTE v1.5.0

            ConfigurationDescriptorName: Glinet device
            DeviceManufacturer: Logitech Inc
            DeviceProduct: Logitech, Inc. Unifying Receiver
            DeviceSerialNumber: CAFEBABE
            DevicePropertyDeviceDescription: USB Composite Device
            ConfigurationDescriptorMaxPowerDraw: 125
            ConfigurationDescriptorNumInterfaces: 7

            DeviceInstanceId: USB\VID_046D&PID_C526\CAFEBABE


        HDMI ASUS EDID -

            InstanceName: DISPLAY\AUS24B2
            ManufacturerName: AUS
            SerialNumberID: L8LMQS075392
            UserFriendlyName: ROG PG248Q
            WeekOfManufacture: 33
            YearOfManufacturer: 2020
            VideoModeDescription: 1920 x 1080
            CurrentRefreshRate: 60

        Audio Devices

            ROG PG248Q (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
            Microphone (Source/Sink)) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*


    Builtin Obfuscation #2 - 2k ViewSonic + Corsair Gaming RGB

            *NOTE v1.5.0

            ConfigurationDescriptorName: Glinet device
            DeviceManufacturer: Corsair
            DeviceProduct: Corsair Gaming RGB
            DeviceSerialNumber: CAFEBABE
            DevicePropertyDeviceDescription: USB Composite Device
            ConfigurationDescriptorMaxPowerDraw: 125
            ConfigurationDescriptorNumInterfaces: 7

            DeviceInstanceId: USB\VID_6940&PID_6973\CAFEBABE


        HDMI ViewSonic EDID -

            InstanceName: DISPLAY\VSC2F34
            ManufacturerName: VSC
            SerialNumberID: UYL203620714
            UserFriendlyName: VX2478-2
            WeekOfManufacture: 36
            YearOfManufacturer: 2020
            VideoModeDescription: 2560 x 1440
            CurrentRefreshRate: 59

        Audio Devices

            VX2478-2 (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
            Microphone (Source/Sink)) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*


    Builtin Obfuscation #3 - 4K GLIKVM + DELL Keyboard

            *NOTE v1.5.0

            ConfigurationDescriptorName: Glinet device
            DeviceManufacturer: Dell Inc
            DeviceProduct: Dell Computer Corp. Multimedia Pro Keyboard
            DeviceSerialNumber: CAFEBABE
            DevicePropertyDeviceDescription: USB Composite Device
            ConfigurationDescriptorMaxPowerDraw: 125
            ConfigurationDescriptorNumInterfaces: 7

            DeviceInstanceId: USB\VID_413C&PID_2011\CAFEBABE


        HDMI ViewSonic EDID -

            InstanceName: DISPLAY\LTM3132
            ManufacturerName: LTM
            SerialNumberID: 2290649088
            UserFriendlyName: Lontium semi
            WeekOfManufacture: 32
            YearOfManufacturer: 2020
            VideoModeDescription: 3840 x 2160
            CurrentRefreshRate: 30

        Audio Devices

            Lontium semi (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
            Microphone (Source/Sink)) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*

    Builtin Obfuscation #4 - Microsoft Wireless Keyboard ONLY

            *NOTE v1.5.0

            ConfigurationDescriptorName: Glinet device
            DeviceManufacturer: Microsoft Corporation
            DeviceProduct: Microsoft Corporation Wireless Multimedia Keyboard
            DeviceSerialNumber: CAFEBABE
            DevicePropertyDeviceDescription: USB Composite Device
            ConfigurationDescriptorMaxPowerDraw: 125
            ConfigurationDescriptorNumInterfaces: 7

            DeviceInstanceId: USB\VID_045E&PID_005F\CAFEBABE


JetKVM - APP 0.4.8 System 0.2.5

Observed OUI: 80:34:28

    DEFAULT

            ConfigurationDescriptorName: Config 1: HID
            DeviceManufacturer: JetKVM
            DeviceProduct: JetKVM USB Emulation Device
            DeviceSerialNumber:
            DevicePropertyDeviceDescription: USB Composite Device
            ConfigurationDescriptorMaxPowerDraw: 125
            ConfigurationDescriptorNumInterfaces: 4

            DeviceInstanceId: USB\VID_1D6B&PID_0104\CAFEBABE


        HDMI Default EDID

            InstanceName: DISPLAY\TSB8801
            ManufacturerName: TSB
            SerialNumberID: 2290649088
            UserFriendlyName: T749-fHD720
            WeekOfManufacture: 28
            YearOfManufacturer: 2011

            VideoModeDescription: 1920 x 1080
            CurrentRefreshRate: 60


                Audio Devices

                T749-fHD720 (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*


        HDMI Default EDID Obfuscation 1: Acer B246WL, 1920x1200

            InstanceName: DISPLAY\ACR0565
            ManufacturerName: ACR
            SerialNumberID: T8NEE0038522
            UserFriendlyName: B246WL
            WeekOfManufacture: 16
            YearOfManufacturer: 2020

            VideoModeDescription: 1920 x 1080
            CurrentRefreshRate: 60

                Audio Devices

                NONE OBSERVED

        HDMI Default EDID Obfuscation 2: ASUS PA248QV 1920x1200

            InstanceName: DISPLAY\AUS2487
            ManufacturerName: AUS
            SerialNumberID: M1LMQS052157
            UserFriendlyName: PA248QV
            WeekOfManufacture: 2
            YearOfManufacturer: 2021

            VideoModeDescription: 1920 x 1080
            CurrentRefreshRate: 60

                Audio Devices

                PA248QV (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*


        HDMI Default EDID Obfuscation 3: D2721H, 1920x1080

            InstanceName: DISPLAY\DEL2013
            ManufacturerName: DEL
            SerialNumberID: 3S5GQ23
            UserFriendlyName: DELL D2721H
            WeekOfManufacture: 32
            YearOfManufacturer: 2020

            VideoModeDescription: 1920 x 1080
            CurrentRefreshRate: 60

                Audio Devices

                NONE OBSERVED

        HDMI Default EDID Obfuscation 4: DELL iDrac EDID 1280x1024

            InstanceName: DISPLAY\DEL0001
            ManufacturerName: DEL
            SerialNumberID: 0000000000000
            UserFriendlyName: DELL IDRAC
            WeekOfManufacture: 1
            YearOfManufacturer: 2007

            VideoModeDescription: 1280 x 1024
            CurrentRefreshRate: 60

                Audio Devices

                NONE OBSERVED


NanoKVM - Application v2.2.0 and v2.2.9

Observed OUI: 48:DA:35:60:*

    DEFAULT

            ConfigurationDescriptorName: NanoKVM
            DeviceManufacturer: sipeed
            DeviceProduct: NanoKVM
            DeviceSerialNumber: 0123456789ABCDEF
            DevicePropertyDeviceDescription: USB Composite Device
            ConfigurationDescriptorMaxPowerDraw: 60
            ConfigurationDescriptorNumInterfaces: 6

            DeviceInstanceId: USB\VID_3346&PID_1009\0123456789ABCDEF


        HDMI Default EDID

            InstanceName: DISPLAY\VCS1145
            ManufacturerName: VCS
            SerialNumberID: 4527409
            UserFriendlyName: Connector
            WeekOfManufacture: 0
            YearOfManufacturer: 2021

            VideoModeDescription: 1920 x 1080
            CurrentRefreshRate: 60


                Audio Devices

                Connector (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*

    HID-ONLY Mode (only serial number removed)

            ConfigurationDescriptorName: NanoKVM
            DeviceManufacturer: sipeed
            DeviceProduct: NanoKVM
            DeviceSerialNumber:
            DevicePropertyDeviceDescription: USB Composite Device
            ConfigurationDescriptorMaxPowerDraw: 60
            ConfigurationDescriptorNumInterfaces: 6

            DeviceInstanceId: USB\VID_3346&PID_1009\0123456789ABCDEF


Openterface

Observed OUI: N/A

    DEFAULT

        ConfigurationDescriptorName:
        DeviceManufacturer: WWW.WCH.CN
        DeviceProduct: WCH UART TO KB-MS_V1.8
        DeviceSerialNumber: 2019B152ED98
        DevicePropertyDeviceDescription: USB Composite Device
        ConfigurationDescriptorMaxPowerDraw: 50
        ConfigurationDescriptorNumInterfaces: 4

        DeviceInstanceId: USB\VID_1A86&PID_E329\2019B152ED98

    HDMI Default EDID -

        InstanceName: DISPLAY\HJW0001
        ManufacturerName: HJW
        SerialNumberID: 1
        UserFriendlyName: HD TO USB
        WeekOfManufacture: 1
        YearOfManufacturer: 2019

        VideoModeDescription: 1920 x 1080
        CurrentRefreshRate: 60


    Audio Devices

        HD TO USB (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*


BliKVM - v2.2.1-alpha

Observed OUI: 12:00:0f:*

    DEFAULT

            ConfigurationDescriptorName: Config 1: ECM network
            DeviceManufacturer: BliKVM
            DeviceProduct: Multifunction
            DeviceSerialNumber: 6b65796d696d6570690
            DevicePropertyDeviceDescription: USB Composite Device
            ConfigurationDescriptorMaxPowerDraw: 125
            ConfigurationDescriptorNumInterfaces: 4

            DeviceInstanceId: USB\VID_1D6B&PID_0106\6b65796d696d6570690


        HDMI Default EDID

            InstanceName: DISPLAY\HJW0001
            ManufacturerName: HJW
            SerialNumberID: 1
            UserFriendlyName: HDMI TO USB
            WeekOfManufacture: 1
            YearOfManufacturer: 2019

            VideoModeDescription: 1920 x 1080
            CurrentRefreshRate: 60

Using the above, you can hunt for devices to your heart's desire, make educated correlations, contribute data points to risk analytics, etc. Interesting point to note: any device that allows for a microphone will mount a “Microphone (Source/Sink)) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}” device and an audio device associated with the obfuscated display EDID.

Focusing on network neighbors on the endpoint's local LAN. Please understand that some of these OUIs might also belong to travel routers, etc. A brain is required when reviewing the output of the hunt query below. Also, credit to Jim:


#repo=base_sensor #event_simpleName=NeighborListIP4 ComputerName=*
"28-CD-C1" OR "2c-CF-67" OR "3A-35-41" OR "B8-27-EB" OR "D8-3A-DD" OR "DC-A6-32" OR "E4-5F-01" OR "80-34-28" OR "94-83-C4" OR "48-DA-35"
| in(name, values=[NeighborListIP4V2, NeighborListIP4MacV1])
| name match { "NeighborListIP4MacV1" => replace("([^|]*\|[^|]*\|[^|]*)\|?", with="$1;", field=NeighborList); * => NeighborList := NeighborList;}
| NeighborListSplit := splitString(NeighborList, by=";")
| split(NeighborListSplit)
| NeighborListSplit != ""
| NeighborList := splitString(NeighborListSplit, by="|")
| neighbor_mac := NeighborList[0]
| neighbor_localAddressIp4 := NeighborList[1] | router := NeighborList[2]
| neighborName := NeighborList[3]
| in(field="neighbor_mac", values=["28-CD-C1*", "2C-CF-67*", "3A-35-41*", "B8-27-EB*", "D8-3A-DD*", "DC-A6-32*", "E4-5F-01*", "80-34-28*", "94-83-C4*", "48-DA-35*"], ignoreCase=true)
| groupBy([ComputerName, neighbor_localAddressIp4], function=[collect([neighbor_mac, neighbor_localAddressIp4]), count(neighbor_mac, distinct=true, as=distinct_mac_count)])
| sort(distinct_mac_count, limit=20000)

Please note this is not inclusive of all OUIs listed in my data dump further up. Go nuts and add them in if you'd like.
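To tie the indicator dump and the neighbor query together, here is an added Python example, mine and not the author's script or Jim's query, that runs the same hunts offline over collected host telemetry. Everything it consumes is constructed: the NeighborList string is built in the 'mac|ip|router|name' records-joined-by-';' shape that the query above splits on (an assumption about the sensor field taken from the query itself, not from documentation), and the monitor and audio-endpoint records reuse names from the dump. It goes a little beyond the query by honouring the longer prefixes in the dump such as 8C:1F:64:34:A as string prefixes rather than 24-bit OUIs, by grading EDID matches (a stock KVM EDID versus an obfuscation preset that a genuine monitor of that model would present too), and by encoding the Source/Sink microphone observation from above.

```python
"""Offline version of the hunts this post describes, run over collected host telemetry.
Added example, not the author's script or Jim's query. All telemetry below is constructed:
the NeighborList string follows the 'mac|ip|router|name' records-joined-by-';' layout the
query above splits on (an assumption about the sensor field taken from the query itself),
and the monitor / audio-endpoint names are the ones the indicator dump lists."""
import re

# MAC prefixes from the dump. Lengths differ (24-bit OUIs next to longer blocks such as
# 8C:1F:64:34:A), so compare as hex string prefixes rather than slicing a fixed 3 bytes.
KVM_MAC_PREFIXES = {
    "PiKVM": ["28:CD:C1", "2C:CF:67", "88:A2:9E", "8C:1F:64:34:A", "D8:3A:DD", "DC:A6:32", "E4:5F:01", "F0:40:AF:9"],
    "TinyPilot": ["D8:3A:DD"],
    "GLiNET Comet": ["94:83:C4"],
    "JetKVM": ["80:34:28"],
    "NanoKVM": ["48:DA:35:60"],
    "BliKVM": ["12:00:0F"],
}
# EDID identities from the dump. "stock" ids belong to the KVM firmware itself; "preset" ids are
# its built-in obfuscation choices, which a genuine monitor of that model would present as well.
KVM_DISPLAY_IDS = {
    "DISPLAY\\TSB9876": ("TinyPilot", "stock"), "DISPLAY\\GLIC21C": ("GLiNET Comet", "stock"),
    "DISPLAY\\LTM3132": ("GLiNET Comet 4K", "stock"), "DISPLAY\\TSB8801": ("JetKVM", "stock"),
    "DISPLAY\\VCS1145": ("NanoKVM", "stock"), "DISPLAY\\HJW0001": ("Openterface / BliKVM", "stock"),
    "DISPLAY\\DEL0001": ("JetKVM iDRAC preset", "preset"), "DISPLAY\\AUS24B2": ("GLiNET ASUS preset", "preset"),
    "DISPLAY\\VSC2F34": ("GLiNET ViewSonic preset", "preset"), "DISPLAY\\ACR0565": ("JetKVM Acer preset", "preset"),
    "DISPLAY\\AUS2487": ("JetKVM ASUS preset", "preset"), "DISPLAY\\DEL2013": ("JetKVM Dell preset", "preset"),
}


def mac_hex(mac: str) -> str:
    """'d8-3a-dd-12-34-56', 'D8:3A:DD...' or a partial prefix -> bare uppercase hex."""
    return re.sub(r"[^0-9A-F]", "", mac.upper())


def mac_prefix_hits(mac: str):
    """All (vendor, prefix) pairs the MAC falls under; a Raspberry Pi OUI maps to several products."""
    h = mac_hex(mac)
    return [(v, p) for v, ps in KVM_MAC_PREFIXES.items() for p in ps if h.startswith(mac_hex(p))]


def parse_neighbor_list(blob: str):
    recs = []
    for rec in blob.split(";"):
        if not rec:
            continue
        mac, ip, router, name = (rec.split("|") + [""] * 4)[:4]   # V1 records lack the name field
        recs.append({"mac": mac, "ip": ip, "router": router, "name": name})
    return recs


def hunt_neighbors(host: str, blob: str):
    return [{"host": host, "ip": n["ip"], "mac": n["mac"], "vendor": v, "prefix": p}
            for n in parse_neighbor_list(blob) for v, p in mac_prefix_hits(n["mac"])]


def hunt_displays(host: str, monitors):
    """monitors: dicts with the WmiMonitorID InstanceName and UserFriendlyName fields."""
    hits = []
    for m in monitors:
        key = "\\".join(m["InstanceName"].split("\\")[:2])   # drop the per-port suffix after DISPLAY\XXXnnnn
        if key in KVM_DISPLAY_IDS:
            label, tier = KVM_DISPLAY_IDS[key]
            hits.append({"host": host, "instance": key, "label": label,
                         "confidence": "high" if tier == "stock" else "low"})
    return hits


def hunt_audio(host: str, monitors, endpoints):
    """Observation from the dump: a mic-capable KVM mounts a 'Microphone (Source/Sink)' endpoint
    next to a display-audio endpoint named after whatever EDID it is currently presenting."""
    names = {m["UserFriendlyName"] for m in monitors}
    sink_mic = any(e.startswith("Microphone (Source/Sink)") for e in endpoints)
    display_audio = [e for e in endpoints
                     if "HD Audio Driver for Display Audio" in e and e.split(" (")[0] in names]
    if sink_mic and display_audio:
        return [{"host": host, "reason": "Source/Sink microphone alongside display audio", "endpoints": display_audio}]
    return []


# Constructed telemetry for one workstation
NEIGHBOR_LIST = ("d8-3a-dd-12-34-56|10.0.0.23|0|pikvm;8c-1f-64-34-ab-cd|10.0.0.40|0|;"
                 "00-1a-2b-3c-4d-5e|10.0.0.1|1|gateway;8c-1f-64-35-00-01|10.0.0.41|0|")
MONITORS = [{"InstanceName": "DISPLAY\\AUS24B2\\4&1a2b3c4d&0&UID0", "UserFriendlyName": "ROG PG248Q"}]
AUDIO_ENDPOINTS = ["Speakers (Realtek(R) Audio)", "Microphone (Source/Sink))",
                   "ROG PG248Q (#- HD Audio Driver for Display Audio)"]


def hunt_host(host: str):
    return (hunt_neighbors(host, NEIGHBOR_LIST) + hunt_displays(host, MONITORS)
            + hunt_audio(host, MONITORS, AUDIO_ENDPOINTS))


if __name__ == "__main__":
    for finding in hunt_host("WS-CHET"):
        print(finding)
```

The neighbor at 10.0.0.41 is deliberately one nibble past the 8C:1F:64:34:A block and is not flagged, while 10.0.0.23 lands on the shared Raspberry Pi OUI and is reported under both PiKVM and TinyPilot; that ambiguity is the same one the author warns about with travel routers, so treat MAC hits as a prompt to look at the USB and EDID evidence rather than as a verdict.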

Now wasn't that terrifying? Susan from HR went to a WeWork location with 50 Raspberry Pis on the LAN, and Chuck from Operations has 4 GLiNET devices for some reason and his surrounding SSIDs look funny?

Well, like before, I love you people. Please don't mess around with these on your work laptops. No matter what the YouTubers say…

Be gay, do crime.


Unemployfuscation

This is a repost of my original article on https://blog.grumpygoose.io for archiving purposes.

This is a continuation of Grumpy Goose Labs' coverage of KVM over IP devices by Jim. Today, Blue Teamer, we’re covering detection capabilities for obfuscated PiKVM and TinyPilot devices.


You saw Jim explain how popular these devices are becoming and the existential threat they pose to organizations that do not permit their usage, specifically because such organizations rely on the end user having some level of self-awareness of cybersecurity best practices both at work and at home. It’s only gotten more popular…

PiKVM Trend Graph on Shodan.io

TinyPilot Trend Graph on Shodan.io

The PiKVM and TinyPilot are remarkable Raspberry Pi-based devices with extensive potential, widely appreciated by digital nomads and technology enthusiasts alike. However, there is a significant concern: North Korean state-sponsored threat actors share a similar enthusiasm for leveraging such technologies. As you can see from Palo Alto Unit 42’s report:

“Hardware devices like TinyPilot or PiKVM serve as physical keyboard, video or mouse (KVM) over internet protocol (IP) solutions, allowing operatives to remotely control computers as if they were physically present. These small devices connect directly to a computer’s HDMI and USB ports, capturing video output and relaying user inputs. This hardware-based approach can bypass many software security measures and leave few traces.”

This very much impacts how Blue Teamers, Human Resources, and your marriage respond to the fact that you’re using one. I’ve lost so much sleep due to investigations relating to unauthorized use of these devices on company workstations, resulting in termination.


Enough doom and gloom… Let's get to the goods: how do you detect obfuscated TinyPilot/PiKVM devices? In my examples I will keep it rather Endpoint Detection and Response (EDR) vendor focused, on CrowdStrike. I’m sorry for hurting those that do not use CrowdStrike or no longer use CrowdStrike as of 19 July 2024.

During my review of USB events associated with the connection of an obfuscated PiKVM or TinyPilot to a workstation, I noted a recurring pattern in the event_simpleName labeled “DcUsbConfigurationDescriptor”.

This descriptor provides detailed information about the device’s capabilities and functionalities, such as power requirements and supported interfaces.

This event includes a field named “ConfigurationDescriptorName”, which consistently displayed the following for Raspberry Pi based HID devices:

PiKVM: 
"Config 1: PiKVM device"

TinyPilot:
"Config 1: ECM device" 

While the “DcUsbConfigurationDescriptor” event log does not provide an immediate or obvious link to the corresponding USB Connection event, this relationship can be established by leveraging the DeviceDescriptorSetHash and aid fields.

DeviceDescriptorSetHash is a unique identifier generated by hashing specific attributes of a USB device. These attributes typically include the device’s vendor ID, product ID, and serial number. Please know that this hash can be shared across multiple devices if the configuration is the same. It does not imply that it’s the same physical KVM device.

“AID” stands for “Agent ID.” This unique identifier is assigned to each endpoint where the Falcon sensor is installed.

These identifiers allow for effective correlation across the unique “DcUsb*” events that occur during the USB connection and disconnection process. I’m a visual person, so let's look at excessive usage of arrows…

On the left you have the DcUsbConfigurationDescriptor event and on the right you have the DcUsbDeviceConnected event. The device has been obfuscated and any environment-related details REDACTED or randomized (for security purposes). You can observe that the two events tie together well using the AID and DeviceDescriptorSetHash, allowing you to identify whether the device is obfuscated or stock. Hopefully this adjusts your policy enforcement posture, if all the other indicators and interviews prove to be innocent in nature.

It is worth noting that we’ve seen the “Config 1:*” numeric value change, so in our query you’ll see /Config [0-9]: */i

An example query you can run within CrowdStrike is:

#event_simpleName = "DcUsbConfigurationDescriptor" OR #event_simpleName = "DcUsbHIDDescriptor" OR #event_simpleName = "DcUsbDeviceConnected"
| join({#event_simpleName = "DcUsbConfigurationDescriptor" ConfigurationDescriptorName=/Config [0-9]: */i}, field=DeviceDescriptorSetHash, key=DeviceDescriptorSetHash)
| (#event_simpleName = "DcUsbDeviceConnected" OR #event_simpleName = "DcUsbConfigurationDescriptor") 
| groupby(field=[DeviceDescriptorSetHash], function=[collect([ComputerName, aid, ConfigurationDescriptorName, DeviceManufacturer, DeviceProduct, DeviceSerialNumber, DevicePropertyDeviceDescription, #event_simpleName]), selectLast([@timestamp])])
| table([@timestamp, ComputerName, aid, ConfigurationDescriptorName, DeviceManufacturer, DeviceProduct, DeviceSerialNumber, DevicePropertyDeviceDescription, DeviceDescriptorSetHash, #event_simpleName])

While this is typically high fidelity, you’ll need to use your noodle to ascertain if the device identified is a PiKVM, TinyPilot, or some hacked together maybe Raspberry Pi based HID device.


Another thing to consider, while looking at the raw event log of DcUsbConfigurationDescriptor:

{
  "event_simpleName": "DcUsbConfigurationDescriptor",
  "ConfigurationDescriptorValue": "1",
  "ConfigurationDescriptorAttributes": "128",
  "ConfigStateHash": "1263837413",
  "DeviceDescriptorUniqueIdentifier": "9ecffe5d6eb2255177e1d503abb374f314f384a3378121c81f41e3bf7bf3a343",
  "aip": "REDACTED",
  "ConfigurationDescriptorName": "Config 1: PiKVM device",
  "DeviceTimeStamp": "REDACTED",
  "DeviceDescriptorSetHash": "b3bed53b9e5cefd52a5485d5acb89ce5a3909f1eb0065de0bd8ad5ecf7d33fbd",
  "ConfigBuild": "REDACTED",
  "ConfigurationDescriptorNumInterfaces": "2",
  "event_platform": "Win",
  "ConfigurationDescriptorMaxPowerDraw": "125",
  "Entitlements": "15",
  "name": "DcUsbConfigurationDescriptorV2",
  "EventOrigin": "17",
  "id": "REDACTED",
  "EffectiveTransmissionClass": "2",
  "aid": "de66a33bfceaabf46ba4ddbebefb8beb",
  "timestamp": "REDACTED",
  "cid": "REDACTED"
}

ConfigurationDescriptorNumInterfaces announces how many Interfaces the USB device is supporting:

"ConfigurationDescriptorNumInterfaces": "2",

ConfigurationDescriptorMaxPowerDraw also provides the power draw (in milliamps or “mA”) the device will need.

"ConfigurationDescriptorMaxPowerDraw": "125",

Please note that USB 2.0 specification maximum for a single device is 500 milliamps and USB 3.x devices can request up to 900 milliamps.

Combining these two values with device types that should never have (for example) 5 interfaces or need 250 mA can lead to some unique finds.
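The join and the descriptor sanity check described above, carried out offline as an added Python example (mine, not the author's or CrowdStrike's code): it groups DcUsbConfigurationDescriptor and DcUsbDeviceConnected events by (aid, DeviceDescriptorSetHash) the way the LogScale query does, keeps only descriptor names that match the KVM patterns from this page, then calls a pairing "stock" when the connection event names a KVM vendor and "obfuscated" when it claims to be something else, and annotates claims that do not fit their interface count or power draw. The events are constructed: field names follow the raw event above and the PiKVM values come from it, while the other hosts, aids and hashes are made up, and the per-class interface and milliamp ceilings are my assumed rules of thumb, not figures from the page.

```python
"""Correlate DcUsbConfigurationDescriptor with DcUsbDeviceConnected on (aid, DeviceDescriptorSetHash),
the way the LogScale query above joins them, then grade the result. Added example, not the
author's or CrowdStrike's code. Events are constructed: field names follow the raw event shown
on this page and the PiKVM values come from it; hosts, other aids and hashes are made up."""
import re
from collections import defaultdict

# Descriptor names from the indicator dump; the config number varies, hence [0-9]
KVM_CONFIG_RE = re.compile(r"Config [0-9]: |licheervnano|NanoKVM|Glinet", re.I)
# Vendor strings a stock (non-obfuscated) KVM presents in the connection event
KVM_VENDOR_RE = re.compile(r"PiKVM|tinypilot|GLKVM|Glinet|JetKVM|sipeed|NanoKVM|BliKVM", re.I)
# Assumed rules of thumb for the sanity check the text suggests: (max interfaces, max mA)
# a device of that class plausibly needs. These ceilings are not from the page.
CLASS_LIMITS = {"keyboard": (3, 100), "mouse": (2, 100), "receiver": (3, 100)}


def correlate(events):
    """Group both event types by the key the query joins on."""
    by_key = defaultdict(lambda: {"descriptor": None, "connected": []})
    for ev in events:
        key = (ev["aid"], ev["DeviceDescriptorSetHash"])
        if ev["event_simpleName"] == "DcUsbConfigurationDescriptor":
            by_key[key]["descriptor"] = ev
        elif ev["event_simpleName"] == "DcUsbDeviceConnected":
            by_key[key]["connected"].append(ev)
    return by_key


def classify(desc, conn):
    """Return a finding when the descriptor name is a KVM one, else None."""
    name = desc.get("ConfigurationDescriptorName", "")
    if not KVM_CONFIG_RE.search(name):
        return None
    claimed = f'{conn.get("DeviceManufacturer", "")} {conn.get("DeviceProduct", "")}'.strip()
    verdict = "stock" if KVM_VENDOR_RE.search(claimed) else "obfuscated"
    n_if = int(desc.get("ConfigurationDescriptorNumInterfaces", 0))
    power = int(desc.get("ConfigurationDescriptorMaxPowerDraw", 0))
    notes = []
    for word, (max_if, max_ma) in CLASS_LIMITS.items():
        if word in claimed.lower():
            if n_if > max_if:
                notes.append(f"{n_if} interfaces is a lot for a {word}")
            if power > max_ma:
                notes.append(f"{power} mA is a lot for a {word}")
    return {"verdict": verdict, "config_name": name, "claimed": claimed,
            "interfaces": n_if, "max_power_ma": power, "notes": notes}


def hunt(events):
    findings = []
    for (aid, h), pair in correlate(events).items():
        desc = pair["descriptor"]
        if desc is None or not pair["connected"]:
            continue                      # only one side of the join seen for this hash on this host
        for conn in pair["connected"]:
            f = classify(desc, conn)
            if f:
                f.update(aid=aid, DeviceDescriptorSetHash=h, ComputerName=conn.get("ComputerName"))
                findings.append(f)
    return findings


EVENTS = [  # constructed sensor events
    {"event_simpleName": "DcUsbConfigurationDescriptor", "aid": "de66a33bfceaabf46ba4ddbebefb8beb",
     "DeviceDescriptorSetHash": "b3bed53b9e5cefd52a5485d5acb89ce5a3909f1eb0065de0bd8ad5ecf7d33fbd",
     "ConfigurationDescriptorName": "Config 1: PiKVM device",
     "ConfigurationDescriptorNumInterfaces": "2", "ConfigurationDescriptorMaxPowerDraw": "125"},
    {"event_simpleName": "DcUsbDeviceConnected", "aid": "de66a33bfceaabf46ba4ddbebefb8beb",
     "DeviceDescriptorSetHash": "b3bed53b9e5cefd52a5485d5acb89ce5a3909f1eb0065de0bd8ad5ecf7d33fbd",
     "ComputerName": "WS-ACCOUNTING-07", "DeviceManufacturer": "PiKVM", "DeviceProduct": "Composite KVM Device"},
    {"event_simpleName": "DcUsbConfigurationDescriptor", "aid": "aid-B", "DeviceDescriptorSetHash": "hash-B",
     "ConfigurationDescriptorName": "Glinet device",
     "ConfigurationDescriptorNumInterfaces": "7", "ConfigurationDescriptorMaxPowerDraw": "125"},
    {"event_simpleName": "DcUsbDeviceConnected", "aid": "aid-B", "DeviceDescriptorSetHash": "hash-B",
     "ComputerName": "WS-SALES-12", "DeviceManufacturer": "Logitech Inc",
     "DeviceProduct": "Logitech, Inc. Unifying Receiver"},
    {"event_simpleName": "DcUsbConfigurationDescriptor", "aid": "aid-C", "DeviceDescriptorSetHash": "hash-C",
     "ConfigurationDescriptorName": "", "ConfigurationDescriptorNumInterfaces": "1",
     "ConfigurationDescriptorMaxPowerDraw": "100"},
    {"event_simpleName": "DcUsbDeviceConnected", "aid": "aid-C", "DeviceDescriptorSetHash": "hash-C",
     "ComputerName": "WS-ENG-03", "DeviceManufacturer": "Kingston", "DeviceProduct": "DataTraveler 3.0"},
    {"event_simpleName": "DcUsbConfigurationDescriptor", "aid": "aid-D", "DeviceDescriptorSetHash": "hash-D",
     "ConfigurationDescriptorName": "Config 2: PiKVM device",
     "ConfigurationDescriptorNumInterfaces": "3", "ConfigurationDescriptorMaxPowerDraw": "125"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The last descriptor has no matching connection event and is dropped, which is the same blind spot the query has: a DeviceDescriptorSetHash is only as useful as the events you retain on both sides of the join, and because the hash is shared by every device with the same descriptors, a finding identifies a device configuration on a host, not a particular physical unit.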


Other things to look for could be the HDMI connection itself. You can run the following PowerShell command (via RTR to the endpoint) to look for this:

Get-CimInstance -Namespace root\wmi -ClassName WmiMonitorID

This should output something similar to:

WmiMonitorID (InstanceName = "DISPLAY\LNX7770\REDACTED")

Specifically we’re looking for “LNX777#”, the indicator for a Linux monitor, which the PiKVM and TinyPilot default to for the HDMI connection.

However.gif: this can be obfuscated and should only be used to validate which parts of the device connection events are or are not obfuscated.


Please don’t use a PiKVM/TinyPilot on your work computer. You will probably get terminated. Just know, I still love you.

I like South Korean barbecue better than North Korean barbecue.

wav3@infosec.exchange