Be KVM, Do Fraud
Hi Everyone! It's me, your friendly Wav3. This is a continuation of Grumpy Goose Labs' coverage of KVM over IP devices in our posts Hold Me Closer, TinyPilot and Unemployfuscation, by the Greatest of Gooses, Jim, and myself. Today, we're working through some of the devices we've researched in relation to DPRK and Fraud IT Workers. While I cannot confirm nor deny the usage of these devices by DPRK specifically, I will meme it up like crazy for my boy Kim “Bussin Burgers” Jong Un.

As we've stated in our previous posts, there are a few items to consider when trying to detect malicious USB/HDMI/DisplayPort related devices. This post is aimed more at those of you who, if you know, you know.

Let's break down the objectives that we've laid out previously. We know that KVM over IP devices typically require the following connections:
- USB
- HDMI
- USB to HDMI
Also knowing that some of the devices are capable of both Line-In and Line-Out audio (Speaker and Microphone), there's a hook there we can leverage. HDMI connections are typically pretty interesting to look at, especially when most of these KVM over IP Device open source projects rely on 99% vibe coding.

We've already covered USB devices mostly, and now understanding all these HDMI related items, we can ask the following questions:
- What monitor are they using? Is Chet from Accounting on Team Liquid and using a 260hz refresh rate gaming monitor?
- What resolution are the monitors running at? Is Chet from Accounting using his gaming monitor at only 1080p for those quick flicks?
- What refresh rate is the monitor capable of and what is it currently running at? Is the 260hz capable ultra gaming monitor running at 30hz refresh rate?
- Is this monitor capable of audio? If it is, is it the only audio line-out source?
- What microphone is the workstation using?
So I assume because all these EDR tools have focused so hard on shoving as much AI in their products as possible, they have ignored gathering telemetry relating to HDMI/Display and Audio devices. SHAME.

So now you have to manually run scripts on each of your endpoints to gather data points such as:
- HDMI Connections
- Display Configurations
- Audio Devices
- Surrounding WIFI BSSID's
- Recent WIFI Connections
- Saved WIFI Profiles
BUT AI IS GREAT AND MADE MOST OF THESE PICTURES.
I would provide what I have, but then I'd expose my vibe coding and hatred of the worst ever thing ever conceived, powershell… There are also a number of ways to achieve this, but I don't want to turn this into a Security Architecture discussion. I'll just say that powershell will be 1000's of characters worth of script and macOS/Linux will be barely 100.
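The display fields in the indicator list further down (InstanceName, SerialNumberID, WeekOfManufacture, UserFriendlyName) are all decoded from the monitor's 128-byte EDID block, which Linux exposes under /sys/class/drm/*/edid. As an added example (not the author's collection script), this Python decodes those fields from raw EDID bytes and compares them with the default EDIDs listed on this page. The `review` function, its refresh-rate threshold and the constructed sample are assumptions of the example.

```python
import struct

# PNP vendor + product code of the default EDIDs listed on this page,
# e.g. InstanceName DISPLAY\TSB9876 -> "TSB9876".
KVM_DEFAULT_EDIDS = {"TSB9876", "TSB8801", "GLIC21C", "LTM3132", "VCS1145", "HJW0001"}

def parse_edid(edid: bytes) -> dict:
    """Decode the identity fields of a 128-byte EDID base block."""
    if len(edid) < 128 or edid[:8] != b"\x00\xff\xff\xff\xff\xff\xff\x00":
        raise ValueError("not an EDID base block")
    if sum(edid[:128]) % 256:
        raise ValueError("bad EDID checksum")
    (vendor_bits,) = struct.unpack_from(">H", edid, 8)    # three 5-bit letters
    product, serial, week, year = struct.unpack_from("<HIBB", edid, 10)
    vendor = "".join(chr(64 + ((vendor_bits >> s) & 0x1F)) for s in (10, 5, 0))
    info = {"id": f"{vendor}{product:04X}", "serial": serial, "week": week,
            "year": 1990 + year, "name": None, "max_vertical_hz": None}
    for off in range(54, 126, 18):                        # four 18-byte descriptors
        d = edid[off:off + 18]
        if d[:3] != b"\x00\x00\x00":
            continue                                      # detailed timing block
        if d[3] == 0xFC:                                  # monitor name
            info["name"] = d[5:18].split(b"\n")[0].decode("ascii", "replace").strip()
        elif d[3] == 0xFD:                                # range limits
            info["max_vertical_hz"] = d[6]
    return info

def review(info: dict, current_hz: int) -> list:
    """Reasons a display deserves a second look (the threshold is an assumption)."""
    reasons = []
    if info["id"] in KVM_DEFAULT_EDIDS:
        reasons.append("known_kvm_edid")
    if info["max_vertical_hz"] and current_hz * 2 <= info["max_vertical_hz"]:
        reasons.append("running_well_below_max_refresh")
    return reasons

def sample_edid() -> bytes:
    """Constructed sample using the TinyPilot values on this page; the 60 Hz
    range limit is an assumed value, and this is not a captured EDID."""
    e = bytearray(128)
    e[0:8] = b"\x00\xff\xff\xff\xff\xff\xff\x00"
    struct.pack_into(">H", e, 8, (20 << 10) | (19 << 5) | 2)      # "TSB"
    struct.pack_into("<HIBB", e, 10, 0x9876, 2290649088, 45, 2020 - 1990)
    e[54:72] = b"\x00\x00\x00\xfc\x00" + b"TinyPilot\n".ljust(13)
    e[72:90] = b"\x00\x00\x00\xfd\x00" + bytes([24, 60]) + bytes(11)
    e[127] = -sum(e) % 256
    return bytes(e)
```

The numeric SerialNumberID 2290649088 is the little-endian 32-bit serial field at EDID bytes 12-15 (0x88888800).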
Let's just jump into the fun stuff:
Here's an updated CrowdStrike query to hunt for KVM over IP devices using my previous ConfigurationDescriptorName method. Maybe get fancy and add ConfigurationDescriptorNumInterfaces, ConfigurationDescriptorMaxPowerDraw, DeviceInstanceId…
```
#event_simpleName = "DcUsbConfigurationDescriptor" OR #event_simpleName = "DcUsbHIDDescriptor" OR #event_simpleName = /DcUsb/i
| join({#event_simpleName = "DcUsbConfigurationDescriptor" (ConfigurationDescriptorName=/Config [0-9]: */i OR ConfigurationDescriptorName=/licheervnano/i OR ConfigurationDescriptorName=/NanoKVM/i OR ConfigurationDescriptorName=/Glinet/i)}, field=DeviceDescriptorSetHash, key=DeviceDescriptorSetHash)
| (#event_simpleName = /DcUsb/i OR #event_simpleName = "DcUsbConfigurationDescriptor")
| groupBy(field=[ComputerName, DeviceDescriptorSetHash], function=[collect([ComputerName, aid, ConfigurationDescriptorName, DeviceManufacturer, DeviceProduct, DeviceSerialNumber, DevicePropertyDeviceDescription, #event_simpleName]), selectLast([@timestamp])])
| table([@timestamp, ComputerName, aid, ConfigurationDescriptorName, DeviceManufacturer, DeviceProduct, DeviceSerialNumber, DevicePropertyDeviceDescription, DeviceDescriptorSetHash, #event_simpleName])
```
We've been busy obtaining indicators for KVM over IP devices for the following:
- Audio Device
- USB Display
- Display Resolution
- Display Refresh Rate
So here's a dump of the following KVM over IP devices that we've reviewed (there are more that are not listed here, but good luck):
- PiKVM
- TinyPilot
- BliKVM (hot garbage award)
- Openterface (not technically over IP, also hot garbage)
- NanoKVM
- JetKVM
This will only cover default settings that the user can toggle in the settings menus. This information is from the latest device firmware (as of NOV 2025).
KVM Over IP Indicators
PiKVM
Observed OUI:
28:CD:C1
2C:CF:67
88:A2:9E
8C:1F:64:34:A
D8:3A:DD
DC:A6:32
E4:5F:01
F0:40:AF:9
DEFAULT #1
ConfigurationDescriptorName: Config 1: PiKVM
DeviceManufacturer: PiKVM
DeviceProduct: Composite KVM Device
DeviceSerialNumber: CAFEBABE
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 125
ConfigurationDescriptorNumInterfaces: 3
DeviceInstanceId: USB\VID_1D68&PID_0104\CAFEBABE
DEFAULT #2
ConfigurationDescriptorName:
DeviceManufacturer: PiKVM
DeviceProduct: PiKVM Composite Device
DeviceSerialNumber: CAFEBABE
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw:
ConfigurationDescriptorNumInterfaces:
DeviceInstanceId: USB\VID_1D68&PID_0104\CAFEBABE
TinyPilot Voyager 2A
Observed OUI: D8:3A:DD
DEFAULT
ConfigurationDescriptorName: Config 1: ECM network
DeviceManufacturer: tinypilot
DeviceProduct: Multifunction USB Device
DeviceSerialNumber: 6b65796d696d6570690
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 125
ConfigurationDescriptorNumInterfaces: 2
ConfigurationDescriptorNumInterfaces (w/CDROM): 2
DeviceInstanceId: USB\VID_1D6B&PID_0104\6b65796d696d6570690
HDMI Default EDID - Toshiba
InstanceName: DISPLAY\TSB9876
ManufacturerName: TSB
SerialNumberID: 2290649088
UserFriendlyName: TinyPilot
WeekOfManufacture: 45
YearOfManufacturer: 2020
VideoModeDescription: 1920 x 1080
CurrentRefreshRate: 30
Audio Devices
TinyPilot (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
Connector (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
GLiNET Comet
Observed OUI: 94:83:C4
DEFAULT
*NOTE v1.3.0
ConfigurationDescriptorName: Config 1: GLKVM device
DeviceManufacturer: GLKVM
DeviceProduct: Composite KVM Device
DeviceSerialNumber: CAFEBABE
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 125
ConfigurationDescriptorNumInterfaces: 4
DeviceInstanceId: USB\VID_1D6B&PID_0104\CAFEBABE
*NOTE v1.5.0
ConfigurationDescriptorName: Glinet device
DeviceManufacturer: Glinet
DeviceProduct: Composite KVM Device
DeviceSerialNumber: CAFEBABE
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 125
ConfigurationDescriptorNumInterfaces: 5
ConfigurationDescriptorNumInterfaces (enabling microphone/speakers): 7
DeviceInstanceId: USB\VID_1D6B&PID_0104\CAFEBABE
HDMI Default EDID - GLiNet
InstanceName: DISPLAY\GLIC21C
ManufacturerName: GLI
SerialNumberID: 891247
UserFriendlyName: GLIKVM
WeekOfManufacture: 8
YearOfManufacturer: 2021
VideoModeDescription: 2560 x 1440
CurrentRefreshRate: 59
Audio Devices
GLKVM (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
Microphone (Source/Sink)) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
Builtin Obfuscation #1 - 1080P ASUS + Logitech Inc Keyboard
*NOTE v1.5.0
ConfigurationDescriptorName: Glinet device
DeviceManufacturer: Logitech Inc
DeviceProduct: Logitech, Inc. Unifying Receiver
DeviceSerialNumber: CAFEBABE
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 125
ConfigurationDescriptorNumInterfaces: 7
DeviceInstanceId: USB\VID_046D&PID_C526\CAFEBABE
HDMI ASUS EDID -
InstanceName: DISPLAY\AUS24B2
ManufacturerName: AUS
SerialNumberID: L8LMQS075392
UserFriendlyName: ROG PG248Q
WeekOfManufacture: 33
YearOfManufacturer: 2020
VideoModeDescription: 1920 x 1080
CurrentRefreshRate: 60
Audio Devices
ROG PG248Q (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
Microphone (Source/Sink)) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
Builtin Obfuscation #2 - 2k ViewSonic + Corsair Gaming RGB
*NOTE v1.5.0
ConfigurationDescriptorName: Glinet device
DeviceManufacturer: Corsair
DeviceProduct: Corsair Gaming RGB
DeviceSerialNumber: CAFEBABE
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 125
ConfigurationDescriptorNumInterfaces: 7
DeviceInstanceId: USB\VID_6940&PID_6973\CAFEBABE
HDMI ViewSonic EDID -
InstanceName: DISPLAY\VSC2F34
ManufacturerName: VSC
SerialNumberID: UYL203620714
UserFriendlyName: VX2478-2
WeekOfManufacture: 36
YearOfManufacturer: 2020
VideoModeDescription: 2560 x 1440
CurrentRefreshRate: 59
Audio Devices
VX2478-2 (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
Microphone (Source/Sink)) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
Builtin Obfuscation #3 - 4K GLIKVM + DELL Keyboard
*NOTE v1.5.0
ConfigurationDescriptorName: Glinet device
DeviceManufacturer: Dell Inc
DeviceProduct: Dell Computer Corp. Multimedia Pro Keyboard
DeviceSerialNumber: CAFEBABE
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 125
ConfigurationDescriptorNumInterfaces: 7
DeviceInstanceId: USB\VID_413C&PID_2011\CAFEBABE
HDMI ViewSonic EDID -
InstanceName: DISPLAY\LTM3132
ManufacturerName: LTM
SerialNumberID: 2290649088
UserFriendlyName: Lontium semi
WeekOfManufacture: 32
YearOfManufacturer: 2020
VideoModeDescription: 3840 x 2160
CurrentRefreshRate: 30
Audio Devices
Lontium semi (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
Microphone (Source/Sink)) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
Builtin Obfuscation #4 - Microsoft Wireless Keyboard ONLY
*NOTE v1.5.0
ConfigurationDescriptorName: Glinet device
DeviceManufacturer: Microsoft Corporation
DeviceProduct: Microsoft Corporation Wireless Multimedia Keyboard
DeviceSerialNumber: CAFEBABE
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 125
ConfigurationDescriptorNumInterfaces: 7
DeviceInstanceId: USB\VID_045E&PID_005F\CAFEBABE
JetKVM - APP 0.4.8 System 0.2.5
Observed OUI: 80:34:28
DEFAULT
ConfigurationDescriptorName: Config 1: HID
DeviceManufacturer: JetKVM
DeviceProduct: JetKVM USB Emulation Device
DeviceSerialNumber:
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 125
ConfigurationDescriptorNumInterfaces: 4
DeviceInstanceId: USB\VID_1D6B&PID_0104\CAFEBABE
HDMI Default EDID
InstanceName: DISPLAY\TSB8801
ManufacturerName: TSB
SerialNumberID: 2290649088
UserFriendlyName: T749-fHD720
WeekOfManufacture: 28
YearOfManufacturer: 2011
VideoModeDescription: 1920 x 1080
CurrentRefreshRate: 60
Audio Devices
T749-fHD720 (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
HDMI Default EDID Obfuscation 1: Acer B246WL, 1920x1200
InstanceName: DISPLAY\ACR0565
ManufacturerName: ACR
SerialNumberID: T8NEE0038522
UserFriendlyName: B246WL
WeekOfManufacture: 16
YearOfManufacturer: 2020
VideoModeDescription: 1920 x 1080
CurrentRefreshRate: 60
Audio Devices
NONE OBSERVED
HDMI Default EDID Obfuscation 2: ASUS PA248QV 1920x1200
InstanceName: DISPLAY\AUS2487
ManufacturerName: AUS
SerialNumberID: M1LMQS052157
UserFriendlyName: PA248QV
WeekOfManufacture: 2
YearOfManufacturer: 2021
VideoModeDescription: 1920 x 1080
CurrentRefreshRate: 60
Audio Devices
PA248QV (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
HDMI Default EDID Obfuscation 3: D2721H, 1920x1080
InstanceName: DISPLAY\DEL2013
ManufacturerName: DEL
SerialNumberID: 3S5GQ23
UserFriendlyName: DELL D2721H
WeekOfManufacture: 32
YearOfManufacturer: 2020
VideoModeDescription: 1920 x 1080
CurrentRefreshRate: 60
Audio Devices
NONE OBSERVED
HDMI Default EDID Obfuscation 4: DELL iDrac EDID 1280x1024
InstanceName: DISPLAY\DEL0001
ManufacturerName: DEL
SerialNumberID: 0000000000000
UserFriendlyName: DELL IDRAC
WeekOfManufacture: 1
YearOfManufacturer: 2007
VideoModeDescription: 1280 x 1024
CurrentRefreshRate: 60
Audio Devices
NONE OBSERVED
NanoKVM - Application v2.2.0 and v2.2.9
Observed OUI: 48:DA:35:60:*
DEFAULT
ConfigurationDescriptorName: NanoKVM
DeviceManufacturer: sipeed
DeviceProduct: NanoKVM
DeviceSerialNumber: 0123456789ABCDEF
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 60
ConfigurationDescriptorNumInterfaces: 6
DeviceInstanceId: USB\VID_3346&PID_1009\0123456789ABCDEF
HDMI Default EDID
InstanceName: DISPLAY\VCS1145
ManufacturerName: VCS
SerialNumberID: 4527409
UserFriendlyName: Connector
WeekOfManufacture: 0
YearOfManufacturer: 2021
VideoModeDescription: 1920 x 1080
CurrentRefreshRate: 60
Audio Devices
Connector (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
HID-ONLY Mode (only serial number removed)
ConfigurationDescriptorName: NanoKVM
DeviceManufacturer: sipeed
DeviceProduct: NanoKVM
DeviceSerialNumber:
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 60
ConfigurationDescriptorNumInterfaces: 6
DeviceInstanceId: USB\VID_3346&PID_1009\0123456789ABCDEF
Openterface
Observed OUI: N/A
DEFAULT
ConfigurationDescriptorName:
DeviceManufacturer: WWW.WCH.CN
DeviceProduct: WCH UART TO KB-MS_V1.8
DeviceSerialNumber: 2019B152ED98
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 50
ConfigurationDescriptorNumInterfaces: 4
DeviceInstanceId: USB\VID_1A86&PID_E329\2019B152ED98
HDMI Default EDID -
InstanceName: DISPLAY\HJW0001
ManufacturerName: HJW
SerialNumberID: 1
UserFriendlyName: HD TO USB
WeekOfManufacture: 1
YearOfManufacturer: 2019
VideoModeDescription: 1920 x 1080
CurrentRefreshRate: 60
Audio Devices
HD TO USB (#- HD Audio Driver for Display Audio) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}.*
BliKVM - v2.2.1-alpha
Observed OUI: 12:00:0f:*
DEFAULT
ConfigurationDescriptorName: Config 1: ECM network
DeviceManufacturer: BliKVM
DeviceProduct: Multifunction
DeviceSerialNumber: 6b65796d696d6570690
DevicePropertyDeviceDescription: USB Composite Device
ConfigurationDescriptorMaxPowerDraw: 125
ConfigurationDescriptorNumInterfaces: 4
DeviceInstanceId: USB\VID_1D6B&PID_0106\6b65796d696d6570690
HDMI Default EDID
InstanceName: DISPLAY\HJW0001
ManufacturerName: HJW
SerialNumberID: 1
UserFriendlyName: HDMI TO USB
WeekOfManufacture: 1
YearOfManufacturer: 2019
VideoModeDescription: 1920 x 1080
CurrentRefreshRate: 60
Using the above, you can hunt for devices to your heart's desire, make educated correlations, contribute data points to risk analytics, etc. One interesting point to note: any device that allows for a microphone will mount a “Microphone (Source/Sink)) DeviceID = SWD\MMDEVAPI\{0.0.0.00000000}” device and an Audio Device associated with the obfuscated Display EDID.
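One way to turn the USB indicators above into a check over collected descriptor records, as an added example that is not the author's tooling. The field names and indicator values come from the list above; `usb_findings`, its finding labels and the BENIGN record are assumptions of the example.

```python
import re

# Indicator values below are copied from the device list on this page.
KVM_CONFIG_NAME = re.compile(r"Config [0-9]: |licheervnano|NanoKVM|Glinet", re.I)
KVM_MAKERS = {"pikvm", "tinypilot", "glkvm", "glinet", "jetkvm", "sipeed", "blikvm"}
PLACEHOLDER_SERIALS = {"CAFEBABE", "0123456789ABCDEF", "6B65796D696D6570690"}
KVM_VID_PID = {"1D68:0104", "1D6B:0104", "1D6B:0106", "3346:1009", "1A86:E329"}
INSTANCE_ID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.I)

def usb_findings(rec: dict) -> list:
    """Return the page's USB indicators that a descriptor record matches."""
    hits = []
    m = INSTANCE_ID.search(rec.get("DeviceInstanceId", ""))
    vid_pid = f"{m[1]}:{m[2]}".upper() if m else ""
    # JetKVM and NanoKVM HID-only report an empty DeviceSerialNumber, but the
    # serial still shows up as the last element of DeviceInstanceId.
    serial = (rec.get("DeviceSerialNumber") or (m[3] if m else "")).upper()
    kvm_config = bool(KVM_CONFIG_NAME.search(rec.get("ConfigurationDescriptorName", "")))
    if kvm_config:
        hits.append("config_name")
    if serial in PLACEHOLDER_SERIALS:
        hits.append("placeholder_serial")
    if vid_pid in KVM_VID_PID:
        hits.append("vid_pid")
    # The GLiNET built-in obfuscation changes vendor strings and VID/PID but
    # keeps the configuration name, so that combination gets its own label.
    if kvm_config and rec.get("DeviceManufacturer", "").lower() not in KVM_MAKERS:
        hits.append("vendor_mismatch")
    return hits

# Records built from values on this page, except BENIGN, which is constructed.
GLINET_AS_LOGITECH = {
    "ConfigurationDescriptorName": "Glinet device",
    "DeviceManufacturer": "Logitech Inc",
    "DeviceSerialNumber": "CAFEBABE",
    "DeviceInstanceId": r"USB\VID_046D&PID_C526\CAFEBABE",
}
JETKVM_DEFAULT = {
    "ConfigurationDescriptorName": "Config 1: HID",
    "DeviceManufacturer": "JetKVM",
    "DeviceSerialNumber": "",
    "DeviceInstanceId": r"USB\VID_1D6B&PID_0104\CAFEBABE",
}
BENIGN = {
    "ConfigurationDescriptorName": "",
    "DeviceManufacturer": "Logitech",
    "DeviceSerialNumber": "",
    "DeviceInstanceId": r"USB\VID_046D&PID_C52B\6&2F1A9C3&0&4",
}
```

A `vendor_mismatch` hit on a "Config N:" name is a lead to review rather than a verdict, since the pattern itself is broad.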
Next up is focusing on network neighbors on the endpoint's local LAN. Please understand that some of the vendors behind these OUI's might also manufacture Travel Routers, etc. Brain is required when reviewing the output of the hunt query below. Also, credit to Jim:
```
#repo=base_sensor #event_simpleName=NeighborListIP4 ComputerName=*
"28-CD-C1" OR "2c-CF-67" OR "3A-35-41" OR "B8-27-EB" OR "D8-3A-DD" OR "DC-A6-32" OR "E4-5F-01" OR "80-34-28" OR "94-83-C4" OR "48-DA-35"
| in(name, values=[NeighborListIP4V2, NeighborListIP4MacV1])
| name match { "NeighborListIP4MacV1" => replace("([^|]|[^|]|[^|])|?", with="$1;", field=NeighborList); * => NeighborList := NeighborList;}
| NeighborListSplit := splitString(NeighborList, by=";")
| split(NeighborListSplit)
| NeighborListSplit != ""
| NeighborList := splitString(NeighborListSplit, by="|")
| neighbor_mac := NeighborList[0]
| neighbor_localAddressIp4 := NeighborList[1]
| router := NeighborList[2]
| neighborName := NeighborList[3]
| in(field="neighbor_mac", values=["28-CD-C1*", "2c-CF-67*", "3A-35-41*", "B8-27-EB*", "D8-3A-DD*", "DC-A6-32*", "E4-5F-01*", "80-34-28*", "94-83-C4*", "48-DA-35*"])
| groupBy([ComputerName, neighbor_localAddressIp4], function=([collect([neighbor_mac, neighbor_localAddressIp4]), count(neighbor_mac, distinct=true, as=distinct_mac_count)]))
| sort(distinct_mac_count, limit=20000)
```
Please note this is not inclusive of all OUI's listed in my data dump further up. Go nuts and add them in if you'd like.
Now wasn't that terrifying? Susan from HR went to a WeWork location with 50 raspberry pi's on the LAN and Chuck from Operations has 4 GLiNET devices for some reason and his surrounding SSID's look funny?
Well, like before, I love you peoples. Please don't mess around with these on your work laptops. No matter what the YouTubers say…

Be gay, do crime