Detecting Spoofed IPKVMs
Intro
The DPRK and over-employment enjoyers have made extensive use of IPKVMs to juggle access to multiple employers' networks while collecting a comfortable upper-middle-class salary. I have no qualms with the latter's behavior (as long as the work is being completed), but the use of an IPKVM starts to make the latter look like the former. There have been a few excellent posts 1 on detecting these devices on your network by searching for specific device names, serials, vendor IDs, and other identifiers. However, since all of these identifiers can be spoofed, and often are 2, I figured there must still be a reliable method for detection. That method is to leverage USB device classes.
Detection
USB device classes identify the function of a USB device (or of each interface on a composite device). You can find the list of USB device classes in the official USB-IF class code list 3. Unlike a product name or serial number, a class code cannot be changed without losing the function it describes: a device that wants to act as a keyboard or present virtual media must advertise the corresponding class, because that is what the host uses to select a driver. In order to hunt for IPKVMs, I have found that searching for USB devices that use codes 00h (base), 01h (audio), and 08h (mass storage) works very well. This combination has turned out to be relatively rare in the environment I am working in, but it definitely needs more testing in other environments. So far this approach has successfully found actual spoofed GL-iNet, PiKVM, and JetKVM devices.
You will need to generate a report of all devices that report this combination of device classes and investigate each result. You will likely encounter a number of legitimate devices, but after review and whitelisting this becomes a very high-fidelity detection. I highly suggest scrutinizing anything with a device name related to keyboards or mice that reports this combination of device classes. Additionally, some IPKVMs appear to report only as 00h and 08h. Because of this, scrutinizing anything that reports device class 00h AND 08h is a good idea, especially if its device name does not align with mass storage.
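The hunt described above, as an added example that is not part of the original post or of any EDR vendor's tooling. It collapses per-interface class events into one record per device, applies the 00h+01h+08h rule (raised to high severity when the device name looks like a keyboard or mouse), applies the weaker 00h+08h rule (weighted by whether the name aligns with mass storage), and drops anything on a reviewed allowlist. The event field names (host, vid, pid, serial, name, class) and the sample events are constructed assumptions; a real export from SentinelOne or CrowdStrike uses vendor-specific field names that must be mapped onto these first.

```python
"""Hunt for IPKVM-like USB devices by the combination of USB class codes they expose."""

# Class codes from the USB-IF defined class code list.
BASE = 0x00          # class is defined per interface (typical for composite devices)
AUDIO = 0x01
HID = 0x03
MASS_STORAGE = 0x08

# Constructed sample events, one per (device, interface class) observation.
# Field names and all identifiers are assumptions for this example, not real EDR output.
SAMPLE_EVENTS = [
    {"host": "ws-101", "vid": "1111", "pid": "0001", "serial": "ABC123", "name": "USB Keyboard", "class": BASE},
    {"host": "ws-101", "vid": "1111", "pid": "0001", "serial": "ABC123", "name": "USB Keyboard", "class": AUDIO},
    {"host": "ws-101", "vid": "1111", "pid": "0001", "serial": "ABC123", "name": "USB Keyboard", "class": MASS_STORAGE},
    {"host": "ws-102", "vid": "2222", "pid": "0002", "serial": "", "name": "Wireless Receiver", "class": BASE},
    {"host": "ws-102", "vid": "2222", "pid": "0002", "serial": "", "name": "Wireless Receiver", "class": HID},
    {"host": "ws-103", "vid": "3333", "pid": "0003", "serial": "4C530001", "name": "Ultra Fit USB Drive", "class": BASE},
    {"host": "ws-103", "vid": "3333", "pid": "0003", "serial": "4C530001", "name": "Ultra Fit USB Drive", "class": MASS_STORAGE},
    {"host": "ws-104", "vid": "4444", "pid": "0004", "serial": "KVM0001", "name": "Gaming Mouse", "class": BASE},
    {"host": "ws-104", "vid": "4444", "pid": "0004", "serial": "KVM0001", "name": "Gaming Mouse", "class": MASS_STORAGE},
    {"host": "ws-105", "vid": "5555", "pid": "0005", "serial": "HS9", "name": "USB Audio Headset", "class": AUDIO},
]

HID_WORDS = ("keyboard", "mouse", "hid")
STORAGE_WORDS = ("disk", "drive", "storage", "flash", "card reader", "ssd")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def group_devices(events):
    """Collapse per-interface events into one record per device.

    Device identity is (host, vid, pid, serial); the set of class codes seen
    across all of the device's interfaces is accumulated.
    """
    devices = {}
    for ev in events:
        key = (ev["host"], ev["vid"], ev["pid"], ev["serial"])
        rec = devices.setdefault(key, {"name": ev["name"], "classes": set()})
        rec["classes"].add(ev["class"])
    return devices


def classify(name, classes):
    """Apply the hunt rules to one device; return (severity, reason) or None."""
    n = name.lower()
    hid_named = any(w in n for w in HID_WORDS)
    storage_named = any(w in n for w in STORAGE_WORDS)
    if {BASE, AUDIO, MASS_STORAGE} <= classes:
        # The primary rule: base + audio + mass storage on one device.
        if hid_named:
            return ("high", "00h+01h+08h on a keyboard/mouse-named device")
        return ("medium", "00h+01h+08h combination")
    if {BASE, MASS_STORAGE} <= classes:
        # The weaker rule: base + mass storage, suspicious when the name is not storage-like.
        if not storage_named:
            return ("medium", "00h+08h on a device not named like mass storage")
        return ("low", "00h+08h on a storage-named device (review once, then allowlist)")
    return None


def hunt(events, allowlist=frozenset()):
    """Run the hunt over raw events; allowlist holds (vid, pid) pairs reviewed as benign."""
    findings = []
    for (host, vid, pid, serial), rec in group_devices(events).items():
        if (vid, pid) in allowlist:
            continue
        verdict = classify(rec["name"], rec["classes"])
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "host": host, "vid": vid, "pid": pid, "serial": serial, "name": rec["name"],
            "classes": sorted(f"{c:02x}h" for c in rec["classes"]),
            "severity": severity, "reason": reason,
        })
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"]))


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']} {f['vid']}:{f['pid']} {f['name']!r} {f['classes']} - {f['reason']}")
```

Grouping on serial as well as VID/PID is deliberate: a spoofed IPKVM may copy a real peripheral's VID/PID, so the allowlist is keyed only on (vid, pid) after a human has reviewed the device, while findings keep the serial and host so the same VID/PID showing up with a new serial on a different host is still surfaced.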
Conclusion and Logging
I will warn that this method has only been tested in one environment. I am currently using SentinelOne to retrieve USB device classes via Activities logs. These logs are included in the SentinelOne Splunk TA, which performs an API pull from SentinelOne. I am fairly certain CrowdStrike also reports this information, so check with your EDR vendor. I would love to hear feedback from anyone that tries this hunt out!