
My partner recently got given a work laptop, and if you try to put in a USB mass storage device you get an error saying it is not allowed. Without having administrator access, I assume this is via the group policy All Removable Storage Classes - Deny All Access.

This got me thinking about how to bypass this. Just to clarify, neither of us is interested in bypassing it on the specific work laptop; this is just me thinking about techniques to bypass the GPO in general as an academic exercise. I know there are other methods to transfer files to/from a system that uses this policy, so the question is not about how to transfer files in general, it is specifically about defeating this particular group policy.

My understanding is that the Windows USB host controller constantly scans USB ports to see if something is plugged in. When this happens it passes a request to the device driver to scan the bus and sends a request to the device to identify itself. The USB device has some sort of information about itself (vendor ID, product ID, version, device type, maybe some other things?) that it passes on to the device driver thereby identifying itself as a mass storage device, HID, printer etc.

So the GPO looks for a device which declares itself as a mass storage device and says "you can't access this". Using the work laptop as a case study, you can still plug in webcams, HID devices or a phone (to charge but not as a mass storage device).

This got me thinking:

  • is there a way to alter how a device declares itself to the operating system (and how)?
  • if so, is there a way to leverage some sort of protocol to then talk to it to allow the transfer of files (and what protocols/how)?

Or am I overthinking this and there is a much simpler approach I am overlooking?

EDIT: Just to clarify the last point about alternate approaches - I am looking for possible alternate ideas with regards to using a USB device. Privesc techniques, setting up a simple http server etc are outside the scope of what I'm after.
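As an added example from the administrator's side (not part of the original question), the PowerShell below reads the registry locations that the "Removable Storage Access" policies populate and lists the currently attached USB devices with their setup class. The point it illustrates is the one in the question: the policy keys off the device's setup class, so a `Deny_All` setting stops disk, CD/DVD, WPD and similar storage classes, while keyboards, webcams and printers enumerate normally. The registry path and value names (`Deny_All`, `Deny_Read`, `Deny_Write`, `Deny_Execute`) are the documented locations for these policies; nothing here alters any setting.

```powershell
# Added example (not from the original post): audit the removable-storage policy
# state and show which device classes are present on the USB bus.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStoragePolicy {
    # Deny_All = 1 under the parent key is what
    # "All Removable Storage classes: Deny all access" writes.
    # Per-class policies live in subkeys named by device setup class GUID
    # with Deny_Read / Deny_Write / Deny_Execute values.
    if (-not (Test-Path $policyKey)) {
        return [pscustomobject]@{ Configured = $false; DenyAll = $null; ClassSettings = @() }
    }

    $parent = Get-ItemProperty -Path $policyKey
    $classSettings = Get-ChildItem -Path $policyKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            ClassGuid = $_.PSChildName
            DenyRead  = $p.Deny_Read
            DenyWrite = $p.Deny_Write
            DenyExec  = $p.Deny_Execute
        }
    }

    [pscustomobject]@{
        Configured    = $true
        DenyAll       = $parent.Deny_All
        ClassSettings = @($classSettings)
    }
}

function Get-UsbDeviceClasses {
    # Present devices whose instance path is on the USB or USBSTOR bus, with the
    # setup class Windows assigned from the descriptors the device presented.
    # Storage classes (DiskDrive, CDROM, WPD) are the ones the policy governs;
    # HIDClass, Image (webcams), Printer etc. are not.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, Class, Status, InstanceId
}

# Usage
$policy = Get-RemovableStoragePolicy
if ($policy.Configured -and $policy.DenyAll -eq 1) {
    Write-Host 'Removable storage policy: Deny_All is set (all storage classes blocked).'
} elseif ($policy.Configured) {
    Write-Host 'Removable storage policy: per-class settings present:'
    $policy.ClassSettings | Format-Table -AutoSize
} else {
    Write-Host 'Removable storage policy: not configured in the machine policy key.'
}

Get-UsbDeviceClasses | Format-Table -AutoSize
```

Run it in an elevated or normal PowerShell session; reading these keys does not require administrator rights, so it is a quick way to confirm the question's assumption about which policy is in effect and to see that a blocked USB stick still enumerates on the USB bus (its USBSTOR child is what the policy refuses access to).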

2 Answers

is there a way to alter how a device declares itself to the operating system (and how)?

Yes, the storage device may say it's a printer, and Windows will talk to it as if it is a printer. This usually is accomplished by a specially crafted firmware (search for BadUSB, for instance).

if so, is there a way to leverage some sort of protocol to then talk to it to allow the transfer of files (and what protocols/how)?

Unless your device is a printer, it won't work because Windows will treat it as a printer, not as a USB drive. You could print the file and OCR it afterwards. Or you can create a microcontroller that identifies itself as a keyboard, and write a script that reads the files and encodes them in changes to the keyboard LEDs (NumLock, CapsLock and Scroll Lock).

Or am I overthinking this and there is a much simpler approach I am overlooking?

You can gain admin privileges and remove the restriction. There are several local privilege escalation attacks on Windows. Keep in mind that this is considered bypassing endpoint protection and can lead to employment termination in some companies.

  • Can you elaborate on the part about writing a script that changes the keyboard LEDs? I'm not really sure what you are getting at. Also, in regards to the last part of your post, I've just clarified the question a bit because that wasn't exactly what I was after. Commented Oct 27, 2023 at 1:34
  • Search for "data exfiltration keyboard led" and you can find a couple of examples.
    – ThoriumBR
    Commented Oct 27, 2023 at 11:03

Changing how a USB device identifies itself is easy, at least with microcontroller-based devices (you may have noticed that phones often have multiple options, such as charge only, mass storage, MTP, and modem; they do this by changing how they identify themselves). However, the OS will attach drivers specific to that particular (claimed) identity. If the device is spoofing its identity, it either needs to implement the protocol of the claimed device, or the driver will report an error.

Even if the driver connects successfully though, it won't be a driver for storage, it'll be a driver for a webcam or keyboard or whatever. The OS won't interact with it as a storage device, because in order to do that it would need to attach a storage driver, and it won't do that unless the device identifies itself as a storage device, and if it did then the policy would prohibit the OS from using it.

There are, of course, other ways to transfer data than via protocols explicitly intended for storage. A device claiming to be a combo printer/scanner could send files to the OS as scanned images, and receive them as printouts; in both cases the user would have to run software (scanner software, or a program that can print whatever file you want to transfer) that tells the OS to interact with the device, though; you couldn't just use Windows Explorer or other file browsers. However, on the device side, you could have firmware (running on the device's microcontroller) that e.g. automatically saves "printouts" as files on the storage that the device does, in fact, have.
