Social Engineering: USB Key Campaigns

USB Key Campaigns

USB key dropping is a social engineering tactic that can be used to obtain sensitive information or gain remote access to a human target’s computer. A social engineer or penetration tester may want to leverage USB key drops to raise security awareness, ensure adherence to security procedures, and improve defense strategies within an organization.
Typically, the attacker places a malicious file or executable onto the USB key and drops the key off in a high-traffic area, such as the breakroom. If someone finds the key and connects the device to their system, the malicious file runs automatically if the autorun feature is enabled, or it runs when the person clicks on the executable file. When the file runs, it delivers a payload that could potentially open a backdoor on the human target’s machine. If a session successfully opens on a victim’s machine, an attacker can take control of it to attack other machines on the network, capture data, and escalate privileges.
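
On the defensive side, the autorun path described above can be audited per host. The following is an added example, not part of the original page or of any product it describes: it decodes the Windows `NoDriveTypeAutoRun` policy value and reports whether AutoRun is blocked for removable drives. The function names are hypothetical. The policy covers only the autorun path, so a user who clicks the executable is not stopped by it.

```python
import sys

# A set bit in NoDriveTypeAutoRun disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "cdrom", 0x40: "ramdisk"}
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def read_policy(hive_name):
    """Read NoDriveTypeAutoRun from the named hive; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    hive = getattr(winreg, hive_name)  # e.g. "HKEY_LOCAL_MACHINE"
    try:
        with winreg.OpenKey(hive, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
    except OSError:
        return None
    # Older systems may store the value as REG_BINARY rather than REG_DWORD.
    if isinstance(value, bytes):
        return int.from_bytes(value, "little")
    return int(value)


def audit(hklm=None, hkcu=None):
    """Apply HKLM-over-HKCU precedence and list drive types still allowed to AutoRun."""
    mask = hklm if hklm is not None else hkcu
    if mask is None:
        # No policy configured: the operating system default applies.
        return {"mask": None, "removable_blocked": False, "allowed": None}
    allowed = sorted(name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit)
    return {"mask": mask, "removable_blocked": bool(mask & 0x04), "allowed": allowed}


if __name__ == "__main__":
    result = audit(read_policy("HKEY_LOCAL_MACHINE"), read_policy("HKEY_CURRENT_USER"))
    if result["mask"] is None:
        print("NoDriveTypeAutoRun is not set; OS default behaviour applies")
    else:
        state = "blocked" if result["removable_blocked"] else "NOT blocked"
        print(f"mask=0x{result['mask']:02X}: AutoRun on removable drives is {state}")
        print("AutoRun still allowed for:", ", ".join(result["allowed"]) or "none")
```

A mask of `0xFF` blocks AutoRun for every drive type; any mask with bit `0x04` clear leaves removable drives uncovered by the policy.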
To create a USB key drop, you need to set up a portable file campaign that contains an executable.