[New WTFBin]: Windows USB Link-local IP addresses (169.254.0.0/16) on the host PC

knightwolfjk commented 2 years ago

Contributor Name: @RoboDoughnut
Application/Executable: Windows 10 (and other Windows flavors)
WTF Behavior Description: (h/t to @purp1ew0lf, his NDCC submission was inspiring)
- gives a [...] device connected to a host PC over USB a link-local IP address (169.254.0.0/16) on the host PC.
- If multiple [...] devices are connected to the same host PC they are all given unique link-local IP addresses.
- This allows one host PC to simultaneously communicate with any number of USB-connected [...] devices.
Link to Documentation of Behavior: USB NCM on Factory OS

mttaggart commented 2 years ago

@knightwolfjk, thank you so much for the submission! This is really interesting.

Beyond the Microsoft documentation, can you explain a little more about how this looks on the system, and why it appears malicious?

mttaggart commented 2 years ago

@knightwolfjk,

I'm closing this for now because I need additional details as to how it would appear to be malicious during threat hunting or incident response.

mttaggart / wtfbins