Device Instance Path
VCP / serial:
USB\VID_0483&PID_5740
DFU:
USB\VID_0483&PID_DF11
Important: in BadUSB mode the Flipper Zero DEFAULTS to spoofing a Logitech keyboard, so 0483:5740 will NOT appear during a BadUSB attack. The spoofed identity is:
USB\VID_046D&PID_C529
VendorID
0483
STMicroelectronics (reused; the Flipper uses an STM32, so this VID is not Flipper-specific).
ProductID
VCP / serial:
5740
DFU:
DF11
BadUSB default (spoofed via Logitech VID 046D):
C529
Class
CDC Serial / HID (BadUSB) / Composite
Author
@enesilhaydin
Sigma Rules
title: Flipper Zero USB Device Connected
id: e3162e1f-82c8-411c-9b8d-f4b835b94a75
status: experimental
description: Detects a Flipper Zero by its default USB VID/PID. These identifiers can be spoofed, so treat this as an indicator.
references:
- https://lothardware.com.tr/flipper-zero/
author: '@enesilhaydin'
date: 2026/06/22
logsource:
product: windows
service: security
detection:
selection:
EventID: 6416
DeviceId|contains: 'VID_0483&PID_5740'
selection_badusb:
EventID: 6416
DeviceId|contains: 'VID_046D&PID_C529'
condition: selection or selection_badusb
falsepositives:
- Unrelated hardware sharing the same controller VID/PID
level: medium
tags:
- attack.initial_access
- attack.t1200
Requires Windows Audit PNP Activity (Security Event 6416).
Links
1- https://flipperzero.one/
2- https://blog.grumpygoose.io/hunting-flipper-zero-db260274c45c