Limitations
Take into consideration that VendorID and ProductID can be spoofed natively by the Rubber Ducky.
The following IDs are the default ones.
Device Instance Path
Using ATTACKMODE HID:
HID\VID_03EB&PID_2401&REV_0100
Using ATTACKMODE HID STORAGE:
HID\VID_03EB&PID_2422&REV_0100
VendorID
03EB
Atmel Corp.
ProductID
Using ATTACKMODE HID:
2401
Using ATTACKMODE HID STORAGE:
2422
Alternate firmware:
2403
DFU bootloader:
2FF6
Note: the 2022 USB-C Rubber Ducky model uses a closed firmware with no public teardown, so its chipset and default ID are unknown.
Class
HID (or HID + Mass Storage)
Author
@enesilhaydin
@_ezlucky_
Sigma Rules
title: Hak5 Rubber Ducky USB Device Connected
id: 3ee76c5b-08e1-466a-be7b-d1e94ffcb617
status: experimental
description: Detects a Hak5 Rubber Ducky by its default USB VID/PID. These identifiers can be spoofed, so treat this as an indicator.
references:
- https://lothardware.com.tr/hak5-rubber-ducky/
author: '@enesilhaydin'
date: 2026/06/22
logsource:
product: windows
service: security
detection:
selection:
EventID: 6416
DeviceId|contains: 'VID_03EB&PID_2401'
condition: selection
falsepositives:
- Unrelated hardware sharing the same controller VID/PID
level: medium
tags:
- attack.initial_access
- attack.t1200
Requires Windows Audit PNP Activity (Security Event 6416).