Despite working in I.T. for many years, it was not until a few days ago that I learned you can modify the AM and PM symbols (text) displayed after the time in the Windows taskbar. Instantly I started thinking about ways to have fun with my co-workers using this new-found nugget of knowledge. Knowing that I would not have much time to execute the prank I reached into my desk drawer of mischief and grabbed one of my USB Rubber Ducks (https://shop.hak5.org/products/usb-rubber-ducky-deluxe).
The Ducky, when plugged into a computer gets recognized as a standard HID (Human Interface Device) keyboard, and automatically starts typing out its preconfigured payload at a blazing 1000 words-per-minute. Basically, any task that you can complete in 15 minutes using a keyboard can be completed in just a few seconds with the Ducky. The speed and simplicity of the Ducky made it the ideal means to carry out this prank.
Before I started running around causing havoc, I needed to work out the finer details. The first step was to find where the registry keys that I wanted to change were located. To accomplish this, I manually changed the AM/PM setting to something that I could easily search the systems registry for, such as “HereItIs”. This setting is found in the Control Panel’s “Clock and Region” setting.
From there I needed to click “Change data, time or number formats”,
then “Additional Settings…” and finally “Time”. From this tab, I changed both the AM and PM symbol setting to be my search text of “HereItIs”.
From this tab, I changed both the AM and PM symbol setting to be my search text of “HereItIs”.
With my search text now applied, I opened the Windows Registry and search for it. This led me to find the two keys (“s1159” for the AM setting and “s2359” for the PM) in HKEY_CURRENT_USER\Control Panel\International. A new search for “s1159” & “s2359” showed that I could also apply these changes system-wide, however that would require admin privileges and I was only interested in messing with the current logged on user.
Next was the task of scripting out the changes that I wanted to make. I found that this would be extremely easy to do PowerShell using the Set-ItemProperty cmdlet or its alias of “sp” to save a few nano seconds. I needed to run the command twice, once for s1159 and the second time for s2359, but with the use of the semicolon I could run them in a single line as follows (with the “Value” being the replacement text for AM and PM):
Set-ItemProperty -Path ‘HKCU:\Control Panel\International’ -Name s1159 -Value QUACK; Set-ItemProperty -Path ‘HKCU:\Control Panel\International’ -Name s2359 -Value QUACK
With the main task worked out I just needed to complete my Ducky script (adding a little house cleaning) and start having some fun. The resulting script was as follows:
REM The standard delay to make sure Windows loads the Ducky
REM Opens the run box
REM Runs the main payload
STRING Powershell Set-ItemProperty -Path ‘HKCU:\Control Panel\International’ -Name s1159 -Value QUACK; Set-ItemProperty -Path ‘HKCU:\Control Panel\International’ -Name s2359 -Value QUACK
REM Short delay to ensure the payload finishes
REM Removes all run history
STRING powershell Remove-ItemProperty -Path ‘HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU’ -Name ‘*’
While this payload was designed to be a fun prank to play on your co-workers, it can easily be used for more malicious purposes especially since many things get their time stamps from Windows. For example, you could replace AM/PM with “HACKED” and then a user would think that their mailbox was compromised, laying the groundwork for a more elaborate phishing/social engineering attack.
Of course, it can also be used for some very valid administrative task too. This prank serves as another reminder that you should never plug in an unknown USB sticks into a computer.