Security Awareness Training (SAT) tells us never to click a link in an email whose origin we don’t know. Sound advice. But have you ever wondered what actually happens when someone does click that link?
The vision is of imminent destruction, and the fear is that our systems will stop working for us and will instead start working for the attackers. Scary stuff.
When users understand what happens behind the scenes (and how clever it is), it might not be so embarrassing to quickly report an incident.
In this article, I’m going to get a little geeky. Mostly because I think it is brilliant how attackers work to circumvent protections and keep the user blissfully unaware of what’s actually happening.
Let’s look at how a link in an email works. Basically, there is a word or phrase in blue, or marked in some other way that says “click here.” If you hover your mouse over that phrase, you’ll see the address the link really points to; for a link in one of my emails, that would be my website.
What if that hyperlink pointed at a set of instructions instead of a web page? That is the premise of the attack. The visible text is the same either way, but while one link goes to my website, another may go to a script: bad.site.com\agent.script (again, a simple illustration here, not a real site).
That script could run basically anything the attacker wants it to.
Now, you might say, “But Shawn, I have antivirus and anti-malware on my system, and it is supposed to block bad things from happening.” And you are right.
However, what if the script’s first commands were to disable your protections?
Below is an excerpt from a real-life script. (It was a segment of a larger malicious script I came across, but this piece is not the malicious part.) I’m not going to explain this PowerShell command (mostly so you will keep reading), but understand that it is designed to disable detection software, in this case Microsoft Defender. 😲
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Attackers design these commands to cover as much ground as they can, so that they can do as much as possible before being detected. Only after the security applications are disabled, shut down, or kept busy with other work (such as searching a mountain of old system logs for a nonsense word like “goofawalabits”) does the actual malware appear.
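For the defender’s side of that one-liner, here is an added example (my own illustration, not code from the original script or from Microsoft) that checks a host for the exact settings the command flips and for the Defender configuration-change events that record them. It assumes a Windows 10/11 host running Microsoft Defender Antivirus and an elevated PowerShell session; the function name Test-DefenderTampering and the keyword list used to filter event messages are my own choices.

```powershell
# Added example: audit a host for the settings the Set-MpPreference one-liner changes.
# Assumes Windows 10/11 with Microsoft Defender Antivirus, run from an elevated session.
function Test-DefenderTampering {
    [CmdletBinding()]
    param([int]$MaxEvents = 50)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Current preferences: the switches the one-liner sets to $true.
    $pref = Get-MpPreference
    foreach ($name in 'DisableRealtimeMonitoring', 'DisableIntrusionPreventionSystem',
                      'DisableIOAVProtection', 'DisableScriptScanning') {
        if ($pref.$name) { $findings.Add("$name is True") }
    }
    # Get-MpPreference reports these two as numbers: MAPSReporting 0 = Disabled,
    # SubmitSamplesConsent 2 = NeverSend (the values the one-liner sets).
    if ($pref.MAPSReporting -eq 0)        { $findings.Add('MAPSReporting is Disabled (cloud protection off)') }
    if ($pref.SubmitSamplesConsent -eq 2) { $findings.Add('SubmitSamplesConsent is NeverSend') }
    # Controlled Folder Access and Network Protection are off by default on many
    # hosts, so they are not flagged here; compare them against your own baseline.

    # 2. Live engine state and whether Tamper Protection would have blocked the change.
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is not running') }
    if (-not $status.IsTamperProtected) {
        $findings.Add('Tamper Protection is off: Set-MpPreference changes are not blocked')
    }

    # 3. Event ID 5007 ("The antimalware platform configuration changed") in the
    # Defender operational log records the old and new value of each changed setting.
    # The keyword list below is an assumption about what the message text contains;
    # MAPS reporting is stored in the registry as SpynetReporting.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $keywords = 'DisableRealtimeMonitoring|DisableIOAVProtection|DisableScriptScanning|' +
                'DisableIntrusionPreventionSystem|SpynetReporting|SubmitSamplesConsent'
    foreach ($e in $events) {
        if ($e.Message -match $keywords) {
            $findings.Add("Config change at $($e.TimeCreated): $($e.Message -replace '\s+', ' ')")
        }
    }
    return $findings
}

$result = Test-DefenderTampering
if ($result.Count -eq 0) { 'No tampering indicators found.' } else { $result }
```

A clean host prints the “No tampering indicators found.” line; a host where the one-liner has run lists each flipped switch plus the 5007 events that recorded the change, which is exactly the signal a security team wants to see forwarded rather than sitting in a local log.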
The point of this article is to help users understand that when we click on a link, visit a non-reputable site, or try to close that pop-up ad, we risk something happening that we can neither see nor control. This is why your security team actively enforces things like the principle of least privilege, which limits what your account can do to your computer (the Set-MpPreference command above only works from an administrator session, and Tamper Protection exists to block it even then), and separation of duties, which keeps security-administration rights away from the everyday end-user account.
We all want safe computing. The more we know about what could happen and how the attackers do what they do, the more understanding we can be toward that “jerk” in IT security.
As always, if I can answer any questions, don’t hesitate to reach out!