T1204.001: Malicious Link

Data from MITRE ATT&CK®:

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

File Creation (File)

Initial construction of a new file (ex: Sysmon EID 11)

Network Connection Creation (Network Traffic)

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Network Traffic Content (Network Traffic)

Logged network traffic data showing both protocol header and body values (ex: PCAP)

Suspicious Execution via macOS Script Editor

macos process creation

Symlink Etc Passwd

linux