Esc
Malicious Link - T1204.001
(ATT&CK® Technique)
Definition
An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1204001["Malicious Link"] --> |accesses| URL["URL"]; class T1204001 OffensiveTechniqueNode;
class URL ArtifactNode; click URL href "/dao/artifact/d3f:URL";
click T1204001 href "/offensive-technique/attack/T1204.001/"; click URL href "/dao/artifact/d3f:URL"; T1204001["Malicious Link"] --> |produces| OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; class T1204001 OffensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode; click OutboundInternetWebTraffic href "/dao/artifact/d3f:OutboundInternetWebTraffic";
click T1204001 href "/offensive-technique/attack/T1204.001/"; click OutboundInternetWebTraffic href "/dao/artifact/d3f:OutboundInternetWebTraffic"; HomoglyphDetection["Homoglyph Detection"] -->
| analyzes | URL["URL"];
HomoglyphDetection["Homoglyph Detection"] -.->
| may-detect | T1204001["Malicious Link"] ;
class HomoglyphDetection DefensiveTechniqueNode;
class URL ArtifactNode;
click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; IdentifierActivityAnalysis["Identifier Activity Analysis"] -->
| analyzes | URL["URL"];
IdentifierActivityAnalysis["Identifier Activity Analysis"] -.->
| may-detect | T1204001["Malicious Link"] ;
class IdentifierActivityAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click IdentifierActivityAnalysis href "/technique/d3f:IdentifierActivityAnalysis"; URLAnalysis["URL Analysis"] -->
| analyzes | URL["URL"];
URLAnalysis["URL Analysis"] -.->
| may-detect | T1204001["Malicious Link"] ;
class URLAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click URLAnalysis href "/technique/d3f:URLAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1204001["Malicious Link"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; RelayPatternAnalysis["Relay Pattern Analysis"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
RelayPatternAnalysis["Relay Pattern Analysis"] -.->
| may-detect | T1204001["Malicious Link"] ;
class RelayPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1204001["Malicious Link"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1204001["Malicious Link"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1204001["Malicious Link"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1204001["Malicious Link"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1204001["Malicious Link"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1204001["Malicious Link"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1204001["Malicious Link"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; URLReputationAnalysis["URL Reputation Analysis"] -->
| analyzes | URL["URL"];
URLReputationAnalysis["URL Reputation Analysis"] -.->
| may-detect | T1204001["Malicious Link"] ;
class URLReputationAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click URLReputationAnalysis href "/technique/d3f:URLReputationAnalysis"; OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
| filters | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
OutboundTrafficFiltering["Outbound Traffic Filtering"] -.->
| may-isolate | T1204001["Malicious Link"] ;
class OutboundTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering";