An adversary may rely upon a user clicking a malicious link to gain execution. Users may be socially engineered into clicking a link that leads to code execution. This user action is typically observed as follow-on behavior from Spearphishing Link. Clicking a link may also lead to other execution techniques, such as exploitation of a browser or application vulnerability via Exploitation for Client Execution, or to the download of a file that must then be executed via Malicious File.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1204.001 | Malicious Link | This diagnostic statement provides for methods to block similar future attacks via security tools such as antivirus and IDS/IPS, giving protection against threats and exploitation attempts. |
DE.CM-01.05 | Website and service blocking | Mitigates | T1204.001 | Malicious Link | This diagnostic statement protects against user execution through tools and measures that block unknown or unused files in transit. |
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1204.001 | Malicious Link | To protect users from social engineering attacks, network intrusion prevention techniques can scan for and block malicious downloads and malicious activity. |
PR.PS-05.03 | Email and message service protection | Mitigates | T1204.001 | Malicious Link | Tools that detect, block and remove malware protect users who are deceived into opening malicious documents, clicking phishing links, or executing downloaded malware. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1204.001 | Malicious Link | This diagnostic statement protects against Malicious Link through secure network configurations and architecture, zero trust architecture implementations, and segmentation. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1204.001 | Malicious Link | |
CM-06 | Configuration Settings | mitigates | T1204.001 | Malicious Link | |
SC-44 | Detonation Chambers | mitigates | T1204.001 | Malicious Link | |
SI-08 | Spam Protection | mitigates | T1204.001 | Malicious Link | |
SI-02 | Flaw Remediation | mitigates | T1204.001 | Malicious Link | |
SI-03 | Malicious Code Protection | mitigates | T1204.001 | Malicious Link | |
CM-02 | Baseline Configuration | mitigates | T1204.001 | Malicious Link | |
CM-07 | Least Functionality | mitigates | T1204.001 | Malicious Link | |
SI-04 | System Monitoring | mitigates | T1204.001 | Malicious Link | |
AC-04 | Information Flow Enforcement | mitigates | T1204.001 | Malicious Link | |
SC-07 | Boundary Protection | mitigates | T1204.001 | Malicious Link | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Other | Other | related-to | T1204.001 | Malicious Link | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1204.001 | Malicious Link | This control monitors for references to suspicious domain names and for file downloads from known malware sources, and monitors processes for downloads from raw-data websites such as Pastebin. These signals are relevant for detecting users' interactions with malicious download links, but malicious links that exploit browser vulnerabilities for execution are unlikely to be detected, and the temporal factor (how quickly detection occurs) is unknown. This results in a score of Minimal. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
web_risk | Web Risk | technique_scores | T1204.001 | Malicious Link | Web Risk lets client applications check URLs against Google's list of unsafe web resources and can warn users before they reach a potentially unsafe site. However, Google does not guarantee that the list is comprehensive or error-free: some risky sites may be missed and some safe sites may be misclassified. This results in an overall score of Partial. |
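As an added example (not code from this page, from Microsoft Defender for Cloud, or from Google Web Risk), the following Python script applies the two kinds of signal described in the Defender for App Service and Web Risk rows above to constructed web-proxy log lines: a reputation lookup against an unsafe-URL list standing in for a vendor feed, plus heuristics for downloads from raw-data sites and for executable payloads. The log format, the host and URL lists, and the user names are all assumptions made for the example. The unsafe list is deliberately incomplete so that the last record, a plain HTML page that could be a browser-exploit landing page, produces no finding, which is the blind spot both mapping notes call out.

```python
"""Score constructed proxy log records for signs of a user following a malicious link.

Added example; not code from the mapping page or from Microsoft/Google.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: a constructed stand-in for a vendor unsafe-URL feed (what a Web Risk
# lookup would answer). Deliberately incomplete, to show the coverage gap.
UNSAFE_URL_PREFIXES = (
    "http://invoice-update.example.net/",
    "https://account-verify.example.org/",
)

# Assumption: a short list of raw-data/paste sites; a real deployment would use a category feed.
RAW_DATA_HOSTS = {"pastebin.com", "paste.ee", "hastebin.com"}

EXECUTABLE_PATH = re.compile(r"\.(exe|dll|scr|hta|js|vbs|ps1|msi|jar|lnk|iso)$", re.IGNORECASE)
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-msdos-program"}

# Constructed sample log: timestamp user src_ip method url status content_type bytes
SAMPLE_LOG = """
2024-05-02T10:15:01Z alice 10.0.0.5 GET https://www.example.com/news/index.html 200 text/html 4811
2024-05-02T10:16:44Z alice 10.0.0.5 GET http://invoice-update.example.net/Invoice_2211.pdf.exe 200 application/x-msdownload 312000
2024-05-02T10:17:09Z bob 10.0.0.7 GET https://pastebin.com/raw/aB3dE9fG 200 text/plain 2048
2024-05-02T10:18:30Z carol 10.0.0.9 GET https://promo-deals.example.com/offer.html 200 text/html 9020
2024-05-02T10:19:02Z dave 10.0.0.11 GET https://cdn.example.com/tools/setup.msi 404 text/html 512
"""


@dataclass
class Finding:
    user: str
    url: str
    score: int
    reasons: list = field(default_factory=list)


def parse_proxy_line(line):
    """Parse one record of the assumed 8-field format; return None for anything else."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, user, src, method, url, status, ctype, size = parts
    return {"ts": ts, "user": user, "src": src, "method": method, "url": url,
            "status": status, "ctype": ctype, "bytes": int(size)}


def score_request(rec):
    """Return a Finding for one successful request, or None when nothing looks suspicious."""
    url = rec["url"]
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    # Signal 1: reputation lookup (the Web Risk-style check). Misses anything not on the list.
    if any(url.startswith(prefix) for prefix in UNSAFE_URL_PREFIXES):
        reasons.append("reputation: URL on unsafe list")
    # Signal 2: download from a raw-data/paste site (the Defender-style process signal).
    if host in RAW_DATA_HOSTS and parsed.path.startswith("/raw"):
        reasons.append("download from raw-data site")
    # Signal 3: executable payload, by path extension or declared content type.
    if EXECUTABLE_PATH.search(parsed.path) or rec["ctype"].lower() in EXECUTABLE_TYPES:
        reasons.append("executable payload fetched")
    if not reasons:
        return None
    return Finding(rec["user"], url, len(reasons), reasons)


def analyze(log_text):
    """Run every parseable, successful (HTTP 200) record through score_request."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_proxy_line(line)
        if rec is None or rec["status"] != "200":
            continue
        finding = score_request(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.user}: score={f.score} {f.url}")
        for r in f.reasons:
            print(f"    - {r}")
```

Running it reports alice's invoice download (on the unsafe list and an executable) and bob's raw paste fetch; carol's HTML page is silently passed, exactly as the "Minimal" and "Partial" notes above warn, because neither a reputation list nor a download heuristic sees a browser exploit served as an ordinary page.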