T1204.001 Malicious Link Mappings

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-16 Security and Privacy Attributes Protects T1204.001 Malicious Link
AC-17 Remote Access Protects T1204.001 Malicious Link
AC-2 Account Management Protects T1204.001 Malicious Link
AC-21 Information Sharing Protects T1204.001 Malicious Link
AC-23 Data Mining Protection Protects T1204.001 Malicious Link
AC-3 Access Enforcement Protects T1204.001 Malicious Link
AC-4 Information Flow Enforcement Protects T1204.001 Malicious Link
AC-6 Least Privilege Protects T1204.001 Malicious Link
CA-7 Continuous Monitoring Protects T1204.001 Malicious Link
CM-2 Baseline Configuration Protects T1204.001 Malicious Link
CM-3 Configuration Change Control Protects T1204.001 Malicious Link
CM-5 Access Restrictions for Change Protects T1204.001 Malicious Link
CM-6 Configuration Settings Protects T1204.001 Malicious Link
CM-7 Least Functionality Protects T1204.001 Malicious Link
CM-8 System Component Inventory Protects T1204.001 Malicious Link
SC-28 Protection of Information at Rest Protects T1204.001 Malicious Link
SC-44 Detonation Chambers Protects T1204.001 Malicious Link
SC-7 Boundary Protection Protects T1204.001 Malicious Link
SI-2 Flaw Remediation Protects T1204.001 Malicious Link
SI-3 Malicious Code Protection Protects T1204.001 Malicious Link
SI-4 System Monitoring Protects T1204.001 Malicious Link
SI-7 Software, Firmware, and Information Integrity Protects T1204.001 Malicious Link
SI-8 Spam Protection Protects T1204.001 Malicious Link
azure_defender_for_app_service Azure Defender for App Service technique_scores T1204.001 Malicious Link
Comments
This control monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin, all of which are relevant for detecting users' interactions with malicious download links, but malicious links which exploit browser vulnerabilities for execution are unlikely to be detected, and temporal factor is unknown, resulting in a score of Minimal.
References