An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1204.001 | Malicious Link | |
| CA-7 | Continuous Monitoring | Protects | T1204.001 | Malicious Link | |
| CM-2 | Baseline Configuration | Protects | T1204.001 | Malicious Link | |
| CM-6 | Configuration Settings | Protects | T1204.001 | Malicious Link | |
| CM-7 | Least Functionality | Protects | T1204.001 | Malicious Link | |
| SC-44 | Detonation Chambers | Protects | T1204.001 | Malicious Link | |
| SC-7 | Boundary Protection | Protects | T1204.001 | Malicious Link | |
| SI-2 | Flaw Remediation | Protects | T1204.001 | Malicious Link | |
| SI-3 | Malicious Code Protection | Protects | T1204.001 | Malicious Link | |
| SI-4 | System Monitoring | Protects | T1204.001 | Malicious Link | |
| SI-8 | Spam Protection | Protects | T1204.001 | Malicious Link |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Unknown | Unknown | related-to | T1204.001 | User Execution: Malicious Link | |
| action.malware.vector.Email link | Email via embedded link. Child of 'Email' | related-to | T1204.001 | User Execution: Malicious Link | |
| action.social.variety.Phishing | Phishing (or any type of *ishing) | related-to | T1204.001 | User Execution: Malicious Link |