Skip to content

DET0066 User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity)

Item Value
ID DET0066
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1204.001 (Malicious Link)

Analytics

Windows

AN0178

Behavioral chain: (1) a user-facing app (browser/Office/email client) launches a URL or handles a link, then (2) the same process lineage makes an outbound connection to an untrusted domain/IP, (3) a file is downloaded or unpacked to a user-writable location shortly after the click. Optional enrichment: subsequent child execution by LOLBINs.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Network Traffic Content (DC0085) NSM:Flow Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method GET/POST
Mutable Elements
Field Description
TimeWindow Correlation window (e.g., 15m) between link click / first egress / file write.
BrowserParents Processes considered link sources: chrome.exe, msedge.exe, firefox.exe, winword.exe, outlook.exe, teams.exe.
UserPaths User-writable directories to monitor (%USERPROFILE%\Downloads, %TEMP%, %APPDATA%*, OneDrive caches).
SuspiciousTLDs High-risk TLD and domain list (e.g., .top .xyz .monster; newly observed domains/NOD).
AllowedCDNs Corporate CDNs/update hosts to reduce false positives.

Linux

AN0179

Behavioral chain: (1) browser/office/GUI mail client opens a URL, (2) outbound connection to untrusted domain, (3) a new file is saved in $HOME/Downloads, /tmp, or cache immediately after.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) auditd:SYSCALL execve: Execs of chromium, google-chrome, firefox, libreoffice with http(s) in cmdline
File Creation (DC0039) auditd:SYSCALL open,creat,rename: Writes in $HOME/Downloads, /tmp, ~/.cache with exe/script/archive/office extensions
Network Traffic Content (DC0085) NSM:Flow Suspicious URL patterns, uncommon TLDs, URL shorteners
Mutable Elements
Field Description
TimeWindow Typical 10–20m between click and write.
UserPaths $HOME/Downloads, /tmp, ~/.cache, ~/.local/share.
HighRiskExtensions exe, elf, sh, js, py, jar, iso, img, zip, rar, xlsm, docm, xll.
DomainRiskScore Heuristic or TI score threshold for domains.

macOS

AN0180

Behavioral chain: (1) Safari/Chrome/Firefox/Office handles a URL; unified logs show open/click or LSQuarantine assignment, (2) outbound connection to untrusted domain, (3) a new file appears in ~/Downloads or /private/var/folders/* with quarantine flag.

Log Sources
Data Component Name Channel
Network Traffic Content (DC0085) macos:unifiedlog open URL
Network Connection Creation (DC0082) NSM:Connections New outbound connection from Safari/Chrome/Firefox/Word
File Creation (DC0039) fs:fsevents Create in /Users//Downloads or /private/var/folders/ with quarantine attribute
Mutable Elements
Field Description
TimeWindow 10–30m correlation.
QuarantinePolicy Alert when com.apple.quarantine missing on newly downloaded executables.
SuspiciousTLDs Org-specific risky domains/TLDs.