T1204.001

Malicious Link

Adversaries may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from spearphishing links delivered via email, messaging platforms, or social media. Clicking on a link may lead to exploitation of a browser or application vulnerability, or direct download of a file requiring execution. Threat actors including FIN7, Kimsuky, QakBot, Bazar, and Mustang Panda have all leveraged malicious links as initial access vectors, often hosting payloads on legitimate cloud services such as Google Docs, OneDrive, or Dropbox to evade reputation-based filtering.

Microsoft Sentinel / Defender

kusto

let BrowserProcesses = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe", "browser.exe"]);
let SuspiciousChildren = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe", "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "odbcconf.exe", "forfiles.exe", "pcalua.exe"]);
let SuspiciousExtensions = dynamic([".exe", ".dll", ".js", ".vbs", ".hta", ".wsf", ".ps1", ".bat", ".cmd", ".scr", ".pif", ".cpl", ".iso", ".img"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (BrowserProcesses)
| where FileName in~ (SuspiciousChildren)
| extend SuspiciousParentPath = InitiatingProcessFolderPath
| extend ChildCommandLine = ProcessCommandLine
| extend IsEncodedPS = FileName =~ "powershell.exe" and (ProcessCommandLine has "-enc" or ProcessCommandLine has "-EncodedCommand")
| extend IsDownloadCradle = ProcessCommandLine has_any ("Invoke-WebRequest", "Net.WebClient", "DownloadFile", "DownloadString", "IEX", "Invoke-Expression")
| extend IsScriptEngine = FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| extend IsLOLBin = FileName in~ ("rundll32.exe", "regsvr32.exe", "certutil.exe", "mshta.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe")
| project Timestamp, DeviceName, AccountName, AccountDomain,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath,
         FileName, ProcessCommandLine, FolderPath,
         IsEncodedPS, IsDownloadCradle, IsScriptEngine, IsLOLBin
| sort by Timestamp desc
| union (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName in~ (BrowserProcesses)
    | where FolderPath has_any ("\\Downloads\\", "\\AppData\\Local\\Temp\\", "\\Users\\Public\\", "\\Temp\\")
    | where FileName has_any (SuspiciousExtensions)
    | project Timestamp, DeviceName, AccountName, AccountDomain,
             InitiatingProcessFileName, InitiatingProcessCommandLine=InitiatingProcessCommandLine,
             FileName, FolderPath,
             IsEncodedPS=false, IsDownloadCradle=false, IsScriptEngine=false, IsLOLBin=false
    | sort by Timestamp desc
)

high severity high confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Enterprise software deployment portals that use browser-initiated installers (ClickOnce, MSIX) may trigger msiexec.exe as a browser child process
Legitimate browser extensions or helper applications (e.g., meeting clients, VPN agents) that launch via protocol handlers (e.g., zoom://, msteams://)
Developer workstations where browser-based IDEs or tools legitimately spawn Node.js, Python, or PowerShell processes
IT-managed browser kiosks running automation scripts that interact with browsers and spawn controlled child processes
PDF viewers or office document handlers launched from browser downloads that briefly show browser as parent process

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ImageLower=lower(Image)
| where match(ParentImageLower, "(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe)")
| where match(ImageLower, "(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|wmic\.exe|msbuild\.exe|csc\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|odbcconf\.exe)")
| eval CommandLineLower=lower(CommandLine)
| eval IsEncodedPS=if(match(CommandLineLower, "(-encodedcommand|-enc\s|-e\s|-ec\s)"), 1, 0)
| eval IsDownloadCradle=if(match(CommandLineLower, "(invoke-webrequest|net\.webclient|downloadfile|downloadstring|iex\(|invoke-expression|start-bitstransfer)"), 1, 0)
| eval IsScriptEngine=if(match(ImageLower, "(wscript\.exe|cscript\.exe|mshta\.exe)"), 1, 0)
| eval IsLOLBin=if(match(ImageLower, "(rundll32\.exe|regsvr32\.exe|certutil\.exe|mshta\.exe|msbuild\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe)"), 1, 0)
| eval IsCmdWithArgs=if(match(ImageLower, "cmd\.exe") AND match(CommandLineLower, "(/c|/k)"), 1, 0)
| eval SuspicionScore=IsEncodedPS + IsDownloadCradle + IsScriptEngine + IsLOLBin + IsCmdWithArgs
| eval SuspicionScore=if(SuspicionScore=0, 1, SuspicionScore)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsEncodedPS, IsDownloadCradle, IsScriptEngine, IsLOLBin, IsCmdWithArgs, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise software deployment portals using browser-initiated installers (ClickOnce, MSIX) causing msiexec.exe to appear as a browser child
Legitimate protocol handler launches (zoom://, msteams://, slack://) where browser spawns the native application
Developer environments where browser-based tools legitimately invoke system processes for build or test operations
Browser helper objects or extensions that spawn companion applications with browser as the initiating process

Elastic Security (EQL)

eql

sequence by host.id with maxspan=30s
  [process where event.type == "start" and
   process.parent.name in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe", "browser.exe") and
   process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe", "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "odbcconf.exe", "forfiles.exe", "pcalua.exe")] as e1
  [any where event.type in ("start", "creation") and
   (
     (event.category == "process" and
      (
        (process.args : ("-enc", "-EncodedCommand")) or
        (process.args : ("Invoke-WebRequest", "Net.WebClient", "DownloadFile", "DownloadString", "IEX", "Invoke-Expression")) or
        (process.name in~ ("wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"))
      )
     ) or
     (event.category == "file" and
      file.path : ("*\\Downloads\\*.exe", "*\\Downloads\\*.dll", "*\\Downloads\\*.js", "*\\Downloads\\*.vbs", "*\\Downloads\\*.hta", "*\\Downloads\\*.ps1", "*\\Downloads\\*.iso", "*\\AppData\\Local\\Temp\\*.exe", "*\\AppData\\Local\\Temp\\*.dll", "*\\Users\\Public\\*.exe"))
   )
  ]

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent with Windows integration Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-*

False Positives

Legitimate browser extensions or update mechanisms that spawn helper processes such as Chrome's update service (GoogleUpdate.exe) or Firefox's crash reporter may appear as browser-spawned child processes.
Developer workflows where a browser launches a local development server script or test runner via a link (e.g., clicking a localhost debug link that triggers a PowerShell or Node.js process).
Enterprise software deployments using ClickOnce or MSIX packaging that involve msiexec.exe or rundll32.exe being launched through a browser download or link click.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "ParentImage",
  "Image",
  "CommandLine",
  "ParentCommandLine",
  CASE
    WHEN LOWER("CommandLine") LIKE '%-encodedcommand%' OR LOWER("CommandLine") LIKE '%-enc %' THEN 1
    ELSE 0
  END AS is_encoded_ps,
  CASE
    WHEN LOWER("CommandLine") LIKE '%invoke-webrequest%'
      OR LOWER("CommandLine") LIKE '%net.webclient%'
      OR LOWER("CommandLine") LIKE '%downloadfile%'
      OR LOWER("CommandLine") LIKE '%downloadstring%'
      OR LOWER("CommandLine") LIKE '%iex(%'
      OR LOWER("CommandLine") LIKE '%invoke-expression%' THEN 1
    ELSE 0
  END AS is_download_cradle,
  CASE
    WHEN LOWER("Image") LIKE '%wscript.exe%'
      OR LOWER("Image") LIKE '%cscript.exe%'
      OR LOWER("Image") LIKE '%mshta.exe%' THEN 1
    ELSE 0
  END AS is_script_engine,
  CASE
    WHEN LOWER("Image") LIKE '%rundll32.exe%'
      OR LOWER("Image") LIKE '%regsvr32.exe%'
      OR LOWER("Image") LIKE '%certutil.exe%'
      OR LOWER("Image") LIKE '%msbuild.exe%'
      OR LOWER("Image") LIKE '%installutil.exe%'
      OR LOWER("Image") LIKE '%regasm.exe%'
      OR LOWER("Image") LIKE '%regsvcs.exe%' THEN 1
    ELSE 0
  END AS is_lolbin
FROM events
WHERE
  LOGSOURCETYPEID = 12 -- Microsoft Windows Security Event Log (adjust for Sysmon source)
  AND devicetime > (NOW() - 86400000)
  AND (
    LOWER("ParentImage") LIKE '%chrome.exe'
    OR LOWER("ParentImage") LIKE '%msedge.exe'
    OR LOWER("ParentImage") LIKE '%firefox.exe'
    OR LOWER("ParentImage") LIKE '%iexplore.exe'
    OR LOWER("ParentImage") LIKE '%opera.exe'
    OR LOWER("ParentImage") LIKE '%brave.exe'
    OR LOWER("ParentImage") LIKE '%vivaldi.exe'
  )
  AND (
    LOWER("Image") LIKE '%powershell.exe'
    OR LOWER("Image") LIKE '%pwsh.exe'
    OR LOWER("Image") LIKE '%cmd.exe'
    OR LOWER("Image") LIKE '%wscript.exe'
    OR LOWER("Image") LIKE '%cscript.exe'
    OR LOWER("Image") LIKE '%mshta.exe'
    OR LOWER("Image") LIKE '%rundll32.exe'
    OR LOWER("Image") LIKE '%regsvr32.exe'
    OR LOWER("Image") LIKE '%certutil.exe'
    OR LOWER("Image") LIKE '%bitsadmin.exe'
    OR LOWER("Image") LIKE '%msiexec.exe'
    OR LOWER("Image") LIKE '%wmic.exe'
    OR LOWER("Image") LIKE '%msbuild.exe'
    OR LOWER("Image") LIKE '%installutil.exe'
    OR LOWER("Image") LIKE '%regasm.exe'
    OR LOWER("Image") LIKE '%regsvcs.exe'
    OR LOWER("Image") LIKE '%odbcconf.exe'
  )
ORDER BY devicetime DESC
LIMIT 500

high severity high confidence

Data Sources

QRadar SIEM with Windows Sysmon log source Microsoft Windows Security Event Log DSM IBM QRadar Log Source Extension for Sysmon

Required Tables

events

False Positives

Automated software update workflows initiated from browser notifications (e.g., Java updater, Adobe updater) may appear as browser-spawned msiexec.exe or rundll32.exe processes.
Help desk or remote support tools that open browser-based links and then invoke local scripts or executables as part of guided troubleshooting workflows.
Corporate intranet portals that use ActiveX controls or legacy browser-invoked executables through Internet Explorer compatibility mode in Edge.

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon*
| json auto
| where EventID = "1"
| eval parent_image_lower = toLowerCase(ParentImage)
| eval image_lower = toLowerCase(Image)
| eval cmdline_lower = toLowerCase(CommandLine)
| where (
    parent_image_lower matches "*chrome.exe"
    OR parent_image_lower matches "*msedge.exe"
    OR parent_image_lower matches "*firefox.exe"
    OR parent_image_lower matches "*iexplore.exe"
    OR parent_image_lower matches "*opera.exe"
    OR parent_image_lower matches "*brave.exe"
    OR parent_image_lower matches "*vivaldi.exe"
  )
| where (
    image_lower matches "*powershell.exe"
    OR image_lower matches "*pwsh.exe"
    OR image_lower matches "*cmd.exe"
    OR image_lower matches "*wscript.exe"
    OR image_lower matches "*cscript.exe"
    OR image_lower matches "*mshta.exe"
    OR image_lower matches "*rundll32.exe"
    OR image_lower matches "*regsvr32.exe"
    OR image_lower matches "*certutil.exe"
    OR image_lower matches "*bitsadmin.exe"
    OR image_lower matches "*msiexec.exe"
    OR image_lower matches "*wmic.exe"
    OR image_lower matches "*msbuild.exe"
    OR image_lower matches "*csc.exe"
    OR image_lower matches "*installutil.exe"
    OR image_lower matches "*regasm.exe"
    OR image_lower matches "*regsvcs.exe"
    OR image_lower matches "*odbcconf.exe"
  )
| if (cmdline_lower matches "*-encodedcommand*" OR cmdline_lower matches "*-enc *" OR cmdline_lower matches "*-ec *", 1, 0) as is_encoded_ps
| if (cmdline_lower matches "*invoke-webrequest*" OR cmdline_lower matches "*net.webclient*" OR cmdline_lower matches "*downloadfile*" OR cmdline_lower matches "*downloadstring*" OR cmdline_lower matches "*iex(*" OR cmdline_lower matches "*invoke-expression*", 1, 0) as is_download_cradle
| if (image_lower matches "*wscript.exe" OR image_lower matches "*cscript.exe" OR image_lower matches "*mshta.exe", 1, 0) as is_script_engine
| if (image_lower matches "*rundll32.exe" OR image_lower matches "*regsvr32.exe" OR image_lower matches "*certutil.exe" OR image_lower matches "*msbuild.exe" OR image_lower matches "*installutil.exe" OR image_lower matches "*regasm.exe" OR image_lower matches "*regsvcs.exe", 1, 0) as is_lolbin
| eval suspicion_score = is_encoded_ps + is_download_cradle + is_script_engine + is_lolbin
| eval suspicion_score = if (suspicion_score == 0, 1, suspicion_score)
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, is_encoded_ps, is_download_cradle, is_script_engine, is_lolbin, suspicion_score
| sort by _messagetime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Sysmon source Sumo Logic Cloud SIEM Enterprise with Windows data source Sysmon operational event log forwarded via Sumo Logic collector

Required Tables

Windows Sysmon Event ID 1 logs via _sourceCategory

False Positives

Browser-integrated enterprise applications that use cmd.exe or msiexec.exe to install or update plugins when a user clicks a download or update link from an internal portal.
Security tools such as endpoint agents that perform browser-initiated updates or health checks using PowerShell or certutil for certificate validation.
Development environments where clicking a localhost link in a browser opens a terminal or script runner (e.g., VS Code Live Server, Webpack dev server invoking a shell command).

Google Chronicle / SecOps

yaral

rule t1204_001_malicious_link_browser_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1204.001 - Malicious Link: Browser spawning suspicious child processes indicative of drive-by or spearphishing link execution."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1204.001"
    reference = "https://attack.mitre.org/techniques/T1204/001/"
    created = "2026-04-19"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe|browser\.exe)$/
    $proc.target.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|wmic\.exe|msbuild\.exe|csc\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|odbcconf\.exe|forfiles\.exe|pcalua\.exe)$/

  match:
    $proc.principal.hostname over 5m

  outcome:
    $hostname = $proc.principal.hostname
    $user = $proc.principal.user.userid
    $browser = $proc.principal.process.file.full_path
    $child_process = $proc.target.process.file.full_path
    $child_cmdline = $proc.target.process.command_line
    $is_encoded_ps = re.regex($proc.target.process.command_line, `(?i)(-encodedcommand|-enc\s|-e\s|-ec\s)`)
    $is_download_cradle = re.regex($proc.target.process.command_line, `(?i)(invoke-webrequest|net\.webclient|downloadfile|downloadstring|iex\(|invoke-expression|start-bitstransfer)`)
    $is_lolbin = re.regex($proc.target.process.file.full_path, `(?i)(rundll32\.exe|regsvr32\.exe|certutil\.exe|mshta\.exe|msbuild\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe)`)
    $risk_score = if($is_encoded_ps and $is_download_cradle, 90, if($is_encoded_ps or $is_download_cradle, 75, if($is_lolbin, 65, 50)))

  condition:
    $proc
}

high severity high confidence

Data Sources

Google Chronicle SIEM with Windows endpoint telemetry Chronicle Unified Data Model (UDM) process events Endpoint Detection and Response (EDR) data forwarded to Chronicle

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Enterprise software provisioning systems that use browsers as launchers to invoke msiexec.exe or PowerShell for application installation workflows triggered by web-based self-service portals.
Automated testing pipelines where CI/CD systems open a browser-based test report URL that then triggers a local script via a custom protocol handler.
Legitimate browser-to-application protocol handlers (e.g., teams://, zoom://, vscode://) that may cause the browser to spawn child processes as part of deep-link handling.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(chrome|msedge|firefox|iexplore|opera|brave|vivaldi|browser)\.exe$/
| FileName = /(?i)^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|msbuild|csc|installutil|regasm|regsvcs|odbcconf|forfiles|pcalua)\.exe$/
| CommandLine != null
| eval is_encoded_ps := if(CommandLine = /(?i)(-encodedcommand|-enc\s|-e\s|-ec\s)/, "true", "false")
| eval is_download_cradle := if(CommandLine = /(?i)(invoke-webrequest|net\.webclient|downloadfile|downloadstring|iex\(|invoke-expression|start-bitstransfer)/, "true", "false")
| eval is_script_engine := if(FileName = /(?i)^(wscript|cscript|mshta)\.exe$/, "true", "false")
| eval is_lolbin := if(FileName = /(?i)^(rundll32|regsvr32|certutil|mshta|msbuild|installutil|regasm|regsvcs)\.exe$/, "true", "false")
| eval suspicion_level := case(
    is_encoded_ps = "true" AND is_download_cradle = "true", "critical",
    is_encoded_ps = "true" OR is_download_cradle = "true", "high",
    is_lolbin = "true", "high",
    is_script_engine = "true", "medium",
    true(), "medium"
  )
| fields timestamp, ComputerName, UserName, ParentBaseFileName, ParentCommandLine, FileName, CommandLine, is_encoded_ps, is_download_cradle, is_script_engine, is_lolbin, suspicion_level
| sort(field=timestamp, order=desc)
| limit 200

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon ProcessRollup2 telemetry stream CrowdStrike Humio/LogScale with Falcon event ingestion

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Browser-based enterprise onboarding portals that invoke PowerShell scripts through ClickOnce or similar deployment mechanisms to install required software on new employee machines.
Legitimate use of certutil.exe for certificate downloads or CRL checks triggered indirectly by browser SSL validation processes on certain Windows configurations.
Security awareness training platforms that simulate phishing by having users click links, which may invoke local script executables as part of the simulation payload delivery (controlled red team exercises).

Last updated: 2026-04-19 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1204.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1204User Execution

Related Sub-techniques

T1204.002Malicious File T1204.003Malicious Image T1204.004Malicious Copy and Paste T1204.005Malicious Library

Malicious Link

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections