Detect Malicious Link in CrowdStrike LogScale
Adversaries may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from spearphishing links delivered via email, messaging platforms, or social media. Clicking on a link may lead to exploitation of a browser or application vulnerability, or direct download of a file requiring execution. Threat actors including FIN7, Kimsuky, QakBot, Bazar, and Mustang Panda have all leveraged malicious links as initial access vectors, often hosting payloads on legitimate cloud services such as Google Docs, OneDrive, or Dropbox to evade reputation-based filtering.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1204 User Execution
- Sub-technique
- T1204.001 Malicious Link
- Canonical reference
- https://attack.mitre.org/techniques/T1204/001/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(chrome|msedge|firefox|iexplore|opera|brave|vivaldi|browser)\.exe$/
| FileName = /(?i)^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|msbuild|csc|installutil|regasm|regsvcs|odbcconf|forfiles|pcalua)\.exe$/
| CommandLine != null
| eval is_encoded_ps := if(CommandLine = /(?i)(-encodedcommand|-enc\s|-e\s|-ec\s)/, "true", "false")
| eval is_download_cradle := if(CommandLine = /(?i)(invoke-webrequest|net\.webclient|downloadfile|downloadstring|iex\(|invoke-expression|start-bitstransfer)/, "true", "false")
| eval is_script_engine := if(FileName = /(?i)^(wscript|cscript|mshta)\.exe$/, "true", "false")
| eval is_lolbin := if(FileName = /(?i)^(rundll32|regsvr32|certutil|mshta|msbuild|installutil|regasm|regsvcs)\.exe$/, "true", "false")
| eval suspicion_level := case(
is_encoded_ps = "true" AND is_download_cradle = "true", "critical",
is_encoded_ps = "true" OR is_download_cradle = "true", "high",
is_lolbin = "true", "high",
is_script_engine = "true", "medium",
true(), "medium"
)
| fields timestamp, ComputerName, UserName, ParentBaseFileName, ParentCommandLine, FileName, CommandLine, is_encoded_ps, is_download_cradle, is_script_engine, is_lolbin, suspicion_level
| sort(field=timestamp, order=desc)
| limit 200CrowdStrike LogScale CQL query detecting T1204.001 by filtering ProcessRollup2 Falcon telemetry events where a browser process is the parent and the child process is a known suspicious executable, script engine, or LOLBin. Classifies each event by encoded PowerShell, download cradle, script engine, and LOLBin characteristics, then assigns a suspicion level for analyst triage prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Browser-based enterprise onboarding portals that invoke PowerShell scripts through ClickOnce or similar deployment mechanisms to install required software on new employee machines.
- Legitimate use of certutil.exe for certificate downloads or CRL checks triggered indirectly by browser SSL validation processes on certain Windows configurations.
- Security awareness training platforms that simulate phishing by having users click links, which may invoke local script executables as part of the simulation payload delivery (controlled red team exercises).
Other platforms for T1204.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Browser Spawning PowerShell via URI Handler (Simulated)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-ExecutionPolicy Bypass -WindowStyle Hidden'. Sysmon Event ID 11: File Create for %TEMP%\malicious-link-test.txt. Security Event ID 4688 (if command line auditing enabled) showing powershell.exe creation.
- Test 2Malicious Link File Drop Simulation — Executable in Downloads
Expected signal: Sysmon Event ID 11: File Create with TargetFilename ending in Downloads\Invoice_March2026.exe. DeviceFileEvents (MDE) will show file creation in the Downloads directory. The Zone.Identifier ADS will NOT be present since the file is copied rather than downloaded — in a real scenario the browser would attach ZoneId=3.
- Test 3wscript.exe Execution of Remote-Hosted VBScript (Simulated Link Click)
Expected signal: Sysmon Event ID 11: File Create for %TEMP%\link_payload.vbs. Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine containing the .vbs path. Security Event ID 4688 for wscript.exe creation. If launched from a browser parent, the parent-child relationship is recorded in ParentImage.
- Test 4mshta.exe LOLBin Execution via Simulated Browser Spawn
Expected signal: Sysmon Event ID 11: File Create for %TEMP%\link_test.hta. Sysmon Event ID 1: Process Create with Image=mshta.exe and CommandLine referencing the .hta path. If the HTA makes network connections, Sysmon Event ID 3 will record them. Security Event ID 4688 for mshta.exe.
- Test 5ISO/IMG Mount and Execute — Malicious Link File Delivery
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Shell.Application COM object instantiation in command line. Sysmon Event ID 11: File Create for marker file. In a real ISO execution scenario, Sysmon Event ID 1 would show the process launched from a drive letter (e.g., E:\payload.exe) with no Zone.Identifier, distinguishing it from standard Downloads executions.
References (12)
- https://attack.mitre.org/techniques/T1204/001/
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
- https://blog.cybereason.com/operation-gozi-the-shadow-war-against-the-public-sector
- https://www.zscaler.com/blogs/security-research/bazar-drops-the-anchor
- https://securityintelligence.com/posts/grandoreiro-how-engorged-can-an-exe-get/
- https://www.malwarebytes.com/blog/threat-intelligence/2021/02/lazyscripter-from-empire-to-double-rat
- https://www.trendmicro.com/en_us/research/21/h/confucius-apt-deploys-romcom-to-attack-ukraine.html
- https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.001/T1204.001.md
- https://www.sans.org/blog/ms-office-files-are-still-a-top-malware-delivery-mechanism/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
Unlock Pro Content
Get the full detection package for T1204.001 including response playbook, investigation guide, and atomic red team tests.