T1204.001 IBM QRadar · QRadar

Detect Malicious Link in IBM QRadar

Adversaries may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from spearphishing links delivered via email, messaging platforms, or social media. Clicking on a link may lead to exploitation of a browser or application vulnerability, or direct download of a file requiring execution. Threat actors including FIN7, Kimsuky, QakBot, Bazar, and Mustang Panda have all leveraged malicious links as initial access vectors, often hosting payloads on legitimate cloud services such as Google Docs, OneDrive, or Dropbox to evade reputation-based filtering.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Sub-technique
T1204.001 Malicious Link
Canonical reference
https://attack.mitre.org/techniques/T1204/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "ParentImage",
  "Image",
  "CommandLine",
  "ParentCommandLine",
  CASE
    WHEN LOWER("CommandLine") LIKE '%-encodedcommand%' OR LOWER("CommandLine") LIKE '%-enc %' THEN 1
    ELSE 0
  END AS is_encoded_ps,
  CASE
    WHEN LOWER("CommandLine") LIKE '%invoke-webrequest%'
      OR LOWER("CommandLine") LIKE '%net.webclient%'
      OR LOWER("CommandLine") LIKE '%downloadfile%'
      OR LOWER("CommandLine") LIKE '%downloadstring%'
      OR LOWER("CommandLine") LIKE '%iex(%'
      OR LOWER("CommandLine") LIKE '%invoke-expression%' THEN 1
    ELSE 0
  END AS is_download_cradle,
  CASE
    WHEN LOWER("Image") LIKE '%wscript.exe%'
      OR LOWER("Image") LIKE '%cscript.exe%'
      OR LOWER("Image") LIKE '%mshta.exe%' THEN 1
    ELSE 0
  END AS is_script_engine,
  CASE
    WHEN LOWER("Image") LIKE '%rundll32.exe%'
      OR LOWER("Image") LIKE '%regsvr32.exe%'
      OR LOWER("Image") LIKE '%certutil.exe%'
      OR LOWER("Image") LIKE '%msbuild.exe%'
      OR LOWER("Image") LIKE '%installutil.exe%'
      OR LOWER("Image") LIKE '%regasm.exe%'
      OR LOWER("Image") LIKE '%regsvcs.exe%' THEN 1
    ELSE 0
  END AS is_lolbin
FROM events
WHERE
  LOGSOURCETYPEID = 12 -- Microsoft Windows Security Event Log (adjust for Sysmon source)
  AND devicetime > (NOW() - 86400000)
  AND (
    LOWER("ParentImage") LIKE '%chrome.exe'
    OR LOWER("ParentImage") LIKE '%msedge.exe'
    OR LOWER("ParentImage") LIKE '%firefox.exe'
    OR LOWER("ParentImage") LIKE '%iexplore.exe'
    OR LOWER("ParentImage") LIKE '%opera.exe'
    OR LOWER("ParentImage") LIKE '%brave.exe'
    OR LOWER("ParentImage") LIKE '%vivaldi.exe'
  )
  AND (
    LOWER("Image") LIKE '%powershell.exe'
    OR LOWER("Image") LIKE '%pwsh.exe'
    OR LOWER("Image") LIKE '%cmd.exe'
    OR LOWER("Image") LIKE '%wscript.exe'
    OR LOWER("Image") LIKE '%cscript.exe'
    OR LOWER("Image") LIKE '%mshta.exe'
    OR LOWER("Image") LIKE '%rundll32.exe'
    OR LOWER("Image") LIKE '%regsvr32.exe'
    OR LOWER("Image") LIKE '%certutil.exe'
    OR LOWER("Image") LIKE '%bitsadmin.exe'
    OR LOWER("Image") LIKE '%msiexec.exe'
    OR LOWER("Image") LIKE '%wmic.exe'
    OR LOWER("Image") LIKE '%msbuild.exe'
    OR LOWER("Image") LIKE '%installutil.exe'
    OR LOWER("Image") LIKE '%regasm.exe'
    OR LOWER("Image") LIKE '%regsvcs.exe'
    OR LOWER("Image") LIKE '%odbcconf.exe'
  )
ORDER BY devicetime DESC
LIMIT 500
high severity high confidence

QRadar AQL query detecting T1204.001 by correlating Sysmon or Windows event logs where a browser process (Chrome, Edge, Firefox, IE, Opera, Brave, Vivaldi) spawns a suspicious child process such as PowerShell, cmd.exe, LOLBins, or script engines. Classifies events by encoded command usage, download cradles, script engine invocation, and LOLBin usage.

Data Sources

QRadar SIEM with Windows Sysmon log sourceMicrosoft Windows Security Event Log DSMIBM QRadar Log Source Extension for Sysmon

Required Tables

events

False Positives & Tuning

  • Automated software update workflows initiated from browser notifications (e.g., Java updater, Adobe updater) may appear as browser-spawned msiexec.exe or rundll32.exe processes.
  • Help desk or remote support tools that open browser-based links and then invoke local scripts or executables as part of guided troubleshooting workflows.
  • Corporate intranet portals that use ActiveX controls or legacy browser-invoked executables through Internet Explorer compatibility mode in Edge.
Download portable Sigma rule (.yml)

Other platforms for T1204.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Browser Spawning PowerShell via URI Handler (Simulated)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-ExecutionPolicy Bypass -WindowStyle Hidden'. Sysmon Event ID 11: File Create for %TEMP%\malicious-link-test.txt. Security Event ID 4688 (if command line auditing enabled) showing powershell.exe creation.

  2. Test 2Malicious Link File Drop Simulation — Executable in Downloads

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename ending in Downloads\Invoice_March2026.exe. DeviceFileEvents (MDE) will show file creation in the Downloads directory. The Zone.Identifier ADS will NOT be present since the file is copied rather than downloaded — in a real scenario the browser would attach ZoneId=3.

  3. Test 3wscript.exe Execution of Remote-Hosted VBScript (Simulated Link Click)

    Expected signal: Sysmon Event ID 11: File Create for %TEMP%\link_payload.vbs. Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine containing the .vbs path. Security Event ID 4688 for wscript.exe creation. If launched from a browser parent, the parent-child relationship is recorded in ParentImage.

  4. Test 4mshta.exe LOLBin Execution via Simulated Browser Spawn

    Expected signal: Sysmon Event ID 11: File Create for %TEMP%\link_test.hta. Sysmon Event ID 1: Process Create with Image=mshta.exe and CommandLine referencing the .hta path. If the HTA makes network connections, Sysmon Event ID 3 will record them. Security Event ID 4688 for mshta.exe.

  5. Test 5ISO/IMG Mount and Execute — Malicious Link File Delivery

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Shell.Application COM object instantiation in command line. Sysmon Event ID 11: File Create for marker file. In a real ISO execution scenario, Sysmon Event ID 1 would show the process launched from a drive letter (e.g., E:\payload.exe) with no Zone.Identifier, distinguishing it from standard Downloads executions.

Last updated: 2026-04-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1204.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1204User Execution

Related Sub-techniques

T1204.002Malicious FileT1204.003Malicious ImageT1204.004Malicious Copy and PasteT1204.005Malicious Library

Related Techniques

T1566.002Spearphishing LinkT1204.002Malicious FileT1203Exploitation for Client ExecutionT1105Ingress Tool TransferT1059.001PowerShellT1059.003Windows Command ShellT1059.005Visual BasicT1218.005MshtaT1218.010Regsvr32T1547.001Registry Run Keys / Startup FolderT1071.001Web Protocols

Same Tactic: Execution

Popular Detections