Detect Malicious Link in Microsoft Sentinel
Adversaries may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from spearphishing links delivered via email, messaging platforms, or social media. Clicking on a link may lead to exploitation of a browser or application vulnerability, or direct download of a file requiring execution. Threat actors including FIN7, Kimsuky, QakBot, Bazar, and Mustang Panda have all leveraged malicious links as initial access vectors, often hosting payloads on legitimate cloud services such as Google Docs, OneDrive, or Dropbox to evade reputation-based filtering.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1204 User Execution
- Sub-technique: T1204.001 Malicious Link
- Canonical reference: https://attack.mitre.org/techniques/T1204/001/
KQL Detection Query

```kusto
// Browser processes that can act as the parent of a malicious-link execution chain
let BrowserProcesses = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe", "browser.exe"]);
// Child processes a browser should not normally spawn: shells, script hosts and LOLBins
let SuspiciousChildren = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe", "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "odbcconf.exe", "forfiles.exe", "pcalua.exe"]);
// File types that warrant review when a browser writes them to a download or temp directory
let SuspiciousExtensions = dynamic([".exe", ".dll", ".js", ".vbs", ".hta", ".wsf", ".ps1", ".bat", ".cmd", ".scr", ".pif", ".cpl", ".iso", ".img"]);
// Pattern 1: a browser spawning a suspicious child process
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (BrowserProcesses)
| where FileName in~ (SuspiciousChildren)
| extend IsEncodedPS = FileName in~ ("powershell.exe", "pwsh.exe") and (ProcessCommandLine has "-enc" or ProcessCommandLine has "-EncodedCommand")
| extend IsDownloadCradle = ProcessCommandLine has_any ("Invoke-WebRequest", "Net.WebClient", "DownloadFile", "DownloadString", "IEX", "Invoke-Expression")
| extend IsScriptEngine = FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| extend IsLOLBin = FileName in~ ("rundll32.exe", "regsvr32.exe", "certutil.exe", "mshta.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe")
| project Timestamp, DeviceName, AccountName, AccountDomain,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath,
    FileName, ProcessCommandLine, FolderPath,
    IsEncodedPS, IsDownloadCradle, IsScriptEngine, IsLOLBin
| union (
    // Pattern 2: a browser writing an executable file type into a download or temp directory
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName in~ (BrowserProcesses)
    | where FolderPath has_any ("\\Downloads\\", "\\AppData\\Local\\Temp\\", "\\Users\\Public\\", "\\Temp\\")
    // Match on the file's actual extension rather than on a substring of its name
    | extend FileExtension = tolower(extract(@"\.[^.\\]+$", 0, FileName))
    | where FileExtension in (SuspiciousExtensions)
    // DeviceFileEvents has no AccountName/AccountDomain columns; the account lives on the initiating process
    | project Timestamp, DeviceName,
        AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,
        InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath,
        FileName, FolderPath, ProcessCommandLine = "",
        IsEncodedPS = false, IsDownloadCradle = false, IsScriptEngine = false, IsLOLBin = false
)
| sort by Timestamp desc
```

Detects malicious link execution by monitoring two primary patterns: (1) browser processes (Chrome, Edge, Firefox, IE) spawning suspicious child processes such as PowerShell, cmd.exe, script engines, or LOLBins — a strong indicator that a clicked link triggered code execution via browser exploitation or protocol handlers; and (2) browsers writing executable file types to Downloads or Temp directories. The union approach catches both in-memory execution chains and file-drop scenarios. Uses DeviceProcessEvents and DeviceFileEvents from Microsoft Defender for Endpoint.
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint)
- DeviceFileEvents (Microsoft Defender for Endpoint)
False Positives & Tuning
- Enterprise software deployment portals that use browser-initiated installers (ClickOnce, MSIX) may trigger msiexec.exe as a browser child process
- Legitimate browser extensions or helper applications (e.g., meeting clients, VPN agents) that launch via protocol handlers (e.g., zoom://, msteams://)
- Developer workstations where browser-based IDEs or tools legitimately spawn Node.js, Python, or PowerShell processes
- IT-managed browser kiosks running automation scripts that interact with browsers and spawn controlled child processes
- PDF viewers or office document handlers launched from browser downloads that briefly show browser as parent process
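The two detection patterns from the query above, together with one tuning allowlist entry of the kind the false-positive list calls for, reduced to plain Python and run over constructed Defender for Endpoint records. This is an added example, not the page's own query or Microsoft code; the event dictionaries, the deploy.corp.example portal host and the base64 blob are constructed for the example.

```python
import os
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "msbuild.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "certutil.exe", "mshta.exe", "msbuild.exe"}
CRADLE_TERMS = ("invoke-webrequest", "net.webclient", "downloadfile", "downloadstring", "iex", "invoke-expression")
SUSPICIOUS_EXTS = {".exe", ".dll", ".js", ".vbs", ".hta", ".wsf", ".ps1", ".bat", ".cmd", ".scr", ".iso", ".img"}
DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\temp\\")
# Tuning allowlist (constructed): msiexec.exe launched by a browser from a known ClickOnce deployment portal
ALLOWLIST = [("msiexec.exe", "deploy.corp.example")]
# -e, -ec, -enc or -encodedcommand followed by a base64 blob; "-executionpolicy bypass" does not match
ENCODED_RE = re.compile(r"\s-e[a-z]*\s+[a-z0-9+/=]{16,}")

def classify_process(ev):
    """Pattern 1: browser -> suspicious child. Returns the flag dict, or None when the event is not a hit."""
    parent, child = ev["InitiatingProcessFileName"].lower(), ev["FileName"].lower()
    cmd = ev["ProcessCommandLine"].lower()
    if parent not in BROWSERS or child not in SUSPICIOUS_CHILDREN:
        return None
    if any(child == c and host in ev["InitiatingProcessCommandLine"].lower() for c, host in ALLOWLIST):
        return None  # known deployment portal: suppress rather than alert
    return {"Pattern": "browser_child", "FileName": child,
            "IsEncodedPS": child in ("powershell.exe", "pwsh.exe") and bool(ENCODED_RE.search(cmd)),
            "IsDownloadCradle": any(t in cmd for t in CRADLE_TERMS),
            "IsScriptEngine": child in SCRIPT_ENGINES, "IsLOLBin": child in LOLBINS}

def classify_file(ev):
    """Pattern 2: browser writes an executable type into a drop directory (true extension, not a substring)."""
    parent, folder = ev["InitiatingProcessFileName"].lower(), ev["FolderPath"].lower()
    ext = os.path.splitext(ev["FileName"])[1].lower()
    if parent in BROWSERS and any(d in folder for d in DROP_DIRS) and ext in SUSPICIOUS_EXTS:
        return {"Pattern": "file_drop", "FileName": ev["FileName"], "FolderPath": ev["FolderPath"]}
    return None

def run_detection(process_events, file_events):
    hits = [classify_process(e) for e in process_events] + [classify_file(e) for e in file_events]
    return [h for h in hits if h]

# Constructed sample telemetry: encoded PowerShell from Edge, mshta from Chrome, an allowlisted
# ClickOnce install, a non-browser parent, a real .exe drop, and a .txt whose name merely contains ".exe"
PROCESS_EVENTS = [
    {"InitiatingProcessFileName": "msedge.exe", "InitiatingProcessCommandLine": "msedge.exe https://example.invalid/doc",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -NoP -W Hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACkA"},
    {"InitiatingProcessFileName": "chrome.exe", "InitiatingProcessCommandLine": "chrome.exe",
     "FileName": "mshta.exe", "ProcessCommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\link_test.hta"},
    {"InitiatingProcessFileName": "chrome.exe", "InitiatingProcessCommandLine": "chrome.exe https://deploy.corp.example/clickonce/app.application",
     "FileName": "msiexec.exe", "ProcessCommandLine": "msiexec.exe /i app.msi /qn"},
    {"InitiatingProcessFileName": "explorer.exe", "InitiatingProcessCommandLine": "explorer.exe",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami"},
]
FILE_EVENTS = [
    {"InitiatingProcessFileName": "chrome.exe", "FileName": "Invoice_March2026.exe", "FolderPath": r"C:\Users\alice\Downloads\Invoice_March2026.exe"},
    {"InitiatingProcessFileName": "msedge.exe", "FileName": "release-notes.exe.txt", "FolderPath": r"C:\Users\alice\Downloads\release-notes.exe.txt"},
]
```

Running `run_detection(PROCESS_EVENTS, FILE_EVENTS)` yields three hits: the encoded PowerShell chain, the mshta chain and the .exe drop; the ClickOnce install, the explorer-spawned cmd.exe and the .txt file are not reported.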
Testing Methodology
Validate this detection against the five Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Browser Spawning PowerShell via URI Handler (Simulated)
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-ExecutionPolicy Bypass -WindowStyle Hidden'. Sysmon Event ID 11: File Create for %TEMP%\malicious-link-test.txt. Security Event ID 4688 (if command line auditing enabled) showing powershell.exe creation.
- Test 2: Malicious Link File Drop Simulation — Executable in Downloads
  Expected signal: Sysmon Event ID 11: File Create with TargetFilename ending in Downloads\Invoice_March2026.exe. DeviceFileEvents (MDE) will show file creation in the Downloads directory. The Zone.Identifier ADS will NOT be present since the file is copied rather than downloaded — in a real scenario the browser would attach ZoneId=3.
- Test 3: wscript.exe Execution of Remote-Hosted VBScript (Simulated Link Click)
  Expected signal: Sysmon Event ID 11: File Create for %TEMP%\link_payload.vbs. Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine containing the .vbs path. Security Event ID 4688 for wscript.exe creation. If launched from a browser parent, the parent-child relationship is recorded in ParentImage.
- Test 4: mshta.exe LOLBin Execution via Simulated Browser Spawn
  Expected signal: Sysmon Event ID 11: File Create for %TEMP%\link_test.hta. Sysmon Event ID 1: Process Create with Image=mshta.exe and CommandLine referencing the .hta path. If the HTA makes network connections, Sysmon Event ID 3 will record them. Security Event ID 4688 for mshta.exe.
- Test 5: ISO/IMG Mount and Execute — Malicious Link File Delivery
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Shell.Application COM object instantiation in command line. Sysmon Event ID 11: File Create for marker file. In a real ISO execution scenario, Sysmon Event ID 1 would show the process launched from a drive letter (e.g., E:\payload.exe) with no Zone.Identifier, distinguishing it from standard Downloads executions.
References (12)
- https://attack.mitre.org/techniques/T1204/001/
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
- https://blog.cybereason.com/operation-gozi-the-shadow-war-against-the-public-sector
- https://www.zscaler.com/blogs/security-research/bazar-drops-the-anchor
- https://securityintelligence.com/posts/grandoreiro-how-engorged-can-an-exe-get/
- https://www.malwarebytes.com/blog/threat-intelligence/2021/02/lazyscripter-from-empire-to-double-rat
- https://www.trendmicro.com/en_us/research/21/h/confucius-apt-deploys-romcom-to-attack-ukraine.html
- https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.001/T1204.001.md
- https://www.sans.org/blog/ms-office-files-are-still-a-top-malware-delivery-mechanism/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table