T1204.001 Sumo Logic CSE · Sumo

Detect Malicious Link in Sumo Logic CSE

Adversaries may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from spearphishing links delivered via email, messaging platforms, or social media. Clicking on a link may lead to exploitation of a browser or application vulnerability, or direct download of a file requiring execution. Threat actors including FIN7, Kimsuky, QakBot, Bazar, and Mustang Panda have all leveraged malicious links as initial access vectors, often hosting payloads on legitimate cloud services such as Google Docs, OneDrive, or Dropbox to evade reputation-based filtering.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Sub-technique
T1204.001 Malicious Link
Canonical reference
https://attack.mitre.org/techniques/T1204/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon*
| json auto
| where EventID = "1"
// Sumo Logic search has no Splunk-style eval; derived fields are written as "expression as field"
| toLowerCase(ParentImage) as parent_image_lower
| toLowerCase(Image) as image_lower
| toLowerCase(CommandLine) as cmdline_lower
// Parent must be a browser
| where (
    parent_image_lower matches "*chrome.exe"
    OR parent_image_lower matches "*msedge.exe"
    OR parent_image_lower matches "*firefox.exe"
    OR parent_image_lower matches "*iexplore.exe"
    OR parent_image_lower matches "*opera.exe"
    OR parent_image_lower matches "*brave.exe"
    OR parent_image_lower matches "*vivaldi.exe"
  )
// Child must be a shell, script host, installer or LOLBin
| where (
    image_lower matches "*powershell.exe"
    OR image_lower matches "*pwsh.exe"
    OR image_lower matches "*cmd.exe"
    OR image_lower matches "*wscript.exe"
    OR image_lower matches "*cscript.exe"
    OR image_lower matches "*mshta.exe"
    OR image_lower matches "*rundll32.exe"
    OR image_lower matches "*regsvr32.exe"
    OR image_lower matches "*certutil.exe"
    OR image_lower matches "*bitsadmin.exe"
    OR image_lower matches "*msiexec.exe"
    OR image_lower matches "*wmic.exe"
    OR image_lower matches "*msbuild.exe"
    OR image_lower matches "*csc.exe"
    OR image_lower matches "*installutil.exe"
    OR image_lower matches "*regasm.exe"
    OR image_lower matches "*regsvcs.exe"
    OR image_lower matches "*odbcconf.exe"
  )
// Scoring flags (1 = present, 0 = absent)
| if (cmdline_lower matches "*-encodedcommand*" OR cmdline_lower matches "*-enc *" OR cmdline_lower matches "*-ec *", 1, 0) as is_encoded_ps
| if (cmdline_lower matches "*invoke-webrequest*" OR cmdline_lower matches "*net.webclient*" OR cmdline_lower matches "*downloadfile*" OR cmdline_lower matches "*downloadstring*" OR cmdline_lower matches "*iex(*" OR cmdline_lower matches "*invoke-expression*", 1, 0) as is_download_cradle
| if (image_lower matches "*wscript.exe" OR image_lower matches "*cscript.exe" OR image_lower matches "*mshta.exe", 1, 0) as is_script_engine
| if (image_lower matches "*rundll32.exe" OR image_lower matches "*regsvr32.exe" OR image_lower matches "*certutil.exe" OR image_lower matches "*msbuild.exe" OR image_lower matches "*installutil.exe" OR image_lower matches "*regasm.exe" OR image_lower matches "*regsvcs.exe", 1, 0) as is_lolbin
| is_encoded_ps + is_download_cradle + is_script_engine + is_lolbin as suspicion_score
// A browser spawning any of these children is notable on its own, so the floor is 1
| if (suspicion_score = 0, 1, suspicion_score) as suspicion_score
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, is_encoded_ps, is_download_cradle, is_script_engine, is_lolbin, suspicion_score
| sort by _messagetime desc

Severity: high. Confidence: high.

Sumo Logic query that detects T1204.001 by parsing Sysmon Event ID 1 (Process Create) events in which a browser process spawns a known-suspicious child process. It then computes a suspicion score from four indicators (encoded PowerShell, download cradles, script engine usage, and LOLBin execution), with a minimum score of 1 because the browser-to-shell parent-child relationship is itself notable, so that analysts can triage the highest-scoring hits first.

Data Sources

  • Sumo Logic Installed Collector with Windows Sysmon source
  • Sumo Logic Cloud SIEM Enterprise with Windows data source
  • Sysmon operational event log forwarded via Sumo Logic collector

Required Tables

Windows Sysmon Event ID 1 logs via _sourceCategory

False Positives & Tuning

  • Browser-integrated enterprise applications that use cmd.exe or msiexec.exe to install or update plugins when a user clicks a download or update link from an internal portal.
  • Security tools such as endpoint agents that perform browser-initiated updates or health checks using PowerShell or certutil for certificate validation.
  • Development environments where clicking a localhost link in a browser opens a terminal or script runner (e.g., VS Code Live Server, Webpack dev server invoking a shell command).

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Browser Spawning PowerShell via URI Handler (Simulated)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-ExecutionPolicy Bypass -WindowStyle Hidden'. Sysmon Event ID 11: File Create for %TEMP%\malicious-link-test.txt. Security Event ID 4688 (if command line auditing enabled) showing powershell.exe creation.

  2. Test 2: Malicious Link File Drop Simulation — Executable in Downloads

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename ending in Downloads\Invoice_March2026.exe. DeviceFileEvents (MDE) will show file creation in the Downloads directory. The Zone.Identifier ADS will NOT be present since the file is copied rather than downloaded — in a real scenario the browser would attach ZoneId=3.

  3. Test 3: wscript.exe Execution of Remote-Hosted VBScript (Simulated Link Click)

    Expected signal: Sysmon Event ID 11: File Create for %TEMP%\link_payload.vbs. Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine containing the .vbs path. Security Event ID 4688 for wscript.exe creation. If launched from a browser parent, the parent-child relationship is recorded in ParentImage.

  4. Test 4: mshta.exe LOLBin Execution via Simulated Browser Spawn

    Expected signal: Sysmon Event ID 11: File Create for %TEMP%\link_test.hta. Sysmon Event ID 1: Process Create with Image=mshta.exe and CommandLine referencing the .hta path. If the HTA makes network connections, Sysmon Event ID 3 will record them. Security Event ID 4688 for mshta.exe.

  5. Test 5: ISO/IMG Mount and Execute — Malicious Link File Delivery

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Shell.Application COM object instantiation in command line. Sysmon Event ID 11: File Create for marker file. In a real ISO execution scenario, Sysmon Event ID 1 would show the process launched from a drive letter (e.g., E:\payload.exe) with no Zone.Identifier, distinguishing it from standard Downloads executions.
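The query's parent/child filters and suspicion scoring re-implemented in Python so the rule logic can be unit-tested offline against Sysmon-style records of the shape the tests above expect (a browser-spawned powershell.exe, a browser-spawned mshta.exe). This is an added example, not Sumo Logic's code or the detection package; the four event records are constructed, and hostnames, user paths and the base64 blob are placeholders.

```python
# Pattern lists mirror the Sumo query; matching is on lowercased fields, as in the query.
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
            "opera.exe", "brave.exe", "vivaldi.exe")
CHILDREN = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
            "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
            "msiexec.exe", "wmic.exe", "msbuild.exe", "csc.exe", "installutil.exe",
            "regasm.exe", "regsvcs.exe", "odbcconf.exe")
SCRIPT_ENGINES = ("wscript.exe", "cscript.exe", "mshta.exe")
LOLBINS = ("rundll32.exe", "regsvr32.exe", "certutil.exe", "msbuild.exe",
           "installutil.exe", "regasm.exe", "regsvcs.exe")
ENCODED_PS = ("-encodedcommand", "-enc ", "-ec ")
CRADLE = ("invoke-webrequest", "net.webclient", "downloadfile", "downloadstring",
          "iex(", "invoke-expression")

def score_event(event):
    """Return the query's flag fields for one Sysmon record, or None if it is not a hit."""
    parent, image = event.get("ParentImage", "").lower(), event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # Same filters as the query: Event ID 1, browser parent, known-suspicious child.
    if str(event.get("EventID")) != "1" or not parent.endswith(BROWSERS) or not image.endswith(CHILDREN):
        return None
    flags = {"is_encoded_ps": int(any(p in cmdline for p in ENCODED_PS)),
             "is_download_cradle": int(any(p in cmdline for p in CRADLE)),
             "is_script_engine": int(image.endswith(SCRIPT_ENGINES)),
             "is_lolbin": int(image.endswith(LOLBINS))}
    flags["suspicion_score"] = max(1, sum(flags.values()))  # floor of 1, as in the query
    return flags

def triage(events):
    """Score every record and return the hits ordered for analyst review (highest first)."""
    scored = ((e, score_event(e)) for e in events)
    hits = [dict(Computer=e.get("Computer"), Image=e.get("Image"), **f) for e, f in scored if f]
    return sorted(hits, key=lambda h: h["suspicion_score"], reverse=True)

# Constructed Sysmon Event ID 1 records (not real telemetry): a PowerShell launch built to trip two
# flags, a Test 4-style mshta spawn, a benign Chrome renderer, and a cmd.exe with a non-browser parent.
SAMPLE_EVENTS = [
    {"EventID": "1", "Computer": "WS01", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -enc UwB0AGEAcgB0AA== ; IEX(New-Object Net.WebClient)"},
    {"EventID": "1", "Computer": "WS02", "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\link_test.hta"},
    {"EventID": "1", "Computer": "WS01", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "CommandLine": "chrome.exe --type=renderer"},
    {"EventID": "1", "Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]
```

Feeding the False Positives cases above through `score_event` is a quick way to confirm a proposed exclusion actually suppresses them before editing the production rule.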
