# T1204.001 Malicious Link

-----------------------------------------------------------------------

## Technique Description

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).

## Technique Detection

Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.

Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.

-----------------------------------------------------------------------

### Tactics:

  * Execution

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Network Traffic:** Network Connection Creation

  * **File:** File Creation

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has lured victims into clicking on a malicious link sent through spearphishing.(Citation: TrendMicro Confucius APT Aug 2021)| 
| LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has relied upon users clicking on links to malicious files.(Citation: MalwareBytes LazyScripter Feb 2021)| 
| Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has directed users to open URLs hosting malicious content.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has sent malicious links including links directing victims to a Google Drive folder.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: McAfee Dianxun March 2021)(Citation: Proofpoint TA416 Europe March 2022)| 
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used malicious links in e-mails to lure victims into downloading malware.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has lured targets to click on malicious links to gain execution in the target environment.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020)| 
| Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which download a .LNK file.(Citation: ESET EvilNum July 2020)|
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used links embedded in e-mails to lure victims into executing malicious code.(Citation: SANS Windshift August 2018)| 
| Mofang | [Mofang](https://attack.mitre.org/groups/G0103)'s spearphishing emails required a user to click the link to connect to a compromised website.(Citation: FOX-IT May 2016 Mofang)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has lured victims into clicking a malicious link delivered through spearphishing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)| 
| BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has used e-mails with malicious links to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)|
| Machete | [Machete](https://attack.mitre.org/groups/G0095) has relied on users opening malicious links delivered through spearphishing to execute malware.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)|
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has lured victims into clicking malicious links.(Citation: KISA Operation Muzabi)| 
| TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used lures to get users to click links in emails and attachments. For example, [TA505](https://attack.mitre.org/groups/G0092) makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has sent spearphishing emails in an attempt to lure users to click on a malicious link.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)| 
| FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)| 
| Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.(Citation: Talos Cobalt Group July 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: Secureworks GOLD KINGSWOOD September 2018)| 
| Elderwood | [Elderwood](https://attack.mitre.org/groups/G0066) has leveraged multiple types of spearphishing in order to attempt to get a user to open links.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has sent spearphishing email links attempting to get a user to click.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has distributed URLs in phishing e-mails that link to lure documents.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)| 
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has lured users to click links to malicious HTML applications delivered via spearphishing emails.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used emails with malicious links to lure victims into installing malware.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has attempted to lure victims into opening malicious links embedded in emails.(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.(Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has delivered malicious links to achieve execution on the target system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used malicious links to lure victims into downloading malware.(Citation: CrowdStrike Carbon Spider August 2021)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has used spearphishing with links to try to get users to click, download and open malicious files.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)(Citation: Unit 42 BackConfig May 2020)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Unit 74455 October 2020)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has sent spearphishing emails in an attempt to lure users to click on a malicious link.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has lured victims into clicking malicious links delivered through spearphishing.(Citation: FireEye Clandestine Wolf)| 
| Molerats | [Molerats](https://attack.mitre.org/groups/G0021) has sent malicious links via email to trick users into opening a RAR archive and running an executable.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)|
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to click on a malicious link.(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)|
| Night Dragon | [Night Dragon](https://attack.mitre.org/groups/G0014) enticed users to click on links in spearphishing emails to download malware.(Citation: McAfee Night Dragon)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used spearphishing via a link to get users to download and run their malware.(Citation: ESET Turla Mosquito Jan 2018)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1204/001)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 22 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, Matthew A Taylor, Servando Quinones, Emily Porras

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Turla will use spearphishing or other social engineering methods to get users to click on malicious links that download and run their malware.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Sensor Location

## Analytical References

  * https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- APT observed using legitimate Akamai IP addresses and Adobe URLs to install malicious FlashPlayer installer
- Observed malicious downloads were done through HTTP rather than HTTPS

#### Analytic 1

  * **Information:** Identify GET requests for possible malicious files. Modify type as needed.

  * **Source:** PCAP

  * **Tool:** Kibana

  * **Notes:** Examples of types observed in the past include: [*.zip, *.rar, *.exe, *.lnk, *.docx, *.pdf, *.scr]. Correlate traffic shortly after an executable download for a possible second-stage backdoor. NOTE: Switch to Lucene in Kibana to assist in your query.

  * **Query:** ```http.method:GET AND http.uri:(*.zip OR *.rar OR *.exe OR *.lnk OR *.docx OR *.pdf OR *.scr)``` (the extension alternatives are grouped so that the `OR` terms apply to `http.uri` rather than to the default field)

#### Analytic 2

  * **Information:** Identify mismatched file types from GET requests.

  * **Source:** PCAP

  * **Tool:** Kibana

  * **Notes:** Example: URI contains .jpg or .png, but bodymagic identifies an executable file (modify as needed).

  * **Query:** ```http.bodyMagic:application*``` (Lucene syntax, since the tool is Kibana)



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- APT observed using legitimate Akamai IP addresses and Adobe URLs to install malicious FlashPlayer installer
- Observed malicious downloads were done through HTTP rather than HTTPS

#### Analytic 1

  * **Information:** Identify GET requests for possible malicious files. Modify type as needed.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Examples of types observed in the past include: [*.zip, *.rar, *.exe, *.lnk, *.docx, *.pdf, *.scr]. Correlate traffic shortly after an executable download for a possible second-stage backdoor.

  * **Query:** ```http.method == "GET" && http.uri == [*.zip, *.rar, *.exe, *.lnk, *.docx, *.pdf, *.scr] && http.statuscode == 200```

#### Analytic 2

  * **Information:** Identify GET requests for possible malicious files. Modify type as needed.

  * **Source:** PCAP

  * **Tool:** Kibana

  * **Notes:** Examples of types observed in the past include: [*.zip, *.rar, *.exe, *.lnk, *.docx, *.pdf, *.scr]. Correlate traffic shortly after an executable download for a possible second-stage backdoor. NOTE: Switch to Lucene in Kibana to assist in your query.

  * **Query:** ```http.method:GET AND http.uri:(*.zip OR *.rar OR *.exe OR *.lnk OR *.docx OR *.pdf OR *.scr)``` (the extension alternatives are grouped so that the `OR` terms apply to `http.uri` rather than to the default field)

#### Analytic 3

  * **Information:** Identify mismatched file types from GET requests.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Example: URI contains .jpg or .png, but bodymagic identifies an executable file (modify as needed).

  * **Query:** ```http.bodymagic == application* && http.uri != *.exe*```
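The following Python is an added example, not part of this playbook and not Arkime or Kibana code. It re-implements the download-type GET analytic and the extension-versus-body-magic mismatch analytic (both appear under Host Analytics and Network Analytics above) as offline checks over constructed session records, and adds the "correlate traffic shortly after the download" step from the notes. The record layout follows Arkime's `http.*` field names, the sample sessions use RFC 5737 documentation addresses, and the text-like allowlist and 300-second correlation window are assumptions to tune per environment.

```python
# Added example (not from the playbook, Arkime or Kibana): the download-type
# GET analytic and the URI-extension vs. body-magic mismatch analytic as
# offline checks, plus the "correlate traffic shortly after the download"
# step from the notes. Record layout, sample data, the text-like allowlist
# and the correlation window are assumptions.
from urllib.parse import urlsplit

# Extensions the playbook notes list as observed download types.
DOWNLOAD_EXTS = {".zip", ".rar", ".exe", ".lnk", ".docx", ".pdf", ".scr"}

# application/* subtypes that are text-like and not worth flagging as
# executable content (assumed allowlist; tune per environment).
TEXT_LIKE_MAGIC = {
    "application/json",
    "application/xml",
    "application/javascript",
    "application/x-www-form-urlencoded",
}

# Constructed session records shaped after Arkime's http.* fields.
# Addresses come from RFC 5737 documentation ranges; nothing here is real.
SAMPLE_SESSIONS = [
    {"ts": 100, "src": "192.0.2.10", "dst": "198.51.100.5", "method": "GET",
     "uri": "/updates/flashplayer_setup.exe", "statuscode": 200,
     "bodymagic": "application/x-dosexec"},
    {"ts": 130, "src": "192.0.2.10", "dst": "203.0.113.9", "method": "POST",
     "uri": "/gate.php", "statuscode": 200, "bodymagic": "text/html"},
    {"ts": 200, "src": "192.0.2.11", "dst": "198.51.100.7", "method": "GET",
     "uri": "/images/banner.jpg", "statuscode": 200,
     "bodymagic": "application/x-dosexec"},
    {"ts": 210, "src": "192.0.2.12", "dst": "198.51.100.8", "method": "GET",
     "uri": "/images/logo.png", "statuscode": 200, "bodymagic": "image/png"},
    {"ts": 220, "src": "192.0.2.13", "dst": "198.51.100.9", "method": "GET",
     "uri": "/docs/report.pdf?dl=1", "statuscode": 404,
     "bodymagic": "text/html"},
    {"ts": 230, "src": "192.0.2.14", "dst": "198.51.100.10", "method": "GET",
     "uri": "/api/data.json", "statuscode": 200,
     "bodymagic": "application/json"},
]


def uri_extension(uri):
    """Lowercase extension of the URI path, ignoring any query string."""
    name = urlsplit(uri).path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def download_type_gets(sessions):
    """Download-type analytic: successful GETs whose URI ends in one of
    DOWNLOAD_EXTS (mirrors the Arkime query, which also requires status 200)."""
    return [s for s in sessions
            if s["method"] == "GET" and s["statuscode"] == 200
            and uri_extension(s["uri"]) in DOWNLOAD_EXTS]


def mismatched_body_types(sessions):
    """Mismatch analytic: body magic says application/* but the URI does not
    look like a download. Generalises the query's http.uri != *.exe* exclusion
    to every extension in DOWNLOAD_EXTS and skips text-like subtypes."""
    hits = []
    for s in sessions:
        magic = s["bodymagic"].lower()
        if s["method"] != "GET" or not magic.startswith("application/"):
            continue
        if magic in TEXT_LIKE_MAGIC:
            continue
        if uri_extension(s["uri"]) in DOWNLOAD_EXTS:
            continue  # extension already says "download"; covered above
        hits.append(s)
    return hits


def follow_on_traffic(sessions, hit, window_s=300):
    """Sessions from the same client within window_s seconds after a hit: the
    "correlate traffic shortly after the download" step from the notes."""
    return [s for s in sessions
            if s is not hit and s["src"] == hit["src"]
            and hit["ts"] < s["ts"] <= hit["ts"] + window_s]


if __name__ == "__main__":
    for hit in download_type_gets(SAMPLE_SESSIONS):
        print("download:", hit["src"], hit["uri"])
        for s in follow_on_traffic(SAMPLE_SESSIONS, hit):
            print("  follow-on:", s["method"], s["dst"], s["uri"])
    for hit in mismatched_body_types(SAMPLE_SESSIONS):
        print("mismatch:", hit["uri"], "->", hit["bodymagic"])
```

On the constructed data the download check flags only the `.exe` fetch (the `.pdf` request is excluded by its 404 status) and the mismatch check flags only the `.jpg` URI that returned a DOS executable; the `application/json` response is dropped by the allowlist, which is the kind of tuning the "modify as needed" notes above leave to the hunter. The follow-on step then surfaces the POST from the same client to a different host 30 seconds after the download, the pattern the notes describe for a possible second-stage backdoor.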

