T1204.001 — Malicious Link

Technique

T1204.001

Tactics

Execution

MISP citations

0

KEV CVEs mapped

11

Community rules

4

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1204/001

MITRE description

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2024-38112
• CVE-2023-5631
• CVE-2023-5217
• CVE-2023-2136
• CVE-2022-3075
• CVE-2022-3038
• CVE-2022-24682
• CVE-2022-21971
• CVE-2020-3580
• CVE-2015-5119
• CVE-2012-0767

Detection coverage

SigmaHQ community rules

• Symlink Etc Passwd (core)
• Suspicious Execution via macOS Script Editor (core)
• Suspicious ClickFix/FileFix Execution Pattern (core)
• Potential ClickFix Execution Pattern - Registry (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.