MITRE ATT&CK® Detection Strategy

DET0066: User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity)


Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0066 is a detection strategy for a common user-driven execution path: a user clicks a malicious link, the endpoint makes suspicious outbound connections, content is downloaded or written, and follow-on activity occurs. Its business value is in validating whether the organization can connect user action, network egress, file activity, and later process behavior into one investigation story rather than treating each signal as isolated noise.

Executive priority

Prioritize this as a resilience and incident-readiness question: can the SOC quickly prove whether a link click became execution on Linux, macOS, or Windows systems associated with ATT&CK technique T1204.001? Leaders should ask whether email/web security, endpoint telemetry, network monitoring, and IR workflows provide enough evidence to triage social-engineering-driven execution without relying on a single control or alert.

Technical view

The supplied ATT&CK object has no official description or detection text, so validation should be relationship-driven against T1204.001 Malicious Link under the execution tactic. Detection engineering should test correlation across the sequence implied by the strategy name: click or browser launch, suspicious egress, download or file write, and follow-on execution or activity. SOC and IR teams should confirm whether these events can be tied by user, host, process lineage, timestamp, destination, and downloaded artifact across Linux, macOS, and Windows where those platforms are in scope for the related technique.

Likely telemetry

  • Web proxy, secure web gateway, DNS, or network egress logs showing link destinations and suspicious outbound activity
  • Endpoint process creation and parent-child process telemetry from browsers, document readers, shells, or downloaded content handlers
  • File creation, download, and write events on endpoints
  • Email or messaging security logs when the malicious link originates from spearphishing-like delivery context
  • Authentication and user/session context to associate the click and follow-on behavior with an accountable identity

Detection direction

  • Validate multi-event correlation rather than relying only on URL reputation or a single endpoint alert.
  • Tune for the full chain implied by DET0066: user click, suspicious egress, download/write, then follow-on activity.
  • Check blind spots where browser telemetry, proxy logs, DNS logs, or endpoint file/process events are missing or not joined by user and host context.
  • Account for false positives from legitimate software downloads, browser updates, collaboration tools, and user-initiated file transfers by requiring follow-on suspicious execution or unusual destination context.
  • Use the relationship to T1204.001 to keep the analytic scoped to user-enabled execution from malicious links, not all web browsing or all downloads.
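As an added illustration of the multi-event correlation this section calls for (not code from the page, Glexia, or MITRE), the following script joins constructed proxy, file-write, and process-creation events by host and user and only reports a chain when suspicious egress is followed within a window by a browser-written file and then a browser-spawned process. The browser names, proxy categories, and ten-minute window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the page): process names treated as click origins, and
# proxy categories treated as routine egress that should not start a chain on its own.
CLICK_ORIGINS = {"firefox", "chrome", "msedge", "safari"}
ROUTINE_CATEGORIES = {"software-updates", "collaboration"}
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry, normalised to one dict per event.
EVENTS = [
    # wks1 / alice: uncategorised egress, browser writes a file, browser spawns a shell
    {"ts": "2024-05-01T10:00:00", "src": "proxy", "host": "wks1", "user": "alice",
     "dest": "files.cdn-example.test", "category": "uncategorized"},
    {"ts": "2024-05-01T10:00:04", "src": "file", "host": "wks1", "user": "alice",
     "path": "/home/alice/Downloads/invoice.html", "writer": "firefox"},
    {"ts": "2024-05-01T10:00:31", "src": "process", "host": "wks1", "user": "alice",
     "parent": "firefox", "image": "bash"},
    # wks2 / bob: routine update download, file written, no follow-on execution
    {"ts": "2024-05-01T10:05:00", "src": "proxy", "host": "wks2", "user": "bob",
     "dest": "updates.vendor-example.test", "category": "software-updates"},
    {"ts": "2024-05-01T10:05:02", "src": "file", "host": "wks2", "user": "bob",
     "path": "/tmp/update.pkg", "writer": "chrome"},
    # wks3 / carol: suspicious egress only, nothing written or launched afterwards
    {"ts": "2024-05-01T10:07:00", "src": "proxy", "host": "wks3", "user": "carol",
     "dest": "landing.example-phish.test", "category": "uncategorized"},
]

def correlate(events, window=WINDOW):
    """Return one chain per (host, user) where suspicious egress is followed, within
    `window`, by a browser-written file and then a browser-spawned process."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["user"])].append(dict(e, t=datetime.fromisoformat(e["ts"])))
    chains = []
    for (host, user), evs in by_key.items():
        evs.sort(key=lambda e: e["t"])
        for eg in (e for e in evs if e["src"] == "proxy" and e["category"] not in ROUTINE_CATEGORIES):
            deadline = eg["t"] + window
            writes = [w for w in evs if w["src"] == "file" and w["writer"] in CLICK_ORIGINS
                      and eg["t"] <= w["t"] <= deadline]
            for w in writes:
                execs = [p for p in evs if p["src"] == "process" and p["parent"] in CLICK_ORIGINS
                         and w["t"] <= p["t"] <= deadline]
                if execs:
                    chains.append({"host": host, "user": user, "dest": eg["dest"],
                                   "written": w["path"], "spawned": execs[0]["image"]})
                    break  # one alert per egress event is enough for triage
    return chains
```

Running `correlate(EVENTS)` yields a single chain for alice on wks1; bob's update download and carol's lone egress produce nothing, which is the false-positive behaviour the list above asks for.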

Mitigation priorities

  • Strengthen user-facing preventive controls for malicious links, including web and email filtering where applicable.
  • Ensure endpoint monitoring captures process creation, file writes, and download-related activity on the platforms in scope for the related technique: Linux, macOS, and Windows.
  • Improve identity and asset context so suspicious link activity can be mapped to users, hosts, and business criticality during triage.
  • Prepare IR playbooks for link-click investigations that preserve URL, network, file, and process evidence before containment decisions.
  • Use compliance and audit evidence to show that security monitoring can reconstruct user-driven execution paths, not merely block known bad URLs.

Analyst notes and limits

This take is based on the detection strategy name, external reference DET0066, and its relationship to ATT&CK technique T1204.001 Malicious Link. Because the official detection and description fields are not provided, the recommended direction focuses on defensible validation of the named behavioral chain and the related technique context.

The object does not specify platforms, tactics, official detection logic, data sources, analytic thresholds, or mitigations. Platform and tactic references come only from the related T1204.001 technique. Local environment evidence is required to determine actual coverage, tuning, priority, and control gaps.

Official MITRE ATT&CK definition

User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity)

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name            Relationship / procedure
Enterprise  T1204.001  Malicious Link  Sub-technique. This object detects Malicious Link.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 03c83f15661c0dd3...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  03c83f15661c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0066

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.