Capturing the Click: Process-Based Detection of Malicious Link Interactions
Web links remain one of the most reliably abused vectors in phishing attacks. However, defenders continue to depend on network-based monitoring and post-execution detection that activate only after an account has been compromised.
This research validates the browser command-line flags used by Chrome, Edge, and Firefox as parameters in process-creation events, capturing both the clicked URL and the parent application, document, or script that delivered it. A link interaction consisting of 84 test cases across a variety of enterprise applications, file formats, scripting file types, and terminal environments on Windows 11 demonstrates that process creation monitoring captures browser-invocation behavior with high fidelity across the majority of tested launcher categories, while providing delivery-vector context unavailable in network telemetry.
A detection framework built on the ELK stack enriches each captured URL against four external threat intelligence services and applies process-chain contextual scoring to produce a risk verdict. Validated against Evilginx adversary-in-the-middle simulations, live malicious domains, and a 200-domain benign baseline, the results confirm that process-layer telemetry can identify not only that a malicious link was invoked, but precisely how it was delivered.
SANS-Capturing-Click-Process-Based-Detection-Malicious-Link-Interactions-062226 (PDF, 1.39MB)
22 Jun 2026Related Content
Detection Strategies for AskCreds Beacon Object File Credential Harvesting Across Multiple C2 Frameworks
Research PaperThis study evaluates layered detection strategies against AskCreds BOF execution in an isolated Azure lab using Cobalt Strike 4.12 and Outflank C2 v2.11.1, with Velociraptor as the primary DFIR platform.
- 22 Jun 2026
- Eric Fletcher
Know Your Blind Spots: Better Visibility Through EDR Policy Hardening
Research PaperEndpoint Detection and Response (EDR) tools identify, detect, and respond to anomalous behavior.
- 9 Jun 2026
- Joshuah Williams
Applying CIS Controls to AI Workflows
Research PaperThis research provides guidance on using the CIS Controls in conjunction with AI-specific frameworks to build a robust information security program.
- 12 May 2026
- Brian Ventura
A Forensic Study of Artifact Persistence in Containerd-Based Kubernetes Workloads
Research PaperA container is a standard unit of software that packages code, including its dependencies, so the application runs quickly and reliably across computing environments.
- 12 May 2026
- Ahmed Alharbi
Implementing Micro-Segmentation in a Legacy Enterprise Lab Network: A Zero Trust Approach to Reducing Lateral Movement, Improving Containment, and Controlling Operational Overhead
Research PaperThis study evaluates micro-segmentation as a practical Zero Trust control in a Windows Active Directory lab that models common legacy dependencies (directory services, file services, a web tier, and a database tier).
- 24 Mar 2026
- Dennis Ankrah
Assessing the Impact of Memory Acquisition on Key Windows Artifacts
Research PaperThis research evaluates the impact of memory capture tools on data at rest, aiming to understand the degree of change that occurs to artifacts, measure differences based on tool selection, and inform best practices for live responders.
- 20 Mar 2026
- Russell Devine
From Ambiguity to Action: A Forensic Framework for Differentiating ClickFix Payloads
Research PaperThe "ClickFix" social engineering technique, which leverages fake CAPTCHA or browser update lures to trick users into executing a malicious PowerShell script, presents a critical challenge for incident responders.
- 24 Feb 2026
- James Chisolm-Williams
Measuring Malware Obfuscation: Evaluating CNN- Based Detection for Real-World Resilience
Research PaperThis study examined how layered obfuscation affects image-based convolutional neural network (CNN) detectors and introduces a novel, reproducible framework for measuring obfuscation itself.
- 19 Nov 2025
- Michael Reglein
Scrutinizing A Web-Based LLM in Private Browsing Mode: An Analysis of Memory Artifacts and Privacy Implications
Research PaperUsing web-based LLMs such as ChatGPT has changed the web browsing landscape to become part of the typical everyday experience.
- 7 Nov 2025
- Chris Kosmas
Adversary-Aware IOC Retention: Analyzing Time-to-Live Patterns by Threat Actor Attribution
Research PaperAfter analyzing hundreds of IOCs across three unique Advanced Persistent Threats (APTs) from disparate regions, it can be confirmed that not only do threat actors cycle their IOCs at different rates, but those rates can be tracked. This paper introduces an enhanced decay model incorporating a threat actor variable that accounts for these differences in sophistication and hygiene.
- 23 Oct 2025
- Nathaniel Jakusz
Breaking Time: Methods, Artifacts, and Forensic Detection of Timestomping on FAT32, Ext3, and Ext4 File Systems
Research PaperThis paper explores the diverse methods used to timestomp files on FAT, Ext3, and Ext4 file systems, focusing on how adversaries adapt their approaches based on available system access and permissions.
- 23 Oct 2025
- Allan Kroll
Breaking Through Deception: Addressing Barriers in the Adoption of Cyber Deception Technologies
Research PaperDespite the increasing sophistication of cyber threats and the need for organizations to employ innovative defense strategies, cyber deception technologies, tools designed to mislead attackers and gain a defensive advantage, remain significantly underutilized across organizational cybersecurity programs.
- 23 Oct 2025
- Dakota Campbell
Forensic Investigation of Bluetooth-Based Credit Card Skimmers
Research PaperHidden Bluetooth Low Energy (BLE) credit skimmers are a growing threat to credit card fraud. Criminals can set up practical and inexpensive systems built on top of modules, such as the HM-19, to collect and transmit stolen data covertly across wireless channels.
- 3 Sep 2025
- John Passaro
Beneath the Mask: Can Contribution Data Unveil Malicious Personas in Open-Source Projects?
Research PaperIn February 2024, after building trust over two years with project maintainers by making a significant volume of legitimate contributions, GitHub user "JiaT75" self-merged a version of the XZ Utils project containing a highly sophisticated well-disguised backdoor targeting sshd processes running on systems with the backdoored package installed.
- 13 May 2025
- SANS Institute
Catching the Hand in the Cookie Jar: Canary Session Cookies
Research PaperThis project demonstrates how even applications secured with MFA are still vulnerable to hijacked session cookies. Given the persistent threats posed to organizations by stolen authentication cookies, this research proposes implementing Canary session cookies to detect the theft and malicious use of credentials.
- 17 Apr 2025
- Caleb Patten
A Pebble In the Ocean: Maximizing Log Fidelity In Container Environments
Research PaperLog fidelity is crucial for Incident Response Teams to investigate and contain cyber incidents but can be difficult to optimize in containerized environments.
- 17 Apr 2025
- Zach Salva
Beyond Detection: Using Real Phishing Data to Gauge Security Training Program Success
Research PaperThis paper defines one method of network security monitoring in an organization to find these existing indicators.
- 7 Jan 2025
- Cory Keller
Hunting the Hound of Hades: Kerberos Delegation Attacks, Detections and Defenses
Research PaperWhen misconfigured, Kerberos delegation in an Active Directory environment can lead to complete domain compromise.
- 23 Dec 2024
- Ben Boyle
Rapid Incident Response on macOS: Actionable Insights in Under an Hour
Research PaperThe increasing use of macOS in enterprises requires fast, effective incident response (IR)...
- 5 Dec 2024
- Douglas Hitchen
Cheap Malware Calls for Cheap Defense: Shellcode and Defense Tools on an SMB Security Budget
Research PaperThis research will examine the varieties of free and open-source tooling available for...
- 16 Aug 2024
- Bryan Buckman
