Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.
Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:
Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)
Typical drive-by compromise process:
Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.
Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-vt | Intel Virtualization Technology | Win 11, HWESP | T1189 | Drive-by Compromise |
Comments
HW Enforced stack protection (HWESP) relies on Virtualization Based Security (VBS) which use Intel PTT, Intel VT-x, Intel VT-d and Intel BootGuard to ensure the OS components loaded are not tampered with and isolate security sensitive processes. Additionally, it uses Intel Control Flow Enforcement Technology (Intel CET) to allow hardware to ensure that sensitive areas in the regions of memory (such as the stack) for processes are not tampered with by either injecting code or changing the control flow of the code or both.
HWESP includes four components Code Integrity Guard, Arbitrary Code Guard, Control Flow Guard and Shadow Stack protections.
Code Integrity Guard attempts to prevent "... arbitrary code generation by enforcing signature requirements for loading binaries".
Arbitrary Code Guard attempts to ensure "... signed pages are immutable and dynamic code cannot be generated ...".
Control Flow Guard ensures control flow integrity by enforcing "... integrity on indirect calls (forward-edge CFI)."
Shadow Stack ensures control flow integrity by enforcing "... integrity on return addresses on the stack (backward-edge CFI)."
Together these features aim to ensure integrity of binary images run on Windows 11 and prevent dynamic code from running or changing the control flow of the code. Since these features offer real-time protection for sensitive regions of memory, these are marked as offering significant protection.
References
|
| intel-pt | Intel Process Trace | Crowdstrike HEED | T1189 | Drive-by Compromise |
Comments
CrowdStrike Falcon Hardware Enhanced Exploit Detection (HEED) is an advanced security feature that integrates Intel Processor Trace (Intel PT) technology to provide enhanced visibility into sophisticated attack techniques, including real-time detection of drive-by compromise exploits. These attacks typically involve adversaries exploiting vulnerabilities in web browsers or third-party applications to automatically execute malicious code when a user visits a compromised website, allowing attackers to manipulate system behavior and gain unauthorized access.
Intel PT offers deep insights into program execution at the hardware level, capturing critical telemetry such as control flow, memory access, and instruction execution in real time. This telemetry helps security teams detect abnormal behaviors, such as suspicious code execution flows or unexpected interactions triggered by malicious websites. By monitoring these low-level activities, HEED makes it easier to identify exploitation attempts often used in drive-by compromises to deploy malware or hijack legitimate processes.
By combining Intel PT’s granular telemetry with advanced detection algorithms, HEED provides a powerful defense against evasive drive-by compromise attacks that may bypass traditional security measures. This proactive approach enables organizations to quickly identify and mitigate exploits delivered through compromised websites, strengthening the protection of critical systems and reducing the risk of compromise from advanced, targeted cyber threats.
References
|