T1189 Drive-by Compromise Mappings

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an Application Access Token.

Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting
  • Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
  • Malicious ads are paid for and served through legitimate ad providers (i.e., Malvertising)
  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)

Typical drive-by compromise process:

  1. A user visits a website that hosts the adversary-controlled content.
  2. Scripts execute automatically, typically checking the versions of the browser and its plugins for a potentially vulnerable version.
    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
  3. Upon finding a vulnerable version, exploit code is delivered to the browser.
  4. If exploitation is successful, the adversary gains code execution on the user's system unless other protections are in place.
    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)


Intel vPro Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
intel-vt | Intel Virtualization Technology | Win 11, HWESP | T1189 | Drive-by Compromise
Comments: HW Enforced Stack Protection (HWESP) relies on Virtualization Based Security (VBS), which uses Intel PTT, Intel VT-x, Intel VT-d and Intel Boot Guard to ensure that the OS components loaded are not tampered with and to isolate security-sensitive processes. Additionally, it uses Intel Control-Flow Enforcement Technology (Intel CET) so that hardware can ensure that sensitive regions of process memory (such as the stack) are not tampered with, whether by injecting code, by changing the control flow of the code, or both. HWESP includes four components: Code Integrity Guard, Arbitrary Code Guard, Control Flow Guard and Shadow Stack protections. Code Integrity Guard attempts to prevent "... arbitrary code generation by enforcing signature requirements for loading binaries". Arbitrary Code Guard attempts to ensure "... signed pages are immutable and dynamic code cannot be generated ...". Control Flow Guard ensures control flow integrity by enforcing "... integrity on indirect calls (forward-edge CFI)." Shadow Stack ensures control flow integrity by enforcing "... integrity on return addresses on the stack (backward-edge CFI)." Together these features aim to ensure the integrity of binary images run on Windows 11 and to prevent dynamic code from running or changing the control flow of the code. Since these features offer real-time protection for sensitive regions of memory, they are marked as offering significant protection.
intel-pt | Intel Processor Trace | Crowdstrike HEED | T1189 | Drive-by Compromise
Comments: CrowdStrike Falcon Hardware Enhanced Exploit Detection (HEED) is an advanced security feature that integrates Intel Processor Trace (Intel PT) technology to provide enhanced visibility into sophisticated attack techniques, including real-time detection of drive-by compromise exploits. These attacks typically involve adversaries exploiting vulnerabilities in web browsers or third-party applications to automatically execute malicious code when a user visits a compromised website, allowing attackers to manipulate system behavior and gain unauthorized access. Intel PT offers deep insights into program execution at the hardware level, capturing critical telemetry such as control flow, memory access, and instruction execution in real time. This telemetry helps security teams detect abnormal behaviors, such as suspicious code execution flows or unexpected interactions triggered by malicious websites. By monitoring these low-level activities, HEED makes it easier to identify exploitation attempts often used in drive-by compromises to deploy malware or hijack legitimate processes. By combining Intel PT's granular telemetry with advanced detection algorithms, HEED provides a powerful defense against evasive drive-by compromise attacks that may bypass traditional security measures. This proactive approach enables organizations to quickly identify and mitigate exploits delivered through compromised websites, strengthening the protection of critical systems and reducing the risk of compromise from advanced, targeted cyber threats.

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CVE-2015-0313 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This use-after-free vulnerability is exploited in the wild via drive-by download.
CVE-2024-5274 | Google Chromium V8 Type Confusion Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited by hosting malicious content on a website. Adversaries use this to deliver an information-stealing payload within Chrome.
CVE-2016-1019 | Adobe Flash Player Arbitrary Code Execution Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited by taking advantage of a flaw in Adobe Flash Player embedded within browsers. In the wild, threat actors have been seen using a browser-based exploit kit to deliver the exploit via drive-by compromise. After exploitation, adversaries can install their own malware, in particular ransomware.
CVE-2010-0188 | Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited via drive-by download. Malicious software is then downloaded onto the target machine.
CVE-2016-7855 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited by having users visit a malicious website.
CVE-2010-1297 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited via crafted SWF content delivered by drive-by compromise when a user visits a malicious website. It is also exploited via user execution of a maliciously crafted PDF file. In the wild, threat actors have used this to download malicious software onto the target system.
CVE-2012-5054 | Adobe Flash Player Integer Overflow Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability can be exploited by a maliciously crafted webpage via drive-by compromise.
CVE-2014-8439 | Adobe Flash Player Dereferenced Pointer Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
CVE-2015-8651 | Adobe Flash Player Integer Overflow Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited with maliciously crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits whose goal is frequently to load ransomware onto the target machine.
CVE-2015-0310 | Adobe Flash Player ASLR Bypass Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited with maliciously crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits.
CVE-2012-2034 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited by a maliciously crafted .swf file via drive-by compromise.
CVE-2015-3043 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited by a maliciously crafted .swf file which can be run on a user's system via drive-by compromise.
CVE-2024-38112 | Microsoft Windows MSHTML Platform Spoofing Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited through a victim visiting a malicious web page or clicking on an unsafe link. After the victim visits the website or clicks on the link, an adversary gains the ability to execute arbitrary code on the victim system.
CVE-2024-4671 | Google Chromium Visuals Use-After-Free Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: CVE-2024-4671 is a use-after-free vulnerability where an adversary can perform a sandbox escape via a maliciously crafted HTML page.
CVE-2024-4947 | Google Chromium V8 Type Confusion Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: CVE-2024-4947 is a type confusion vulnerability in Chrome's V8 JavaScript engine. Adversaries have been observed exploiting this vulnerability by hosting a web-based game on a site that triggered the vulnerability and executed arbitrary code. Adversaries promoted the game on social media and through emails.
CVE-2023-43770 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This vulnerability is exploited by an adversary via malicious links embedded in trustworthy websites to infiltrate victim systems. Successful exploitation grants the adversary the ability to execute arbitrary code on the impacted system. Exploitation of this vulnerability has been attributed to the Russia-aligned hacking group TAG-70. TAG-70 has used this vulnerability in an espionage campaign targeting European government and military agencies, as well as Iranian embassies in Russia, aiming to gather intelligence on European political and military activities. The campaign, active from early to mid-October 2023, is part of a broader pattern of Russian state-aligned cyber-espionage targeting email services.
CVE-2023-7024 | Google Chromium WebRTC Heap Buffer Overflow Vulnerability | exploitation_technique | T1189 | Drive-by Compromise
Comments: This heap buffer overflow vulnerability is exploited by a remote attacker via a crafted HTML page. It has been leveraged by the NSO Group to achieve remote code execution within a browser's WebRTC component and install the Pegasus spyware on victim endpoints.