T1189 Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.

Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting
  • Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
  • Malicious ads are paid for and served through legitimate ad providers (i.e., Malvertising)
  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).
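The second delivery route above (a script the site loads from third-party storage that an adversary can rewrite) is what Subresource Integrity exists to stop: the page pins a hash of each external script and the browser refuses to run a body that no longer matches. The following Python is an added example, not code from the original page or from MITRE; the sample HTML and the hostnames in it are constructed for illustration. It inventories the scripts a page loads, flags cross-origin scripts that carry no `integrity` attribute, and shows how the pinned value is computed and re-checked.

```python
"""Added example (not from the original page): inventory the external
scripts an HTML page loads and flag any cross-origin script that lacks a
Subresource Integrity (SRI) attribute. SRI is the control that stops a
script silently modified at its origin (a writable storage bucket, a
compromised CDN) from executing, because the browser refuses a body whose
hash no longer matches the integrity value pinned in the page."""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for illustration. Hosts and paths are made up.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://example-bucket.storage.example.net/vendor.js"></script>
<script src="https://cdn.example.org/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
</head><body>ok</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Compute the value to put in integrity="..." for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def matches_sri(content: bytes, integrity: str) -> bool:
    """Re-check a fetched body against a single pinned integrity value, as
    the browser does before executing the script (a real attribute may list
    several space-separated hashes; this check handles one)."""
    algo, _, _expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)


def audit_scripts(html: str, page_host: str) -> list:
    """Return the cross-origin script URLs on the page that have no SRI."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).netloc
        # Same-origin scripts (relative src or same host) are covered by the
        # site's own deployment controls; SRI matters for third-party hosts.
        if host and host != page_host and not integrity:
            findings.append(src)
    return findings


if __name__ == "__main__":
    for url in audit_scripts(SAMPLE_HTML, "www.example.com"):
        print("no SRI on cross-origin script:", url)
    print("integrity for a local copy:", sri_hash(b"console.log('vendor');"))
```

Run against a site's own templates, `audit_scripts` gives the list of third-party scripts that would execute unchanged if their origin were tampered with; adding the `sri_hash` value of a reviewed copy to each of those tags closes that route, at the cost that the script's legitimate updates now need a matching page change.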

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)

Typical drive-by compromise process:

  1. A user visits a website that is used to host the adversary controlled content.
  2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
  3. Upon finding a vulnerable version, exploit code is delivered to the browser.
  4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
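The sequence above leaves a recognisable shape in web-proxy logs: a page load, then a script fetched from a host other than the page's own with the page as referer (the fingerprinting stage), then a binary fetched from that script's host a few seconds later (the exploit or payload stage). The Python below is an added example, not code from the original page, that looks for that chain per client; the log lines, field layout and hostnames are constructed for illustration and are not a real proxy format.

```python
"""Added example (not from the original page): look for the drive-by chain
described above in web-proxy logs. For each client we look for a page load
(text/html), then a script fetched from a different host with that page as
referer (the fingerprinting stage), then a binary payload fetched from the
script's host shortly afterwards (the exploit/payload stage). The log lines
below are constructed for illustration; the field layout and hosts are
assumptions, not a real proxy format."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: time client method url status content-type referer
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 GET https://news.example.com/story.html 200 text/html -
2024-05-01T10:00:01Z 10.0.0.5 GET https://news.example.com/app.js 200 application/javascript https://news.example.com/story.html
2024-05-01T10:00:02Z 10.0.0.5 GET https://stat-cdn.example.net/fp.js 200 application/javascript https://news.example.com/story.html
2024-05-01T10:00:04Z 10.0.0.5 GET https://stat-cdn.example.net/gate.php?v=12 200 application/octet-stream https://stat-cdn.example.net/fp.js
2024-05-01T10:05:00Z 10.0.0.7 GET https://news.example.com/story.html 200 text/html -
2024-05-01T10:05:01Z 10.0.0.7 GET https://news.example.com/app.js 200 application/javascript https://news.example.com/story.html
"""

SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-dosexec", "application/java-archive"}


@dataclass
class Event:
    time: datetime
    client: str
    url: str
    ctype: str
    referer: str


def parse_line(line: str) -> Event:
    ts, client, _method, url, _status, ctype, referer = line.split(maxsplit=6)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url,
                 ctype.split(";")[0], referer)


def host(url: str) -> str:
    return urlparse(url).netloc.lower()


def detect_driveby_chains(log_text: str, window: timedelta = timedelta(seconds=30)) -> list:
    """Return one alert per (landing page, third-party script, payload) chain."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_client[ev.client].append(ev)
    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e.time)
        for i, page in enumerate(events):
            if not page.ctype.startswith("text/html"):
                continue
            landing = host(page.url)
            for j in range(i + 1, len(events)):
                script = events[j]
                if script.time - page.time > window:
                    break
                # Stage 2: third-party script loaded with the landing page as referer
                if (script.ctype not in SCRIPT_TYPES or host(script.url) == landing
                        or host(script.referer) != landing):
                    continue
                # Stage 3/4: binary fetched from the script's host right after it ran
                for payload in events[j + 1:]:
                    if payload.time - script.time > window:
                        break
                    if payload.ctype in PAYLOAD_TYPES and host(payload.referer) == host(script.url):
                        alerts.append({"client": client, "landing": page.url,
                                       "script": script.url, "payload": payload.url})
    return alerts


if __name__ == "__main__":
    for alert in detect_driveby_chains(SAMPLE_LOG):
        print(alert)
```

The referer checks are what keep this from firing on every third-party analytics script: the payload must come back from the same host that served the script, which is how a redirector-plus-exploit-page chain looks from the proxy. Tuning the window and the content-type sets to the local environment is expected; the second client in the sample, which loads only a first-party script, produces no alert.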

Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

DE.AE-02.01 | Event analysis and detection | Mitigates | T1189 | Drive-by Compromise
Comments: This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.

PR.PS-02.01 | Patch identification and application | Mitigates | T1189 | Drive-by Compromise
Comments: This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, ensure all browsers and plugins are kept updated to help prevent the exploit phase of Drive-by Compromise.

PR.PS-05.02 | Mobile code prevention | Mitigates | T1189 | Drive-by Compromise
Comments: Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

DE.CM-01.05 | Website and service blocking | Mitigates | T1189 | Drive-by Compromise
Comments: This diagnostic statement helps mitigate drive-by compromise through the implementation of tools and measures such as adblockers to prevent and block malicious code execution and script blocking extensions to block execution of scripts.

PR.PS-01.09 | Virtualized end point protection | Mitigates | T1189 | Drive-by Compromise
Comments: The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. For Drive-by Compromise, browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. Other types of virtualization and application micro-segmentation may also mitigate the impact of client-side exploitation from the virtualized machine.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1189 | Drive-by Compromise
CM-06 | Configuration Settings | mitigates | T1189 | Drive-by Compromise
SA-22 | Unsupported System Components | mitigates | T1189 | Drive-by Compromise
SC-29 | Heterogeneity | mitigates | T1189 | Drive-by Compromise
SC-30 | Concealment and Misdirection | mitigates | T1189 | Drive-by Compromise
SC-18 | Mobile Code | mitigates | T1189 | Drive-by Compromise
SC-02 | Separation of System and User Functionality | mitigates | T1189 | Drive-by Compromise
SC-03 | Security Function Isolation | mitigates | T1189 | Drive-by Compromise
SC-39 | Process Isolation | mitigates | T1189 | Drive-by Compromise
SI-02 | Flaw Remediation | mitigates | T1189 | Drive-by Compromise
CM-08 | System Component Inventory | mitigates | T1189 | Drive-by Compromise
SI-03 | Malicious Code Protection | mitigates | T1189 | Drive-by Compromise
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1189 | Drive-by Compromise
CM-02 | Baseline Configuration | mitigates | T1189 | Drive-by Compromise
SI-04 | System Monitoring | mitigates | T1189 | Drive-by Compromise
AC-04 | Information Flow Enforcement | mitigates | T1189 | Drive-by Compromise
AC-06 | Least Privilege | mitigates | T1189 | Drive-by Compromise
SC-07 | Boundary Protection | mitigates | T1189 | Drive-by Compromise

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.malware.vector.Web application - drive-by | Web via auto-executed or "drive-by" infection. Child of 'Web application'. | related-to | T1189 | Drive-by Compromise
action.social.vector.Web application | Web application | related-to | T1189 | Drive-by Compromise

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

devops_security | Microsoft Defender for Cloud: DevOps Security | technique_scores | T1189 | Drive-by Compromise
Comments: This capability can protect against drive-by compromise by ensuring application security is baked into DevOps.

alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1189 | Drive-by Compromise
Comments: This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1189 | Drive-by Compromise
Comments: This capability can detect suspicious script execution over a network.

azure_update_manager | Azure Update Manager | technique_scores | T1189 | Drive-by Compromise
Comments: This control protects against a subset of drive-by methods that leverage unpatched client software, since it enables automated updates of software and rapid configuration change management.

defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1189 | Drive-by Compromise
Comments: This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected into browser or other process memory as part of a drive-by attack. Detection is periodic at an unknown rate.

vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | technique_scores | T1189 | Drive-by Compromise
Comments: Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1189 | Drive-by Compromise
Comments: Chrome Enterprise Premium offers additional protections against compromised websites by including features such as URL filtering, threat detection, and data loss prevention (DLP) controls.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

amazon_guardduty | Amazon GuardDuty | technique_scores | T1189 | Drive-by Compromise

amazon_inspector | Amazon Inspector | technique_scores | T1189 | Drive-by Compromise
Comments: Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess the security controls "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)", which make it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.

aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1189 | Drive-by Compromise
Comments: AWS WAF protects against drive-by compromises by blocking malicious traffic that contains cross-site scripting patterns using the AWSManagedRulesCommonRuleSet rule set. This is scored as Significant because the rule set is broadly applicable to web applications and blocks the malicious traffic in near real-time.

M365 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1189 | Drive-by Compromise

DEF-SSCO-E3 | Secure Score | Technique Scores | T1189 | Drive-by Compromise
Comments: Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles); Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices); Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps); Data (through Microsoft Information Protection).

DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1189 | Drive-by Compromise
Comments: Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help. AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: soft delete email messages or clusters, block URL (time-of-click), turn off external mail forwarding, turn off delegation, etc. Required licenses: E5 or Microsoft Defender for Office 365 Plan 2.

DEF-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1189 | Drive-by Compromise
Comments: Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across devices managed by Microsoft Defender for Endpoint, emails processed by Microsoft 365, cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch. Advanced Threat Hunting detects Drive-by Compromise attacks through the UrlClickEvents table in the advanced hunting schema, which contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps and can be used to inspect URLs for potentially known-bad domains or parameters. License Requirements: Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 Plan 2.

DEF-SIMT-E5 | Attack Simulation Training | Technique Scores | T1189 | Drive-by Compromise
Comments: M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves an organization's security posture by continuously conducting attack simulations that fine-tune analytics, and by providing hands-on training for users and cyber professionals to improve response capabilities. The following social engineering techniques are available. Credential Harvest: attempts to collect credentials by taking users to a well-known-looking website with input boxes to submit a username and password. Malware Attachment: adds a malicious attachment to a message; when the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device. Link in Attachment: a type of credential harvest hybrid; an attacker inserts a URL into an email attachment, and the URL within the attachment follows the same technique as credential harvest. Link to Malware: runs some arbitrary code from a file hosted on a well-known file sharing service; the message sent to the user contains a link to this malicious file, and opening the file helps the attacker compromise the target's device. Drive-by URL: the malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. OAuth Consent Grant: the malicious URL asks users to grant permissions to data for a malicious Azure application. License Requirements: Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
DEF-PSP-E3 | Preset Security Policies | Technique Scores | T1189 | Drive-by Compromise
Comments: M365 preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. Preset Security Policies detect Drive-by Compromise attacks because all recipients in the organization receive Safe Links and Safe Attachments through the Built-in protection profile by default. Safe Links checks URLs immediately before the website is opened. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine whether certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page will open. License Requirements: Microsoft Defender for Office 365 Plan 1 and Plan 2, Microsoft Defender XDR.

DEF-THEX-E5 | Threat Explorer | Technique Scores | T1189 | Drive-by Compromise
Comments: Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can see malware detected by Microsoft 365 security features, view phishing URL and click verdict data, start an automated investigation and response process from a view in Explorer, investigate malicious email, and more. Threat Explorer detects Drive-by Compromise attacks through its dashboard, which captures phishing attempts and lets the user view them, including a list of URLs that were allowed, blocked, and overridden. When an organization blocks URLs for its users, it prevents users from visiting a website used to host adversary-controlled content. License Requirements: Microsoft Defender for Office 365 Plan 1 and Plan 2, Microsoft Defender XDR.

DEF-TPSR-E3 | Threat Protection Status Report | Technique Scores | T1189 | Drive-by Compromise
Comments: The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content, for example: files or website addresses (URLs) that were blocked by the anti-malware engine; files or messages affected by zero-hour auto purge (ZAP); and files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies. The Threat Protection Status Report detects Drive-by Compromise attacks by capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies. When an organization filters URLs for its users, it prevents users from visiting a website used to host adversary-controlled content. License Requirements: Exchange Online Protection, Microsoft Defender for Office 365 Plan 1 and Plan 2, Microsoft Defender XDR.