1. Home
  2. ATT&CK Techniques
  3. T1189 Drive-by Compromise

T1189 Drive-by Compromise Mappings

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.

Multiple ways of delivering exploit code to a browser exist, including:

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
  • Malicious ads are paid for and served through legitimate ad providers.
  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)

Typical drive-by compromise process:

  1. A user visits a website that is used to host the adversary controlled content.
  2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
  3. Upon finding a vulnerable version, exploit code is delivered to the browser.
  4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-4 Information Flow Enforcement Protects T1189 Drive-by Compromise
AC-6 Least Privilege Protects T1189 Drive-by Compromise
CA-7 Continuous Monitoring Protects T1189 Drive-by Compromise
CM-2 Baseline Configuration Protects T1189 Drive-by Compromise
CM-6 Configuration Settings Protects T1189 Drive-by Compromise
CM-8 System Component Inventory Protects T1189 Drive-by Compromise
SA-22 Unsupported System Components Protects T1189 Drive-by Compromise
SC-18 Mobile Code Protects T1189 Drive-by Compromise
SC-2 Separation of System and User Functionality Protects T1189 Drive-by Compromise
SC-29 Heterogeneity Protects T1189 Drive-by Compromise
SC-3 Security Function Isolation Protects T1189 Drive-by Compromise
SC-30 Concealment and Misdirection Protects T1189 Drive-by Compromise
SC-39 Process Isolation Protects T1189 Drive-by Compromise
SC-7 Boundary Protection Protects T1189 Drive-by Compromise
SI-2 Flaw Remediation Protects T1189 Drive-by Compromise
SI-3 Malicious Code Protection Protects T1189 Drive-by Compromise
SI-4 System Monitoring Protects T1189 Drive-by Compromise
SI-7 Software, Firmware, and Information Integrity Protects T1189 Drive-by Compromise
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1189 Drive-by Compromise
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows
azure_automation_update_management Azure Automation Update Management technique_scores T1189 Drive-by Compromise
Comments
This control protects against a subset of drive-by methods that leverage unpatched client software since it enables automated updates of software and rapid configuration change management
References
  1. https://docs.microsoft.com/en-us/azure/automation/update-management/overview
azure_defender_for_app_service Azure Defender for App Service technique_scores T1189 Drive-by Compromise
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected into browser or other process memory as part of a drive-by attack. Detection is periodic at an unknown rate.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
  2. https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction
  3. https://azure.microsoft.com/en-us/services/app-service/
  4. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
cloud_app_security_policies Cloud App Security Policies technique_scores T1189 Drive-by Compromise
Comments
This control can detect outdated client browser software, which is a common target of exploitation in drive-by compromises.
References
  1. https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery
  2. https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection
  3. https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys technique_scores T1189 Drive-by Compromise
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm
  2. https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm