Initial Access

T1189: Drive-by Compromise

T1189 · Technique · 4 platforms · 31 groups

Description

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

- A legitimate website is compromised, allowing adversaries to inject malicious code
- Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
- Malicious ads are paid for and served through legitimate ad providers (i.e., Malvertising)
- Built-in web application interfaces that allow user-controllable content are leveraged for the insertion of malicious scripts or iFrames (e.g., cross-site scripting)
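The second delivery path above (a third-party script modified at its hosting location) is the case Subresource Integrity was designed to stop: the embedding page pins a hash of the script, and the browser refuses to run a fetched copy whose digest differs. The following is an added illustration, not part of the ATT&CK technique text or of any listed mitigation; the script bodies and the URL are constructed samples.

```python
import base64
import hashlib
import hmac

# Constructed sample: the script body the site operator pinned when embedding it.
ORIGINAL_SCRIPT = b"window.analytics = function (e) { console.log('event', e); };\n"
# Constructed sample: the same file after someone with write access to the
# hosting bucket appended extra code.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* appended */ document.body.appendChild(document.createElement('iframe'));\n"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only digests SRI accepts


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value, e.g. 'sha384-<base64 digest>', for a script body."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI permits only {SRI_ALGORITHMS}, got {algo!r}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algo: str = "sha384") -> str:
    """Build the <script> tag the site operator publishes, pinning the body's hash.

    crossorigin="anonymous" is required for the browser to enforce SRI on a
    script served from another origin (a CDN or storage bucket).
    """
    return f'<script src="{src}" integrity="{sri_hash(body, algo)}" crossorigin="anonymous"></script>'


def verify_sri(body: bytes, integrity: str) -> bool:
    """Emulate the browser-side check: the fetched body must match at least one
    of the space-separated hashes in the integrity attribute. A False result
    means the browser would refuse to execute the script."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo not in SRI_ALGORITHMS:
            continue  # unknown algorithm tokens are ignored, as browsers do
        if hmac.compare_digest(sri_hash(body, algo), token):
            return True
    return False


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/static/analytics.js", ORIGINAL_SCRIPT)
    pinned = tag.split('integrity="')[1].split('"')[0]
    print(tag)
    print("original verifies:", verify_sri(ORIGINAL_SCRIPT, pinned))   # True
    print("tampered verifies:", verify_sri(TAMPERED_SCRIPT, pinned))   # False
```

The same pin also fails if the file is changed for legitimate reasons, so operators must regenerate the tag whenever they intentionally update a pinned script.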

Browser push notifications may also be abused by adversaries and leveraged for malicious code injection via User Execution. By clicking "allow" on browser push notifications, users may be granting a website permission to run JavaScript code on their browser.(Citation: Push notifications - viruspositive)(Citation: push notification -mcafee)(Citation: push notifications - malwarebytes)

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or a particular region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)

Typical drive-by compromise process:

1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. The user may be required to assist in this process by enabling scripting, notifications, or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, the adversary will gain code execution on the user's system unless other protections are in place. In some cases, a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Platforms

Identity Provider, Linux, macOS, Windows

Mitigations (5)

M1050: Exploit Protection

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior.(Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.(Citation: Wikipedia Contr

M1051: Update Software

Ensuring that all browsers and plugins are kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.(Citation: Browser-updates)

M1048: Application Isolation and Sandboxing

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.(Citation: Windows Blogs Microsoft Edge Sandbox)(Citation: Ars Technica Pwn2Own 2017 VM Escape)

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation m

M1021: Restrict Web-Based Content

Adblockers can help prevent malicious code served through ads from executing in the first place. Script blocking extensions can also help to prevent the execution of JavaScript.

Consider disabling browser push notifications from certain applications and browsers.(Citation: mac security virus popup)(Citation: push notifications -infosecinstitute)(Citation: site notifications - krebsonsecurity)

M1017: User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Threat Groups (31)

| ID | Group | Context |
|---|---|---|
| G0134 | Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has used websites with malicious hyperlinks and iframes to infect targeted victims with [Cr... |
| G0048 | RTM | [RTM](https://attack.mitre.org/groups/G0048) has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network <... |
| G0068 | PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has sometimes used drive-by attacks against vulnerable browser plugins.(Citation: Microsoft PLATINUM... |
| G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used compromised websites to register custom URL schemes on a remote system.(Citation: objectiv... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has performed watering hole attacks.(Citation: TrendMicro EarthLusca 2022) |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has conducted watering holes schemes to gain initial access to victims.(Citation: FireEye APT38 Oct 201... |
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has used watering hole attacks to gain access.(Citation: Cisco Group 72) |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) performed a watering hole attack on forbes.com in 2014 to compromise targets.(Citation: Unit 42 C0d0so0... |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) used embedded iframes on hotel login portals to redirect selected victims to download malware.(Cita... |
| G0138 | Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has used watering hole attacks, often with zero-day exploits, to gain initial access to victims with... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has compromised targets via strategic web compromise utilizing custom exploit kits.(Citation: Securewor... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.(Citation... |
| G0070 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) leveraged a watering hole to serve up malicious code.(Citation: Lookout Dark Caracal Jan 2018) |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has infected victims using watering holes.(Citation: ESET ComRAT May 2020)(Citation: Secureworks IRON H... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has used watering holes to deliver files with exploits to initial victims.(Citation: Symantec Patch... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has infected victims using watering holes.(Citation: CISA AA21-200A APT40 July 2021) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has infected victims by tricking them into visiting compromised watering hole websites.(Citation: ESET ... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) compromised three Japanese websites using a Flash exploit to perform watering hole attacks.(Cit... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) delivered [RATANKBA](https://attack.mitre.org/software/S0241) and other malicious code to victi... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has extensively used strategic web compromises to target victims.(Citation: Dell TG-3390)(C... |

Associated Software (10)

| ID | Name | Type | Context |
|---|---|---|---|
| S0215 | KARAE | Malware | [KARAE](https://attack.mitre.org/software/S0215) was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video ... |
| S0483 | IcedID | Malware | [IcedID](https://attack.mitre.org/software/S0483) has cloned legitimate websites/applications to distribute the malware.(Citation: Trendmicro_IcedID) |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) has been spread through malicious advertisements on websites.(Citation: MacKeeper Bundlore Apr 201... |
| S0606 | Bad Rabbit | Malware | [Bad Rabbit](https://attack.mitre.org/software/S0606) spread through watering holes on popular sites by injecting JavaScript into the HTML body or a <... |
| S0451 | LoudMiner | Malware | [LoudMiner](https://attack.mitre.org/software/S0451) is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS... |
| S1124 | SocGholish | Malware | [SocGholish](https://attack.mitre.org/software/S1124) has been distributed through compromised websites with malicious content often masquerading as b... |
| S0496 | REvil | Malware | [REvil](https://attack.mitre.org/software/S0496) has infected victim machines through compromised websites and exploit kits.(Citation: Secureworks REv... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) has used compromised websites and Google Ads to bait victims into downloading its installer.(Ci... |
| S1086 | Snip3 | Malware | [Snip3](https://attack.mitre.org/software/S1086) has been delivered to targets via downloads from malicious domains.(Citation: Telefonica Snip3 Decemb... |
| S0216 | POORAIM | Malware | [POORAIM](https://attack.mitre.org/software/S0216) has been delivered through compromised sites acting as watering holes.(Citation: FireEye APT37 Feb ... |

Frequently Asked Questions

What is T1189 (Drive-by Compromise)?

T1189 is a MITRE ATT&CK technique named 'Drive-by Compromise'. It belongs to the Initial Access tactic. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target).

How can T1189 be detected?

Detection of T1189 (Drive-by Compromise) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1189?

There are 5 documented mitigations for T1189. Key mitigations include: Exploit Protection, Update Software, Application Isolation and Sandboxing, Restrict Web-Based Content, User Training.

Which threat groups use T1189?

Known threat groups using T1189 include: Transparent Tribe, RTM, PLATINUM, Windshift, Earth Lusca, APT38, Axiom, APT19.