Drive-by Compromise - T1189
(ATT&CK® Technique)
Definition
Adversaries may gain access to a system through a user visiting a website in the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an Application Access Token.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;

T1189["Drive-by Compromise"];
ProcessSegment["Process Segment"];
URL["URL"];
OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

class T1189 OffensiveTechniqueNode;
class ProcessSegment ArtifactNode;
class URL ArtifactNode;
class OutboundInternetNetworkTraffic ArtifactNode;

click T1189 href "/offensive-technique/attack/T1189/";
click ProcessSegment href "/dao/artifact/d3f:ProcessSegment";
click URL href "/dao/artifact/d3f:URL";
click OutboundInternetNetworkTraffic href "/dao/artifact/d3f:OutboundInternetNetworkTraffic";

T1189 --> |modifies| ProcessSegment;
T1189 --> |produces| URL;
T1189 --> |produces| OutboundInternetNetworkTraffic;

PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | OutboundInternetNetworkTraffic;
PerHostDownload-UploadRatioAnalysis -.-> | may-detect | T1189;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";

ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | OutboundInternetNetworkTraffic;
ProtocolMetadataAnomalyDetection -.-> | may-detect | T1189;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";

RelayPatternAnalysis["Relay Pattern Analysis"] --> | analyzes | OutboundInternetNetworkTraffic;
RelayPatternAnalysis -.-> | may-detect | T1189;
class RelayPatternAnalysis DefensiveTechniqueNode;
click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis";

NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> | analyzes | OutboundInternetNetworkTraffic;
NetworkTrafficSignatureAnalysis -.-> | may-detect | T1189;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";

Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | OutboundInternetNetworkTraffic;
Client-serverPayloadProfiling -.-> | may-detect | T1189;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";

NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | OutboundInternetNetworkTraffic;
NetworkTrafficCommunityDeviation -.-> | may-detect | T1189;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";

RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | OutboundInternetNetworkTraffic;
RemoteTerminalSessionDetection -.-> | may-detect | T1189;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";

HomoglyphDetection["Homoglyph Detection"] --> | analyzes | URL;
HomoglyphDetection -.-> | may-detect | T1189;
class HomoglyphDetection DefensiveTechniqueNode;
click HomoglyphDetection href "/technique/d3f:HomoglyphDetection";

IdentifierActivityAnalysis["Identifier Activity Analysis"] --> | analyzes | URL;
IdentifierActivityAnalysis -.-> | may-detect | T1189;
class IdentifierActivityAnalysis DefensiveTechniqueNode;
click IdentifierActivityAnalysis href "/technique/d3f:IdentifierActivityAnalysis";

NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | OutboundInternetNetworkTraffic;
NetworkTrafficFiltering -.-> | may-isolate | T1189;
class NetworkTrafficFiltering DefensiveTechniqueNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";

UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | OutboundInternetNetworkTraffic;
UserGeolocationLogonPatternAnalysis -.-> | may-detect | T1189;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";

URLAnalysis["URL Analysis"] --> | analyzes | URL;
URLAnalysis -.-> | may-detect | T1189;
class URLAnalysis DefensiveTechniqueNode;
click URLAnalysis href "/technique/d3f:URLAnalysis";

ProcessSegmentExecutionPrevention["Process Segment Execution Prevention"] --> | neutralizes | ProcessSegment;
ProcessSegmentExecutionPrevention -.-> | may-harden | T1189;
class ProcessSegmentExecutionPrevention DefensiveTechniqueNode;
click ProcessSegmentExecutionPrevention href "/technique/d3f:ProcessSegmentExecutionPrevention";

SegmentAddressOffsetRandomization["Segment Address Offset Randomization"] --> | obfuscates | ProcessSegment;
SegmentAddressOffsetRandomization -.-> | may-harden | T1189;
class SegmentAddressOffsetRandomization DefensiveTechniqueNode;
click SegmentAddressOffsetRandomization href "/technique/d3f:SegmentAddressOffsetRandomization";

URLReputationAnalysis["URL Reputation Analysis"] --> | analyzes | URL;
URLReputationAnalysis -.-> | may-detect | T1189;
class URLReputationAnalysis DefensiveTechniqueNode;
click URLReputationAnalysis href "/technique/d3f:URLReputationAnalysis";

OutboundTrafficFiltering["Outbound Traffic Filtering"] --> | filters | OutboundInternetNetworkTraffic;
OutboundTrafficFiltering -.-> | may-isolate | T1189;
class OutboundTrafficFiltering DefensiveTechniqueNode;
click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering";
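The graph above says that T1189 produces URL and Outbound Internet Network Traffic artifacts, and that several D3FEND techniques may detect it by analyzing those artifacts. The following is an added example (not code from D3FEND, ATT&CK or this page) showing four of those inferred detections, Homoglyph Detection, URL Analysis, URL Reputation Analysis and Per Host Download-Upload Ratio Analysis, run over constructed web-proxy log lines. The log format, the workstation names, the 198.51.100.23 address (a documentation range), the BAD_HOSTS feed and the UPLOAD_RATIO_THRESHOLD value are all assumptions made for the example.

```python
"""Toy detections for four D3FEND techniques the graph infers for T1189.
Added example; not code from D3FEND or ATT&CK. Log lines are constructed."""
import ipaddress
import unicodedata
from collections import defaultdict
from urllib.parse import urlsplit

# Lookalike of apple.com whose first letter is Cyrillic U+0430; the IDNA codec
# turns it into its punycode form (xn--pple-43d.com), which is what a proxy logs.
HOMOGLYPH_HOST = "\u0430pple.com".encode("idna").decode("ascii")

# Constructed sample proxy log (assumed format):
# timestamp src_host method url status bytes_out bytes_in
SAMPLE_PROXY_LOG = f"""\
2024-05-01T10:00:01Z ws-0412 GET https://intranet.example.com/news.html 200 512 20480
2024-05-01T10:00:03Z ws-0412 GET https://cdn.example.net/app.js 200 480 98304
2024-05-01T10:00:04Z ws-0412 GET https://{HOMOGLYPH_HOST}/landing 200 450 2048
2024-05-01T10:00:05Z ws-0412 GET http://198.51.100.23/load.php?id=7 200 420 655360
2024-05-01T10:00:09Z ws-0412 POST http://198.51.100.23/gate.php 200 1572864 512
2024-05-01T10:00:02Z ws-0517 GET https://intranet.example.com/news.html 200 512 20480
2024-05-01T10:00:06Z ws-0517 GET https://cdn.example.net/app.js 200 480 98304
2024-05-01T10:00:07Z ws-0517 POST https://intranet.example.com/search 200 900 40960
"""

# Hypothetical reputation feed of known-bad hosts (constructed for the example).
BAD_HOSTS = {"198.51.100.23", "malvertising-example.test"}

# bytes_out / bytes_in above which a workstation is unusual: a browsing client
# mostly downloads. The value is an illustrative assumption, not a D3FEND number.
UPLOAD_RATIO_THRESHOLD = 0.5


def parse_proxy_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, status, out_b, in_b = line.split()
        records.append({"ts": ts, "src": src, "method": method, "url": url,
                        "status": int(status), "host": urlsplit(url).hostname or "",
                        "bytes_out": int(out_b), "bytes_in": int(in_b)})
    return records


def _script(ch):
    """Approximate the Unicode script from the character name ("LATIN", "CYRILLIC", ...).
    unicodedata does not expose the Script property, so this is a heuristic."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def is_homoglyph_host(host):
    """Homoglyph Detection: decode punycode labels and flag any label that mixes
    scripts, e.g. a Cyrillic letter inside an otherwise Latin label."""
    try:
        decoded = host.encode("ascii").decode("idna")
    except UnicodeError:
        return False
    for label in decoded.split("."):
        if len({_script(c) for c in label if c.isalpha()}) > 1:
            return True
    return False


def url_findings(record):
    """URL Analysis plus URL Reputation Analysis for a single record."""
    host = record["host"]
    findings = []
    if host in BAD_HOSTS:
        findings.append("reputation:known-bad-host")
    try:
        ipaddress.ip_address(host)          # a literal IP as the web host is unusual for browsing
        findings.append("url:raw-ip-host")
    except ValueError:
        pass
    if is_homoglyph_host(host):
        findings.append("url:homoglyph-host")
    return findings


def upload_heavy_hosts(records, threshold=UPLOAD_RATIO_THRESHOLD):
    """Per Host Download-Upload Ratio Analysis: total bytes_out / bytes_in per source."""
    out_total, in_total = defaultdict(int), defaultdict(int)
    for r in records:
        out_total[r["src"]] += r["bytes_out"]
        in_total[r["src"]] += r["bytes_in"]
    return sorted(h for h in out_total if out_total[h] / max(in_total[h], 1) > threshold)


def triage(text):
    """Run all detections over the log; returns {source_host: [(url, tag), ...]}."""
    records = parse_proxy_log(text)
    per_host = defaultdict(list)
    for r in records:
        for tag in url_findings(r):
            per_host[r["src"]].append((r["url"], tag))
    for h in upload_heavy_hosts(records):
        per_host[h].append(("*", "ratio:upload-heavy"))
    return dict(per_host)


if __name__ == "__main__":
    for src, hits in triage(SAMPLE_PROXY_LOG).items():
        print(src)
        for url, tag in hits:
            print(f"  {tag:26s} {url}")
```

In the sample, ws-0412 is flagged on all four checks (the homoglyph host, the raw-IP host that is also on the reputation list, and an upload-heavy ratio driven by the large POST), while ws-0517, which browses the same intranet and CDN, raises nothing. Two caveats for real use: mixed-script labels are legitimate in some languages, so the homoglyph rule needs an allowlist, and the ratio check should be baselined per host and per time window rather than over a whole log, otherwise a single legitimate large upload (a backup, a video call) trips it.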