Esc
Drive-by Compromise - T1189

(ATT&CK® Technique)
Definition

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1189["Drive-by Compromise"] --> |modifies| ProcessSegment["Process Segment"]; class T1189 OffensiveTechniqueNode;
        class ProcessSegment ArtifactNode; click ProcessSegment href "/dao/artifact/d3f:ProcessSegment";
        click T1189 href "/offensive-technique/attack/T1189/"; click ProcessSegment href "/dao/artifact/d3f:ProcessSegment"; T1189["Drive-by Compromise"] --> |produces| URL["URL"]; class T1189 OffensiveTechniqueNode;
        class URL ArtifactNode; click URL href "/dao/artifact/d3f:URL";
        click T1189 href "/offensive-technique/attack/T1189/"; click URL href "/dao/artifact/d3f:URL"; T1189["Drive-by Compromise"] --> |produces| OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; class T1189 OffensiveTechniqueNode;
        class OutboundInternetNetworkTraffic ArtifactNode; click OutboundInternetNetworkTraffic href "/dao/artifact/d3f:OutboundInternetNetworkTraffic";
        click T1189 href "/offensive-technique/attack/T1189/"; click OutboundInternetNetworkTraffic href "/dao/artifact/d3f:OutboundInternetNetworkTraffic";                                       PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RelayPatternAnalysis["Relay Pattern Analysis"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          RelayPatternAnalysis["Relay Pattern Analysis"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class RelayPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis";                      NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";                        Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";                             RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";               HomoglyphDetection["Homoglyph Detection"] -->
          | analyzes | URL["URL"];

          HomoglyphDetection["Homoglyph Detection"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class HomoglyphDetection DefensiveTechniqueNode;
          class URL ArtifactNode;
          click HomoglyphDetection href "/technique/d3f:HomoglyphDetection";         IdentifierActivityAnalysis["Identifier Activity Analysis"] -->
          | analyzes | URL["URL"];

          IdentifierActivityAnalysis["Identifier Activity Analysis"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class IdentifierActivityAnalysis DefensiveTechniqueNode;
          class URL ArtifactNode;
          click IdentifierActivityAnalysis href "/technique/d3f:IdentifierActivityAnalysis";        NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1189["Drive-by Compromise"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";                            URLAnalysis["URL Analysis"] -->
          | analyzes | URL["URL"];

          URLAnalysis["URL Analysis"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class URLAnalysis DefensiveTechniqueNode;
          class URL ArtifactNode;
          click URLAnalysis href "/technique/d3f:URLAnalysis";                             ProcessSegmentExecutionPrevention["Process Segment Execution Prevention"] -->
          | neutralizes | ProcessSegment["Process Segment"];

          ProcessSegmentExecutionPrevention["Process Segment Execution Prevention"] -.->
            | may-harden | T1189["Drive-by Compromise"] ;
          class ProcessSegmentExecutionPrevention DefensiveTechniqueNode;
          class ProcessSegment ArtifactNode;
          click ProcessSegmentExecutionPrevention href "/technique/d3f:ProcessSegmentExecutionPrevention"; SegmentAddressOffsetRandomization["Segment Address Offset Randomization"] -->
          | obfuscates | ProcessSegment["Process Segment"];

          SegmentAddressOffsetRandomization["Segment Address Offset Randomization"] -.->
            | may-harden | T1189["Drive-by Compromise"] ;
          class SegmentAddressOffsetRandomization DefensiveTechniqueNode;
          class ProcessSegment ArtifactNode;
          click SegmentAddressOffsetRandomization href "/technique/d3f:SegmentAddressOffsetRandomization";                           URLReputationAnalysis["URL Reputation Analysis"] -->
          | analyzes | URL["URL"];

          URLReputationAnalysis["URL Reputation Analysis"] -.->
            | may-detect | T1189["Drive-by Compromise"] ;
          class URLReputationAnalysis DefensiveTechniqueNode;
          class URL ArtifactNode;
          click URLReputationAnalysis href "/technique/d3f:URLReputationAnalysis";              OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
          | filters | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          OutboundTrafficFiltering["Outbound Traffic Filtering"] -.->
            | may-isolate | T1189["Drive-by Compromise"] ;
          class OutboundTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering";
json