T1456 Drive-by Compromise
As described by the ATT&CK for Enterprise technique Drive-by Compromise, a drive-by compromise occurs when an adversary gains access to a system through a user visiting a website in the normal course of browsing. With this technique, the user's web browser (or a component it hands content to, such as a media parser) is the target of exploitation. For example, a website may serve malicious media content intended to exploit vulnerabilities in media parsers, as demonstrated by the Android Stagefright vulnerability [1].
(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)
Item | Value |
---|---|
ID | T1456 |
Sub-techniques | |
Tactics | TA0027 (Initial Access) |
Platforms | Android, iOS |
Version | 1.0 |
Created | 25 October 2017 |
Last Modified | 17 October 2018 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0463 | INSOMNIA | INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices. [4] |
S0289 | Pegasus for iOS | Pegasus for iOS was distributed through a website by exploiting vulnerabilities in the Safari web browser on iOS devices. [3] |
S0328 | Stealth Mango | Stealth Mango is delivered via a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger. [2] |
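The procedure examples above describe the delivery side of this technique only in prose: a lure page that embeds hidden iframes or runs JavaScript which checks the visitor's browser before serving an exploit. The following scanner is an added illustration, not code from the ATT&CK page or from any of the cited reports. It parses a fetched HTML page with the Python standard library and flags two indicators: iframes hidden from the user that load content from a different host, and inline scripts that both read the user agent and compare it against a specific mobile OS release. The regexes, the "hidden" attribute thresholds, the host names and the sample page are all constructed assumptions for the example.

```python
"""Heuristic scanner for drive-by compromise indicators in fetched HTML.

Added illustration, not part of the ATT&CK page or any of the listed
reports. Attribute names, thresholds and the sample page are assumptions
chosen for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed markers of a version-gated loader: it reads the UA string and
# compares it against a specific mobile OS release.
UA_GATE_RE = re.compile(r"navigator\.(userAgent|platform|appVersion)")
OS_VERSION_RE = re.compile(r"(?:iPhone OS|CPU OS|Android)\s*\d+")


class DriveByScanner(HTMLParser):
    """Collects (indicator, detail) tuples while parsing one page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._script = None  # text chunks collected while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self._check_iframe(dict(attrs))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            self._check_script(body)

    def _check_iframe(self, a):
        # Zero/one-pixel frames or CSS-hidden frames are invisible to the user.
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (
            (a.get("width") or "").strip() in ("0", "1")
            or (a.get("height") or "").strip() in ("0", "1")
            or "display:none" in style
            or "visibility:hidden" in style
        )
        if not hidden:
            return
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            self.findings.append(("hidden_cross_origin_iframe", src))
        else:
            self.findings.append(("hidden_iframe", src))

    def _check_script(self, body):
        # Require both a UA read and an OS version literal: a UA read alone
        # is ordinary analytics code and would be pure noise.
        version = OS_VERSION_RE.search(body)
        if UA_GATE_RE.search(body) and version:
            self.findings.append(("ua_version_gate", version.group(0)))


def scan_page(html, page_host):
    """Return the list of indicators found in `html` served from `page_host`."""
    scanner = DriveByScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a lure page that redirects only iOS 12 visitors and
# embeds an invisible third-party frame; the second script and frame are benign.
SAMPLE_PAGE = """<html><head><title>Free app mirror</title></head><body>
<p>Download the latest apps</p>
<script>
  var ua = navigator.userAgent;
  if (/iPhone OS 12_/.test(ua)) { location.href = "/stage2.html"; }
</script>
<script>window._ua = navigator.userAgent;</script>
<iframe src="https://cdn.example.invalid/loader.html" width="0" height="0"
        style="display: none"></iframe>
<iframe src="/about.html" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for indicator, detail in scan_page(SAMPLE_PAGE, "apps-mirror.example"):
        print(f"{indicator}: {detail}")
```

Both indicators also occur on legitimate pages (ad and analytics frames are routinely hidden, and feature detection sometimes inspects the OS version), so treat the output as a triage signal for a proxy or URL-inspection pipeline, not as a verdict. The useful follow-up is to fetch the flagged iframe and redirect targets with the gated user agent and compare what is served against a generic desktop browser.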
Mitigations
ID | Mitigation | Description |
---|---|---|
M1001 | Security Updates | - |
M1006 | Use Recent OS Version | - |
References
1. Zimperium. (2015, January 27). Experts Found a Unicorn in the Heart of Android. Retrieved December 23, 2016.
2. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
3. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
4. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.