Skip to content

T1608.004 Drive-by Target

Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user’s web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure).

Adversaries may upload or inject malicious web content, such as JavaScript, into websites.32 This may be done in a number of ways, including:

  • Inserting malicious scripts into web pages or other user controllable web content such as forum posts
  • Modifying script files served to websites from publicly writeable cloud storage buckets
  • Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., Malvertising)

In addition to staging content to exploit a user’s web browser, adversaries may also stage scripting content to profile the user’s browser (as in Gather Victim Host Information) to ensure it is vulnerable prior to attempting exploitation.1

Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure (Domains) to help facilitate Drive-by Compromise.

Item Value
ID T1608.004
Sub-techniques T1608.001, T1608.002, T1608.003, T1608.004, T1608.005, T1608.006
Tactics TA0042
Platforms PRE
Version 1.3
Created 17 March 2021
Last Modified 15 April 2023

Procedure Examples

ID Name Description
G0050 APT32 APT32 has stood up websites containing numerous articles and content scraped from the Internet to make them appear legitimate, but some of these pages include malicious JavaScript to profile the potential victim or infect them via a fake software update.6
C0010 C0010 For C0010, the threat actors compromised the login page of a legitimate Israeli shipping company and likely established a watering hole that collected visitor information.10
G0035 Dragonfly Dragonfly has compromised websites to redirect traffic and to host exploit kits.4
G1014 LuminousMoth LuminousMoth has redirected compromised machines to an actor-controlled webpage through HTML injection.5
G0027 Threat Group-3390 Threat Group-3390 has embedded malicious code into websites to screen a potential victim’s IP address and then exploit their browser if they are of interest.2
G0134 Transparent Tribe Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.789


ID Mitigation Description
M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.


ID Data Source Data Component
DS0035 Internet Scan Response Content