This site has been deprecated in favor of and will remain in place until 11/1/22.

Drive-by Compromise

From attackics
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to

Drive-by Compromise
ID T0817
Tactic Initial Access
Data Sources Application Log: Application Log Content, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Process: Process Creation


Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session.With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.

The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack.

The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors.1 Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.

Procedure Examples

  • ALLANITE leverages watering hole attacks to gain access into electric utilities.2
  • Dragonfly 2.0 utilized watering hole attacks to gather credentials, by compromising websites that energy sector organizations might access.3 A line of code is injected into the header.php file, this is used to redirect the visitors to an adversary controlled IP.1
  • Dragonfly utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver Backdoor.Oldrea or Trojan.Karagany.4
  • OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks.5
  • XENOTIME utilizes watering hole websites to target industrial employees.6
  • Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure.7


  • Exploit Protection - Utilize exploit protection to prevent activities which may be exploited through malicious web sites.
  • Update Software - Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled.