The sub-techniques beta is now live! Read the release blog post for more info.

Drive-by Compromise

As described by Drive-by Compromise, a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability [1].

(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)

ID: T1456
Tactic Type: Post-Adversary Device Access
Tactic: Initial Access
Platform: Android, iOS
MTC ID: CEL-22
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Procedure Examples

Name Description
Pegasus for iOS

Pegasus for iOS was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.[3]

Stealth Mango

Stealth Mango is delivered via a a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.[2]

Mitigations

Mitigation Description
Security Updates
Use Recent OS Version

References