1. Home
  2. Techniques
  3. Mobile
  4. Drive-by Compromise

Drive-by Compromise

As described by Drive-by Compromise, a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability [1].

(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)

ID: T1456
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
MTC ID: CEL-22
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Procedure Examples

ID Name Description
S0463 INSOMNIA

INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.[2]
S0289 Pegasus for iOS

Pegasus for iOS was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.[3]
S0328 Stealth Mango

Stealth Mango is delivered via a a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.[4]

Mitigations

ID Mitigation Description
M1001 Security Updates
M1006 Use Recent OS Version

References

  1. Zimperium. (2015, January 27). Experts Found a Unicorn in the Heart of Android. Retrieved December 23, 2016.
  2. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
  1. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
  2. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.