DET0176: Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189)
Analyst context for executives and security teams
DET0176 is a MITRE detection strategy tied to Drive-by Compromise (T1189), an initial access behavior where normal web browsing can become the entry point into the environment. The business significance is that the first observable signs may look like routine user web activity, so coverage depends on whether web, endpoint, and identity evidence can be correlated quickly enough to distinguish compromise from ordinary browsing noise.
Executive priority
Treat this as an initial-access readiness question: can the organization prove it has visibility into browser-driven compromise paths across user endpoints and identity services? Security leaders should ask whether web filtering, endpoint detection, incident response triage, and identity monitoring produce auditable evidence for suspicious browsing-to-execution or browsing-to-authentication sequences. Because the ATT&CK object provides no official detection logic, teams should avoid assuming coverage from the strategy name alone and validate controls against local telemetry.
Technical view
The detection strategy object has no official description or detection text, but its relationship record states that it detects T1189 Drive-by Compromise. The related technique belongs to the Initial Access tactic and lists Identity Provider, Linux, macOS, and Windows as platforms. SOC and detection engineering teams should validate behavior-based detections that connect user web activity with downstream endpoint or identity changes, such as suspicious browser child processes, unexpected file writes, exploit-like process behavior, unusual outbound connections after browsing, or identity events following a suspicious web session. IR teams should ensure triage can reconstruct the chain from visited site or served content to endpoint and account activity.
Likely telemetry
- Web proxy, secure web gateway, DNS, URL filtering, and browser history evidence where available
- Endpoint process creation, file creation, module load, network connection, and crash/exploit telemetry from Windows, macOS, and Linux systems
- EDR alerts and host timelines involving browsers, document viewers, script interpreters, or unexpected child processes
- Identity Provider sign-in, session, MFA, token, and conditional access logs where web-originated compromise may lead to account activity
- Network traffic metadata showing connections to recently visited sites, ad/content delivery infrastructure, or unusual post-browsing destinations
Detection direction
- Validate that detections are behavior-based and not limited to static blocklists of known malicious domains, since the related technique includes compromised legitimate websites, modified cloud-hosted scripts, and malicious ads.
- Tune for sequences: normal browsing followed by abnormal browser behavior, unexpected child processes, downloads, persistence attempts, or suspicious identity activity.
- Account for false positives from legitimate web applications, browser extensions, software updaters, developer tools, and advertising/content delivery infrastructure.
- Confirm cross-platform visibility for the related technique’s listed platforms: Identity Provider, Linux, macOS, and Windows. The detection strategy object itself does not specify platforms.
- Measure investigation usability: analysts should be able to pivot from URL/domain to endpoint process tree, user identity, timestamps, and affected assets.
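The sequence tuning and pivot points described above can be exercised against telemetry before any rule ships. The following is an added example written for this page, not detection logic supplied by MITRE or Glexia for DET0176. It assumes a simplified record format (`ts|host|user|kind|image|parent|url`) joining web-proxy visits and endpoint process-creation events, an assumed five-minute look-back window, and assumed browser and expected-child allowlists that a team would tune locally. It flags process creations whose parent is a browser and whose image is not an expected helper (renderer, crash handler, updater), then attaches the same user's recent URLs so an analyst can pivot from domain to process tree as the last bullet asks.

```python
"""Sequence-style detection: browsing followed by an unexpected browser child process.

Added example for this page; formats, allowlists and window are assumptions, not MITRE content.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back from process spawn to prior browsing

# Browser images across the listed platforms (Windows/macOS/Linux); assumed, tune locally.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "chrome", "firefox", "safari"}
# Children a browser legitimately spawns (renderers, crash handlers, updaters); assumed,
# and the main lever for the false positives the page warns about.
EXPECTED_CHILDREN = {"chrome.exe", "msedge.exe", "firefox.exe", "crashpad_handler.exe",
                     "googleupdate.exe", "chrome_crashpad_handler", "plugin-container"}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str         # "web" = proxy/URL-filter record, "proc" = process creation
    image: str        # browser image for web events, child image for proc events
    parent: str = ""  # parent image for proc events
    url: str = ""     # visited URL for web events


def parse_event(line: str) -> Event:
    """Parse one constructed 'ts|host|user|kind|image|parent|url' record."""
    ts, host, user, kind, image, parent, url = line.split("|")
    return Event(datetime.fromisoformat(ts), host, user, kind,
                 image.lower(), parent.lower(), url)


def correlate(events):
    """Return one alert per unexpected browser child, with recent URLs for pivoting."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "proc" or ev.parent not in BROWSERS or ev.image in EXPECTED_CHILDREN:
            continue
        # Look back over the window for web activity by the same user on the same host.
        recent = [e.url for e in events[:i]
                  if e.kind == "web" and e.host == ev.host and e.user == ev.user
                  and ev.ts - e.ts <= WINDOW]
        alerts.append({
            "ts": ev.ts.isoformat(), "host": ev.host, "user": ev.user,
            "parent": ev.parent, "child": ev.image,
            "recent_urls": recent,                 # pivot: URL/domain -> process tree
            "sequence_confirmed": bool(recent),    # browsing actually preceded the spawn
        })
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE = [
    "2025-01-10T10:00:00|ws01|alice|web|chrome.exe||http://news.example/article",
    "2025-01-10T10:00:04|ws01|alice|proc|chrome.exe|chrome.exe|",        # renderer: expected
    "2025-01-10T10:00:12|ws01|alice|proc|powershell.exe|chrome.exe|",    # unexpected child
    "2025-01-10T10:30:00|ws02|bob|web|firefox.exe||https://docs.example/page",
    "2025-01-10T10:30:02|ws02|bob|proc|plugin-container|firefox.exe|",   # expected helper
    "2025-01-10T11:15:00|ws03|carol|proc|googleupdate.exe|chrome.exe|",  # updater: expected
    "2025-01-10T11:40:00|ws04|dave|proc|cmd.exe|msedge.exe|",            # no web evidence in window
]


def run_sample():
    return correlate(parse_event(line) for line in SAMPLE)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two of the seven constructed records alert: the script-interpreter child on ws01, with the preceding URL attached for pivoting, and the shell child on ws04, which carries no web evidence inside the window and is marked `sequence_confirmed: False` so triage can weight it differently. The renderer, plugin helper and updater children fall through the allowlist, which is where most tuning effort lands in practice.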
Mitigation priorities
- Prioritize layered web and endpoint controls: secure browsing controls, web filtering, endpoint protection, and rapid isolation workflows.
- Harden browsers and endpoints through timely patching, least privilege, exploit protection, and restriction of unnecessary script or plugin behavior where operationally feasible.
- Strengthen identity safeguards for post-compromise containment, including MFA, conditional access, session review, and rapid credential/session revocation procedures.
- Use incident response playbooks that preserve web, endpoint, and identity evidence before it ages out.
- For compliance readiness, document which telemetry sources support investigation of browser-originated initial access and where retention or platform gaps remain.
Analyst notes and limits
This Glexia take is based on the supplied MITRE detection strategy metadata and its relationship to T1189 Drive-by Compromise. The object name indicates a behavior-based, multi-platform detection strategy, but the official description, detection text, tactics, and platforms for the detection strategy itself are not provided. Practical validation should therefore be performed against the related T1189 context and the organization’s own telemetry.
No official detection logic, analytic rules, data components, mitigations, or procedure examples were supplied for DET0176. The related T1189 description is also truncated in the provided source text. Conclusions are limited to conservative defensive planning and validation guidance, not claims of active exploitation, attribution, or guaranteed detection coverage.
Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1189 | Drive-by Compromise | This object detects Drive-by Compromise. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 66c1daa06eda… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0176 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.