DET0825: Detection of Drive-by Target
Analyst context for executives and security teams
DET0825 is a MITRE detection strategy for identifying preparation activity tied to Drive-by Target, where an adversary sets up a web-based environment intended to compromise systems that browse to it. For leaders, the decision value is not just browser exploit detection; it is whether the organization can see and investigate risky web destinations before they become an endpoint incident.
Executive priority
Prioritize this as a resilience and readiness question: can security teams connect suspicious web infrastructure, user browsing exposure, and later endpoint compromise evidence into one incident picture? Because the related ATT&CK technique is resource development, coverage may depend on threat intelligence, web security visibility, and incident response workflows rather than endpoint alerts alone.
Technical view
The supplied ATT&CK object has no official detection text, platforms, or tactics of its own. Its only relationship is that it detects T1608.004 Drive-by Target, associated with resource development and PRE. SOC and detection engineering teams should therefore validate whether existing monitoring can identify adversary-controlled or suspicious websites prepared to compromise normal browsing activity, and whether that context can be correlated with subsequent Drive-by Compromise-style endpoint or browser events when local telemetry exists.
Likely telemetry
- Threat intelligence or reputation data about suspicious domains, URLs, and web infrastructure
- Web proxy, secure web gateway, or browser access logs showing visits to suspicious sites
- DNS query and resolution logs for domains associated with suspicious web destinations
- Endpoint or browser security events that may show exploitation or abnormal behavior after browsing
- Incident response case data linking pre-compromise web exposure to later host activity
Detection direction
- Treat this as a correlation problem: suspicious web infrastructure alone may be weak, but value increases when matched to user visits or later endpoint/browser anomalies.
- Validate whether detection logic distinguishes normal browsing to uncommon sites from visits to infrastructure assessed as adversary-controlled or suspicious.
- Review false-positive handling for newly registered, low-reputation, compromised, or rarely visited websites, since the supplied ATT&CK fields do not define exact indicators.
- Confirm that PRE/resource-development context is not lost because many SOC pipelines focus only on post-compromise endpoint behavior.
- Use relationship context to connect DET0825 to T1608.004 rather than claiming broad drive-by exploit coverage.
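As an added illustration of the correlation approach described above (example code, not part of DET0825, ATT&CK or the Glexia mirror), the Python sketch below joins constructed proxy records against a constructed threat-intel domain list and escalates a hit only when the same host shows an endpoint anomaly within a 30-minute window; every domain, hostname and event string is a placeholder.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed threat-intel set: domains assessed as adversary-prepared
# drive-by infrastructure. Placeholder values, not real indicators.
SUSPICIOUS_DOMAINS = {"updates.example-cdn.invalid", "login.example-portal.invalid"}

# Constructed web-proxy records: (timestamp, user, host, url)
PROXY_LOG = [
    ("2024-05-01T09:00:10", "alice", "WS-101", "https://intranet.example.invalid/home"),
    ("2024-05-01T09:04:30", "bob", "WS-102", "https://updates.example-cdn.invalid/a.js"),
    ("2024-05-01T09:20:00", "carol", "WS-103", "https://rare-hobby-site.invalid/"),
    ("2024-05-01T10:45:00", "dave", "WS-104", "https://login.example-portal.invalid/"),
]

# Constructed endpoint/browser telemetry: (timestamp, host, event)
ENDPOINT_EVENTS = [
    ("2024-05-01T09:06:05", "WS-102", "browser spawned unexpected child process"),
    ("2024-05-01T09:50:00", "WS-103", "scheduled scan completed"),
    ("2024-05-01T13:00:00", "WS-104", "browser crash report"),
]

WINDOW = timedelta(minutes=30)  # tuning value, chosen for this example

def correlate(proxy_log, endpoint_events, intel, window=WINDOW):
    """Return one finding per visit to intel-listed infrastructure.

    Visits to merely uncommon sites (not in intel) produce no finding;
    a visit followed by an endpoint anomaly on the same host inside
    `window` is raised from medium (exposure only) to high severity."""
    findings = []
    for ts, user, host, url in proxy_log:
        domain = urlparse(url).hostname
        if domain not in intel:
            continue  # uncommon is not the same as assessed-suspicious
        t_visit = datetime.fromisoformat(ts)
        followups = [
            (e_ts, event) for e_ts, e_host, event in endpoint_events
            if e_host == host and t_visit <= datetime.fromisoformat(e_ts) <= t_visit + window
        ]
        findings.append({
            "user": user, "host": host, "domain": domain,
            "severity": "high" if followups else "medium",
            "endpoint_events": followups,
        })
    return findings

if __name__ == "__main__":
    for f in correlate(PROXY_LOG, ENDPOINT_EVENTS, SUSPICIOUS_DOMAINS):
        print(f["severity"], f["user"], f["host"], f["domain"], f["endpoint_events"])
```

In the constructed data, the WS-102 visit is escalated because an anomaly follows within the window, the WS-104 visit stays at medium because its crash report falls outside it, and the rarely visited hobby site produces no finding at all.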
Mitigation priorities
- Inventory where web, DNS, threat intelligence, and endpoint/browser telemetry are collected and retained.
- Ensure incident response playbooks can pivot from suspicious website exposure to affected users, endpoints, and browsing timelines.
- Prioritize control validation for web access monitoring and alert triage before assuming endpoint detections will catch the full behavior.
- Document detection assumptions and evidence sources for audit and compliance readiness, especially where pre-compromise activity is difficult to prove.
- Use local environment testing and historical cases to tune thresholds, because ATT&CK provides no official detection procedure for this object.
Analyst notes and limits
This take is based on DET0825 and its relationship to T1608.004 Drive-by Target. The ATT&CK object itself does not provide an official description, detection text, platforms, or tactics, so the practical guidance is intentionally framed around validation questions and telemetry classes implied by the related technique description.
Coverage cannot be inferred from this ATT&CK object alone. Local web, DNS, browser, endpoint, threat intelligence, and IR data availability will determine whether this detection strategy is actionable. No active exploitation, attribution, specific platform coverage, or guaranteed detection is supported by the supplied fields.
Detection of Drive-by Target
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1608.004 | Drive-by Target Sub-technique | This object detects Drive-by Target. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | be7865570299… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0825
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.