MITRE ATT&CK® Technique

T0817: Drive-by Compromise

Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.

The adversary may target a specific community, such as trusted third-party suppliers or other industry-specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack.

The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. [1] Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure-related trade publications and informational websites.

ICS · T0817 · Technique · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Drive-by Compromise matters because ordinary web browsing can become the initial access path into an ICS environment, especially when adversaries compromise trusted industry, supplier, trade publication, or informational websites used by operators, engineers, or related third parties. The business risk is not just “malicious websites”; it is loss of confidence that routine research or supplier interaction cannot expose workstations connected to control-system operations.

Executive priority

Prioritize this as an operational resilience and third-party trust issue for ICS environments. Leaders should ask whether engineering/operator workstations have controlled web access, whether browser and software update windows are aligned with operational downtime, and whether security teams can produce evidence of web filtering, exploit protection, sandboxing/isolation, and monitoring for browsing-based compromise attempts. This technique is especially material where trusted suppliers or sector-specific websites are part of normal workflows.

Technical view

SOC, detection engineering, and IR teams should validate coverage around browser-driven exploitation and watering-hole exposure, particularly for ICS workstations referenced by the relationship context. ATT&CK does not provide official detection text for T0817, but the object is associated with detection strategy DET0782 and mitigations for restricting web content, application isolation/sandboxing, exploit protection, and software updates. Teams should test whether web, DNS, proxy, endpoint, and workstation telemetry can connect a user browsing event to suspicious downloads, script execution, exploit indicators, browser child processes, or follow-on activity on engineering/operator workstations.

Likely telemetry

  • Web proxy or secure web gateway logs for visited domains, URL categories, downloads, blocked content, and referrers
  • DNS logs for sector-specific, supplier, or newly suspicious domains accessed by ICS-related users or workstations
  • Endpoint security alerts for browser exploit behavior, suspicious script execution, or blocked exploit conditions
  • Browser and operating system event logs from workstations used by operators or engineers
  • Download and attachment control logs, including blocked JavaScript, extensions, or executable content

Detection direction

  • Confirm what DET0782-style detection is implemented locally, since the supplied ATT&CK object does not include official detection logic.
  • Tune monitoring around normal browsing by ICS personnel, engineers, and third-party-facing teams rather than only known-malicious domains.
  • Correlate web visits with endpoint exploit alerts, unusual downloads, browser-spawned processes, or immediate authentication/network activity from related workstations.
  • Account for false positives from legitimate supplier portals, trade publications, engineering downloads, and maintenance tools; use allowlisting carefully and review exceptions regularly.
  • Look for blind spots where ICS workstations browse directly without proxy logging, where DNS logs are not retained, or where endpoint monitoring is lighter due to operational constraints.
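The correlation described above (a browsing event on an ICS workstation followed shortly by a browser spawning a scripting or command host), worked through as an added example that is not part of the Glexia or MITRE page. The proxy and process-creation log formats, host names, domains and the allowlist are all constructed for illustration; a reviewed allowlist of supplier portals is used to suppress the false positives the notes warn about.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page): secure web gateway lines
# and endpoint process-creation events from two ICS workstations.
PROXY_LOG = [
    "2024-05-02T09:14:03Z host=ENG-WS-07 user=jdoe url=https://vendor-portal.example/login",
    "2024-05-02T09:15:41Z host=ENG-WS-07 user=jdoe url=https://ics-news.example/article/1234",
    "2024-05-02T09:15:52Z host=ENG-WS-07 user=jdoe url=https://cdn-static.example.net/update.js",
    "2024-05-02T10:02:10Z host=OPS-WS-02 user=asmith url=https://vendor-portal.example/docs",
]
PROCESS_EVENTS = [
    "2024-05-02T09:15:55Z host=ENG-WS-07 parent=chrome.exe child=powershell.exe",
    "2024-05-02T10:02:12Z host=OPS-WS-02 parent=chrome.exe child=chrome.exe",
    "2024-05-02T11:30:00Z host=ENG-WS-07 parent=explorer.exe child=cmd.exe",
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
APPROVED_SITES = {"vendor-portal.example"}  # hypothetical reviewed allowlist of supplier portals
WINDOW = timedelta(seconds=60)              # how far back to look for a browsing event

def parse(line):
    """Turn a 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def hostname(url):
    return url.split("//", 1)[1].split("/", 1)[0]

def correlate(proxy_lines, process_lines):
    """Return browser-spawned suspicious children preceded by visits to non-allowlisted sites."""
    visits = [parse(l) for l in proxy_lines]
    hits = []
    for ev in (parse(l) for l in process_lines):
        if ev["parent"] not in BROWSERS or ev["child"] not in SUSPICIOUS_CHILDREN:
            continue
        # Browsing events from the same workstation within WINDOW before the spawn.
        recent = [v for v in visits
                  if v["host"] == ev["host"] and timedelta(0) <= ev["ts"] - v["ts"] <= WINDOW]
        domains = {hostname(v["url"]) for v in recent}
        # Suppress when every preceding visit was to an approved supplier site.
        if domains and not domains <= APPROVED_SITES:
            hits.append({"host": ev["host"], "child": ev["child"],
                         "time": ev["ts"].isoformat(), "domains": sorted(domains - APPROVED_SITES)})
    return hits
```

In the sample data only ENG-WS-07 is flagged: Chrome launched powershell.exe seconds after visits to two non-allowlisted sites, while OPS-WS-02 only spawned a browser renderer after an approved portal.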

Mitigation priorities

  • Start by restricting web-based content for ICS-relevant users and workstations: limit unnecessary sites, downloads, attachments, JavaScript, and browser extensions where operationally feasible.
  • Use application isolation or sandboxing to contain web-originated code before it reaches endpoint systems.
  • Enable exploit protection capabilities that can detect or block exploit-like conditions against browsers or related software.
  • Maintain regular software updates for browsers, plugins, and workstation operating systems, scheduled around operational downtime where ICS availability requires change control.
  • Review whether operator and engineering workstations need general web browsing at all; where they do, document business justification, compensating controls, and monitoring evidence.

Analyst notes and limits

The most useful defensive conversation is whether routine browsing paths into the ICS environment are governed, monitored, and evidenced. The relationship to the ICS Workstation asset makes this especially relevant for operator and engineering systems, including related workstation platforms described as Linux and Windows. The cited CISA alert describes watering-hole activity against process control, ICS, and critical infrastructure-related publications and websites in the Dragonfly context; that should inform risk scenarios without assuming current activity in any environment.

ATT&CK provides no platforms, tactics, or official detection text directly on this technique object, so detection and telemetry recommendations are derived from the official description and supplied relationships. The group and software relationships show historical ATT&CK usage, not current exploitation or local exposure. Local architecture, browsing policy, workstation connectivity, patch constraints, and logging coverage are required to determine actual risk and control maturity.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group ICS

G0035: Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]

Group ICS

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

Group ICS

G1000: ALLANITE

ALLANITE is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to Dragonfly, although ALLANITE's technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1ce76ae8765674a2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 1ce76ae87656…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Cybersecurity & Infrastructure Security Agency. (2018, March 15). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 11, 2019.
  2. [2] mitre-attack: T0817
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.