T1608.004: Drive-by Target
Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure).
Adversaries may upload or inject malicious web content, such as JavaScript, into websites.[1][2] This may be done in a number of ways, including:
* Inserting malicious scripts into web pages or other user controllable web content such as forum posts
* Modifying script files served to websites from publicly writeable cloud storage buckets
* Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., Malvertising)
In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in Gather Victim Host Information) to ensure it is vulnerable prior to attempting exploitation.[3]
Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to as a strategic web compromise or watering hole attack.
Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure (Domains) to help facilitate Drive-by Compromise.
Analyst context for executives and security teams
Drive-by Target is pre-compromise staging: adversaries prepare web content, domains, ads, cloud-hosted scripts, or compromised websites so normal browsing can later lead to profiling, token capture, or drive-by compromise. The business issue is that risk may form outside the enterprise perimeter before any endpoint alert exists, especially when users regularly visit industry, regional, supplier, or community websites that could be used as watering holes.
Executive priority
Treat this as an early-warning and readiness problem, not just a malware problem. Leaders should ask whether the organization can identify suspicious lookalike domains, compromised third-party web dependencies, abnormal browser-facing script activity, and exposure of high-risk user communities before incident response begins. The ATT&CK relationships connect this behavior to multiple groups and one campaign, including contexts involving government, defense, aviation, energy, healthcare, retail, hospitality, cloud services, transportation, and other sectors; that makes it relevant to resilience planning, third-party risk, identity protection, and evidence that pre-compromise monitoring exists.
Technical view
This sub-technique sits under Stage Capabilities in the Resource Development tactic and has platform PRE, so validation should focus on external and pre-incident visibility rather than only endpoint detections. SOC and threat intelligence teams should confirm coverage for adversary-controlled or compromised websites, malicious or profiling JavaScript, publicly writable cloud storage script changes, malvertising paths, suspicious referrers, and domains similar to legitimate brands. IR teams should be prepared to pivot from a suspected drive-by event back to the staged resource, including browser telemetry, web proxy history, DNS activity, affected user cohorts, and any relationship to Drive-by Compromise, Application Access Token abuse, Gather Victim Host Information, Acquire Infrastructure, Compromise Infrastructure, Domains, or Malvertising.
Likely telemetry
- Web proxy, secure web gateway, or browser history showing visits to suspicious or compromised websites
- DNS and passive DNS data for lookalike, typosquatted, homoglyph, or unusual top-level domains
- Endpoint browser and script execution evidence, especially JavaScript delivered during normal browsing
- Web server, website integrity, and content management logs for owned sites that could host injected content
- Cloud storage access and object modification logs for publicly writable or web-served script files
Detection direction
- Because ATT&CK provides no official detection text for this object, start by mapping local telemetry to DET0825 and testing whether analysts can reconstruct a drive-by path from domain to page content to user visit.
- Tune for suspicious script injection, unexpected third-party script changes, and abnormal redirects, but account for high false-positive volume from legitimate advertising networks, CDNs, analytics tags, and website changes.
- Monitor for domains similar to legitimate domains and for newly observed domains that align with the organization, sector, region, or executive/user communities.
- Correlate web visits with browser profiling behavior and subsequent authentication or token anomalies where available, without assuming exploitation occurred from browsing alone.
- Validate third-party and cloud-hosted web content visibility; a common blind spot is script content served from infrastructure the enterprise does not directly administer.
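One way to act on the lookalike-domain items above: an added Python example (not from the ATT&CK page or Glexia) that checks domains from DNS query log lines against a watched brand for TLD swaps, homoglyphs (including a punycode-encoded Cyrillic letter) and one-edit typosquats. The brand list, confusables table and log lines are constructed, and it assumes single-label TLDs rather than the Public Suffix List.

```python
# Constructed brand list and a small constructed confusables table (Cyrillic a e o c at the end).
WATCHED = ["examplecorp.com"]
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c"}

def registrable(host):  # lowercase, decode punycode (xn--) labels, keep the last two labels
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or malformed punycode: compare the name as given
    return ".".join(host.split(".")[-2:])  # assumption: single-label TLD, no Public Suffix List

def normalize(label):  # fold look-alike characters to their ASCII target, longest patterns first
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(bad, good)
    return label

def levenshtein(a, b):  # plain edit distance; one insertion/deletion/substitution is a typical typosquat
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):  # why host resembles a watched brand (tld-swap, homoglyph, typosquat) or None
    dom = registrable(host)
    if dom in WATCHED or "." not in dom:
        return None
    sld, tld = dom.rsplit(".", 1)
    for brand in WATCHED:
        bsld, btld = brand.rsplit(".", 1)
        if sld == bsld and tld != btld:
            return f"tld-swap of {brand}"
        if normalize(sld) == bsld:
            return f"homoglyph of {brand}"
        if levenshtein(normalize(sld), bsld) == 1:
            return f"typosquat of {brand}"
    return None

LOG_LINES = [  # constructed DNS query log: "<timestamp> <client> <qname>"
    "2024-05-01T09:00:01Z 10.0.0.5 examplecorp.com",
    "2024-05-01T09:00:07Z 10.0.0.5 examplecorp.net",
    "2024-05-01T09:01:12Z 10.0.0.9 examp1ecorp.com",
    "2024-05-01T09:02:30Z 10.0.0.9 " + "\u0435xamplecorp.com".encode("idna").decode("ascii"),
    "2024-05-01T09:03:44Z 10.0.0.7 example-corp.com",
    "2024-05-01T09:04:00Z 10.0.0.7 www.unrelated.org",
]

def scan(lines):  # (client, qname, reason) for every line whose domain resembles a watched brand
    rows = [line.split() for line in lines]
    return [(c, q, classify(q)) for _, c, q in rows if classify(q)]
```

Hits from `scan(LOG_LINES)` are candidates for newly-observed-domain triage, not proof of staging; legitimate defensive registrations and brand-owned TLD variants will also match.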
Mitigation priorities
- Prioritize pre-compromise controls consistent with M1056: reduce exposed information that helps adversaries select targets, and monitor for adversary preparation affecting the organization or its communities.
- Harden and monitor owned websites, content management systems, and web-served cloud storage so they cannot be used to stage malicious scripts or altered content.
- Use domain monitoring and brand protection processes for lookalike domains, typosquatting, homoglyphs, and suspicious top-level domain registrations.
- Maintain browser, web filtering, and endpoint security baselines that reduce the chance that staged content can progress to Drive-by Compromise.
- Include watering-hole and malvertising scenarios in incident response playbooks, especially for high-risk user groups and sectors referenced in local threat models.
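To make the website and cloud-storage hardening items concrete, an added Python example (not the page's, MITRE's or Glexia's code) that audits a page's script tags against an approved baseline: external scripts without a Subresource Integrity attribute, served script bodies whose hash no longer matches the approved copy, and inline scripts not on the allow list. The page HTML, URLs, script bodies and baseline are constructed.

```python
import base64, hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):  # external <script src> (with any integrity attr) and inline bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external.append((a["src"], a.get("integrity")))
            else:
                self._in_script = True
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def sri(body):  # Subresource Integrity value (sha384-<base64 digest>) as a browser computes it
    return "sha384-" + base64.b64encode(hashlib.sha384(body.encode()).digest()).decode()

def audit(html, served, baseline):
    """served = {src: body the host returns now}; baseline = {src: sri, "inline": {sri, ...}}."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src, integrity in p.external:
        if integrity is None:
            findings.append(("unpinned", src))        # browser runs whatever the host serves
        if src in served and sri(served[src]) != baseline.get(src):
            findings.append(("drift", src))           # served file differs from the approved copy
    for body in p.inline:
        if sri(body) not in baseline["inline"]:
            findings.append(("unknown-inline", body[:40]))  # possible injected content
    return findings

# Constructed sample: approved script bodies, what the hosts serve today, and the page HTML.
APP, WIDGET = "console.log('app v1');", "export const widget = 1;"
APP_URL = "https://cdn.example-static.invalid/app.js"
WIDGET_URL = "https://bucket.example-storage.invalid/widget.js"   # script served from a bucket
SERVED = {APP_URL: APP, WIDGET_URL: WIDGET + "\nwindow.__v = 2;"}  # widget.js was modified
BASELINE = {APP_URL: sri(APP), WIDGET_URL: sri(WIDGET), "inline": {sri("window.dataLayer = [];")}}
PAGE = f"""<html><head>
<script src="{APP_URL}" integrity="{sri(APP)}"></script>
<script src="{WIDGET_URL}"></script>
<script>window.dataLayer = [];</script>
<script>window.__profile = navigator.userAgent;</script>
</head></html>"""
```

Running `audit(PAGE, SERVED, BASELINE)` on a schedule against the live page and the live bucket objects is the cloud-storage and website-integrity check the list above asks for; in production, `served` comes from fetching each `src`.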
Analyst notes and limits
The value of this object is in connecting external preparation to internal readiness. It is especially useful for threat intelligence, managed detection, cloud security, IAM, vulnerability management, and IR teams that need to decide whether they can see the path from staged web resource to user exposure. ATT&CK relationships show use by several named groups and campaign C0010, but local prioritization should be based on the organization’s sector, geography, user communities, browsing patterns, and third-party web dependencies.
The supplied ATT&CK object has no official detection guidance and only identifies platform PRE, so specific detections, log sources, and control effectiveness must be validated in the local environment. The relationships indicate historical use by listed groups and a campaign, but they do not prove current targeting or exposure for any specific organization.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1608 | Stage Capabilities | This object is a sub-technique of Stage Capabilities. |
Groups, software, and campaigns
G0134: Transparent Tribe
Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]
G1014: LuminousMoth
LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.[1][2]
G0035: Dragonfly
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]
G1012: CURIUM
CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.[1] CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[2]
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
G1020: Mustard Tempest
Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.[1][2][3][4]
C0010: C0010
C0010 was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researchers assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. C0010 began by at least late 2020, and was still ongoing as of mid-2022.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 7b4b095e806b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye CFR Watering Hole 2012: Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved November 17, 2024.
[2] Gallagher 2015: Gallagher, S. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as "watering holes". Retrieved January 25, 2016.
[3] ATT ScanBox: Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.
[4] mitre-attack T1608.004 (MITRE ATT&CK source record for this object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.