Drive-by Compromise
Key Points:
Overview: Attackers gain access to a system by exploiting the user's web browser, or by abusing a compromised website, when the user browses to it; watering hole variants aim this at specific user groups.
Drive-by Compromise: Users land on websites with attacker-controlled content, where vulnerabilities in the browser or its plugins are exploited to gain control over their systems.
Hacked Websites: A compromised site can also redirect users to a malicious application that harvests Application Access Tokens (such as OAuth tokens), often presented as a popup on an otherwise legitimate site.
Detection Methods: Use Application Log Content, File Creation, Process Creation, Network Connection Creation, and Browser History analysis to identify suspicious activity and signs of compromise.
Browser History: Review browser history for ad traffic, malicious URLs, and file downloads when investigating incidents that originate from web traffic.
Overview
Attackers can gain access to a system when a user visits a website. This usually means exploiting the user's web browser, but compromised websites are also used in other ways, such as harvesting Application Access Tokens.
Attacker-controlled content can be delivered to a browser in several ways (ATT&CK tracks the staging of such content as Drive-by Target), such as:
Compromising a trusted website and injecting malicious code such as JavaScript, iFrames, or cross-site scripting payloads.
Altering script files that a legitimate website serves from publicly writable cloud storage.
Buying and placing malicious ads on legitimate ad networks (malvertising).
Using built-in features of web applications to insert harmful web content or scripts (for example in forum posts or comments).
Attackers often use websites popular with specific groups, like government employees or certain industries, to target particular users. This tactic, aimed at a group with common interests, is called strategic web compromise or a watering hole attack.
A typical drive-by compromise proceeds as follows:
A user lands on a website hosting attacker-controlled content.
Scripts run automatically and fingerprint the browser and its plugins, looking for versions with known vulnerabilities.
The user might need to enable scripts or click through security warnings for this to succeed.
Once a vulnerable component is found, exploit code for that vulnerability is delivered to the browser.
If the exploit succeeds, the attacker gains code execution on the user's system, unless other safeguards (sandboxing, exploit mitigations) stop it.
Sometimes the user needs to visit the website more than once before the exploit is delivered.
This technique differs from exploiting public-facing applications because it targets client-side software when the user visits a website, and so often yields access to internal networks rather than just to external systems in a DMZ.
Attackers can also use compromised websites to redirect a user to a malicious application designed to steal Application Access Tokens, such as OAuth tokens, which grant access to protected applications and data. These malicious applications are often presented through popups on legitimate websites.
Detection
Application Log Content
Firewall and Proxy Inspection: Host firewalls (such as Windows Defender Firewall) and web proxies inspect URLs and connection attempts for indicators of malicious activity.
Reputation Analysis: These tools assess a website's reputation from domain age, registration details, presence on known-bad lists, and how often users in the organisation visit it. A newly registered domain that only one host has ever contacted deserves attention even when it is on no list yet.
Example event: Windows Filtering Platform audit event (Event ID 5157, "The Windows Filtering Platform has blocked a connection"), written to the Security log when Audit Filtering Platform Connection is enabled.
Explanation of the fields that matter when triaging such an event:
Process ID and Application Name: identify which application attempted the connection; in a drive-by case expect the browser or a process it spawned.
Network Information: Direction, Source Address and Port, Destination Address and Port, and Protocol of the attempted connection.
Filter Information: Filter Run-Time ID and Layer Name identify which firewall filter and which WFP layer blocked the connection.
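A worked example of the reputation scoring described above, added here as an illustration and not taken from the page: it parses constructed proxy log lines, combines domain age, denylist membership and the number of internal hosts that contact a destination into a score, and lists the destinations that hit two or more signals. The log lines, the DOMAIN_INTEL table and the thresholds are all constructed assumptions; in practice the table would be fed from WHOIS data and threat-intelligence feeds.

```python
"""Reputation scoring for destinations seen in proxy/firewall logs.

Added example (not from the original page). The log lines and the
domain-intelligence table are constructed for illustration.
"""
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
PROXY_LOG = """\
2024-03-04T09:01:12Z 10.0.1.15 GET https://intranet.example.local/home 200
2024-03-04T09:01:30Z 10.0.1.15 GET https://cdn.example-ads.net/banner.js 200
2024-03-04T09:01:31Z 10.0.1.15 GET https://fresh-promo-9921.xyz/landing 200
2024-03-04T09:01:33Z 10.0.1.15 GET https://fresh-promo-9921.xyz/update.exe 200
2024-03-04T09:02:01Z 10.0.1.22 GET https://intranet.example.local/home 200
2024-03-04T09:02:40Z 10.0.1.22 GET https://known-bad.example/payload 403
2024-03-04T09:03:15Z 10.0.1.31 GET https://intranet.example.local/news 200
"""

# Constructed domain intelligence: registration date and denylist membership.
DOMAIN_INTEL = {
    "intranet.example.local": {"registered": date(2015, 6, 1), "denylisted": False},
    "cdn.example-ads.net": {"registered": date(2012, 1, 20), "denylisted": False},
    "fresh-promo-9921.xyz": {"registered": date(2024, 2, 28), "denylisted": False},
    "known-bad.example": {"registered": date(2023, 11, 3), "denylisted": True},
}

TODAY = date(2024, 3, 4)          # fixed so the example is deterministic
NEW_DOMAIN_DAYS = 30              # assumed: younger domains are suspicious
RARE_VISITOR_THRESHOLD = 1        # assumed: visited by this many hosts or fewer


def parse_proxy_log(text):
    """Yield (timestamp, client, method, host, path, status) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        parts = urlsplit(url)
        yield ts, client, method, parts.hostname, parts.path, int(status)


def score_domains(log_text, intel, today=TODAY):
    """Score each destination host; higher means more suspicious.

    The signals mirror the page's reputation criteria: domain age,
    denylist membership, and how many distinct internal hosts visit it.
    """
    visitors = defaultdict(set)
    for _, client, _, host, _, _ in parse_proxy_log(log_text):
        visitors[host].add(client)

    scores = {}
    for host, clients in visitors.items():
        reasons = []
        info = intel.get(host)
        if info is None:
            reasons.append("no registration data")
        else:
            age_days = (today - info["registered"]).days
            if age_days < NEW_DOMAIN_DAYS:
                reasons.append(f"registered {age_days} days ago")
            if info["denylisted"]:
                reasons.append("on denylist")
        if len(clients) <= RARE_VISITOR_THRESHOLD:
            reasons.append(f"seen from only {len(clients)} host(s)")
        scores[host] = (len(reasons), reasons)
    return scores


def suspicious_hosts(log_text, intel, min_score=2):
    """Hosts whose score reaches min_score, most suspicious first."""
    scored = score_domains(log_text, intel)
    return sorted(
        (host for host, (score, _) in scored.items() if score >= min_score),
        key=lambda h: -scored[h][0],
    )


if __name__ == "__main__":
    for host, (score, reasons) in score_domains(PROXY_LOG, DOMAIN_INTEL).items():
        print(f"{score} {host}: {', '.join(reasons) or 'no findings'}")
```

The ad CDN scores 1 purely for being seen from a single host, which shows why any one signal is weak on its own; the two-signal threshold is an assumption to tune against your own traffic baseline.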
File Creation
Monitor for unexpected and abnormal file creations that may indicate malicious content delivered through network communications.
Example: An unexpected executable file created in the user's AppData folder.
Windows Event Log: Event ID 4663 in the Security log (An attempt was made to access an object). This event is only written when Audit File System is enabled and the monitored directory carries a SACL that audits the relevant access, so the audit configuration has to be in place before the incident.
Windows Event 4663 example:
This log entry indicates an attempt to access (write or create) a file. The fields to read are:
Security ID, Account Name, and Account Domain identify the user account involved.
Object Name points to the file path, here a potentially suspicious executable in the Temp folder.
Process Information shows the process that attempted the file creation, in this case cmd.exe, which is notable because command-line tools are commonly used in attacks.
Accesses: WriteData - for a file object, the right to write data to the file; for a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - for a directory, the right to create a file in the directory.
Process Creation
Example: A browser process creating unexpected child processes or executable files.
Windows Event Log: Event ID 4688 in the Security log (A new process has been created). The Process Command Line field is only populated when the "Include command line in process creation events" policy is enabled alongside Audit Process Creation.
Windows Event ID 4688 example:
This log records the creation of a new process. The fields to read are:
Security ID and the related Account Name and Account Domain fields again provide account information.
New Process ID and New Process Name detail the process that was started, here iexplore.exe (Internet Explorer).
Creator Process ID and Creator Process Name identify the initiating (parent) process, in this case Explorer.exe.
Process Command Line gives the command used to start the process, which can reveal whether additional, potentially malicious, parameters were used.
Explorer.exe starting iexplore.exe is normal; in a drive-by investigation the interesting case is the reverse, where the browser appears as the Creator Process of cmd.exe, powershell.exe, or an executable under AppData.
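To show how the 4663 and 4688 fields above are used in practice, here is an added example (not part of the original page) that parses Event Viewer style event text and applies the two heuristics the page describes: a browser or command-line tool writing an executable under AppData, and a browser spawning a shell. Both event texts are constructed; the SIDs, process IDs, paths and the encoded command line are illustrative.

```python
"""Triage of Windows Security events 4663 and 4688 rendered as Event Viewer text.

Added example, not from the original page. Both event texts are constructed
(SIDs, process IDs, paths and the encoded command line are illustrative).
"""
import re

# Constructed 4663 event: cmd.exe writing an .exe into the user's Temp folder.
EVENT_4663 = """\
An attempt was made to access an object.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-222222222-333333333-1104
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP

Object:
\tObject Name:\t\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe

Process Information:
\tProcess Name:\t\tC:\\Windows\\System32\\cmd.exe

Access Request Information:
\tAccesses:\t\tWriteData (or AddFile)
"""

# Constructed 4688 event: Internet Explorer spawning a hidden PowerShell.
EVENT_4688 = """\
A new process has been created.

Creator Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-222222222-333333333-1104
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP

Process Information:
\tNew Process ID:\t\t0x2310
\tNew Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
\tCreator Process ID:\t0x1a2c
\tCreator Process Name:\tC:\\Program Files\\Internet Explorer\\iexplore.exe
\tProcess Command Line:\tpowershell.exe -nop -w hidden -enc SQBFAFgA
"""

BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
COMMAND_TOOLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "rundll32.exe", "regsvr32.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".hta")
WRITE_RIGHTS = ("WriteData", "AddFile")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# 'Field:<whitespace>value'; the non-greedy key stops at the first colon, so a
# drive letter in the value ("C:\...") is not mistaken for the separator.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")


def parse_event(text):
    """Flatten Event Viewer text into {'Section/Field': value}.

    A line with no value (e.g. 'Subject:') opens a section; filing fields
    under it keeps the two 'Security ID' fields of a 4688 event apart.
    """
    fields, section = {}, ""
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if value:
            fields[f"{section}/{key}"] = value
        else:
            section = key
    return fields


def basename(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_4663(text):
    """Finding if a browser or command tool wrote an executable to a
    user-writable location; None otherwise."""
    f = parse_event(text)
    obj = f.get("Object/Object Name", "")
    proc = basename(f.get("Process Information/Process Name", ""))
    rights = f.get("Access Request Information/Accesses", "")
    if not (any(r in rights for r in WRITE_RIGHTS)
            and obj.lower().endswith(EXECUTABLE_SUFFIXES)
            and any(d in obj.lower() for d in USER_WRITABLE)
            and proc in BROWSERS | COMMAND_TOOLS):
        return None
    who = f"{f.get('Subject/Account Domain', '?')}\\{f.get('Subject/Account Name', '?')}"
    return f"{proc} wrote {obj} as {who}"


def triage_4688(text):
    """Finding if a browser spawned a command-line tool; None otherwise."""
    f = parse_event(text)
    parent = basename(f.get("Process Information/Creator Process Name", ""))
    child = basename(f.get("Process Information/New Process Name", ""))
    if parent in BROWSERS and child in COMMAND_TOOLS:
        return f"{parent} spawned {child}: {f.get('Process Information/Process Command Line', '')}"
    return None
```

Both rules depend on audit configuration: 4663 needs a SACL on the watched directories and 4688 needs command-line logging enabled, otherwise the fields the rules read are simply absent and the functions return None.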
Network Connection Creation
Review EDR, firewall and proxy logs to identify network connection events.
Use proxy logs to identify web traffic patterns and GET requests for files.
Use EDR logs for process and network creation events.
Use firewall logs to identify network connections to unknown endpoints.
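An added example (not from the page) of the correlation that EDR process and network events allow, following the chain laid out in the Overview: a browser connects out, drops a payload-like file, then starts a child process. The event records use a generic field layout that is an assumption of this example, not any vendor's schema, and the telemetry is constructed; real EDR or Sysmon data would be mapped onto it first.

```python
"""Correlating EDR process, network and file events into a drive-by chain.

Added example, not from the original page. The event layout is an
assumption of this example (not any vendor's schema) and the telemetry
is constructed.
"""
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
PAYLOAD_SUFFIXES = (".exe", ".dll", ".hta", ".js", ".vbs", ".ps1")

# Constructed telemetry for two hosts; only WS-1 shows the full chain.
EVENTS = [
    {"ts": "2024-03-04T09:01:30", "host": "WS-1", "type": "process_create",
     "pid": 4120, "ppid": 980, "image": "chrome.exe"},
    {"ts": "2024-03-04T09:01:33", "host": "WS-1", "type": "network_connect",
     "pid": 4120, "image": "chrome.exe", "dest": "fresh-promo-9921.xyz:443"},
    {"ts": "2024-03-04T09:01:40", "host": "WS-1", "type": "file_create",
     "pid": 4120, "image": "chrome.exe",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"ts": "2024-03-04T09:01:52", "host": "WS-1", "type": "process_create",
     "pid": 5008, "ppid": 4120, "image": "update.exe"},
    {"ts": "2024-03-04T09:05:00", "host": "WS-2", "type": "network_connect",
     "pid": 3300, "image": "msedge.exe", "dest": "intranet.example.local:443"},
    {"ts": "2024-03-04T09:05:10", "host": "WS-2", "type": "file_create",
     "pid": 3300, "image": "msedge.exe",
     "path": "C:\\Users\\asmith\\Downloads\\report.pdf"},
]


def event_time(event):
    return datetime.fromisoformat(event["ts"])


def find_drive_by_chains(events, window_seconds=90):
    """Return one finding per browser connection that is followed, on the
    same host and within window_seconds, by that browser process writing a
    payload-like file and then starting a child process.
    """
    events = sorted(events, key=event_time)
    window = timedelta(seconds=window_seconds)
    findings = []
    for i, net in enumerate(events):
        if net["type"] != "network_connect" or net["image"].lower() not in BROWSERS:
            continue
        deadline = event_time(net) + window
        drop = child = None
        for later in events[i + 1:]:
            if event_time(later) > deadline:
                break                      # events are sorted; window closed
            if later["host"] != net["host"]:
                continue
            if (drop is None and later["type"] == "file_create"
                    and later["pid"] == net["pid"]
                    and later["path"].lower().endswith(PAYLOAD_SUFFIXES)):
                drop = later
            elif (drop is not None and later["type"] == "process_create"
                    and later["ppid"] == net["pid"]):
                child = later
                break
        if drop and child:
            findings.append({
                "host": net["host"], "browser_pid": net["pid"],
                "dest": net["dest"], "dropped": drop["path"],
                "child": child["image"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_drive_by_chains(EVENTS):
        print(finding)
```

Browsers legitimately write executables during ordinary downloads, so the file_create event alone is noise; it is the ordered chain on one process that carries the signal. PIDs are reused, so on busy hosts key on a process GUID if the EDR supplies one.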
Browser History
Browser history can be extremely helpful when investigating suspicious activity that originates from web traffic.
Look for ad traffic, malicious URLs and file downloads, and note the referral chain that led from the legitimate page to the suspicious one.
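The following added example (not from the page) carries out that review in code against a Chromium-style History database. The schema is a simplified subset of Chrome's History SQLite file (urls, visits, downloads, downloads_url_chains) and every row is constructed; timestamps use the WebKit epoch (microseconds since 1601-01-01) as Chromium does. The ad-host markers and the known-bad host are assumptions standing in for real threat intelligence.

```python
"""Reviewing a Chromium-style History database for drive-by indicators.

Added example, not from the original page. The schema is a simplified
subset of Chrome's History SQLite file and every row is constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AD_HOST_MARKERS = ("ads.", "adserver", "doubleclick")   # assumed ad indicators
KNOWN_BAD_HOSTS = {"fresh-promo-9921.xyz"}              # constructed intel
PAYLOAD_SUFFIXES = (".exe", ".hta", ".js", ".zip", ".msi")


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    # Integer division keeps the exact microsecond count (float would round).
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """In-memory History database with constructed rows: a news page leads
    to an ad, the ad to a landing page, and the landing page to a download."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, tab_url TEXT,
                                referrer TEXT, mime_type TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
    """)
    t0 = datetime(2024, 3, 4, 9, 1, 0, tzinfo=timezone.utc)
    at = lambda secs: datetime_to_webkit(t0 + timedelta(seconds=secs))
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://news.example.org/story", "Story", 1, at(0)),
        (2, "https://ads.example-ads.net/serve?id=77", "", 1, at(12)),
        (3, "https://fresh-promo-9921.xyz/landing", "Update required", 1, at(14)),
    ])
    db.executemany("INSERT INTO visits VALUES (?,?,?,?)",
                   [(1, 1, at(0), 0), (2, 2, at(12), 1), (3, 3, at(14), 2)])
    db.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?)",
               (1, "C:\\Users\\jdoe\\Downloads\\update.exe", at(20),
                "https://fresh-promo-9921.xyz/landing",
                "https://fresh-promo-9921.xyz/landing", "application/octet-stream"))
    db.execute("INSERT INTO downloads_url_chains VALUES (?,?,?)",
               (1, 0, "https://fresh-promo-9921.xyz/update.exe"))
    db.commit()
    return db


def referral_chain(db, visit_id):
    """Walk visits.from_visit backwards: the path from the first page,
    through the ad, to the landing page."""
    chain = []
    while visit_id:
        row = db.execute("SELECT u.url, v.from_visit FROM visits v "
                         "JOIN urls u ON u.id = v.url WHERE v.id = ?",
                         (visit_id,)).fetchone()
        if row is None:
            break
        chain.append(row[0])
        visit_id = row[1]
    return chain[::-1]


def review_history(db):
    """Collect the three things the page says to look for: ad traffic,
    known-bad URLs, and file downloads with their URL chain."""
    ad_visits, bad_visits, downloads = [], [], []
    for url, when in db.execute("SELECT u.url, v.visit_time FROM visits v "
                                "JOIN urls u ON u.id = v.url ORDER BY v.visit_time"):
        host = url.split("/")[2]
        stamp = webkit_to_datetime(when).isoformat()
        if any(marker in host for marker in AD_HOST_MARKERS):
            ad_visits.append((stamp, url))
        if host in KNOWN_BAD_HOSTS:
            bad_visits.append((stamp, url))
    for did, path, start, tab_url, _, mime in db.execute("SELECT * FROM downloads"):
        chain = [u for (u,) in db.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index",
            (did,))]
        downloads.append({"when": webkit_to_datetime(start).isoformat(),
                          "path": path, "from_page": tab_url, "chain": chain,
                          "mime": mime,
                          "payload_like": path.lower().endswith(PAYLOAD_SUFFIXES)})
    return {"ad_visits": ad_visits, "bad_visits": bad_visits, "downloads": downloads}
```

Chrome keeps the History file locked while it is running, so copy it out of the profile directory before opening it. The referral chain from the news page through the ad network to the landing page is exactly the malvertising path the Overview describes, and the downloads_url_chains row records the final redirect that served the file.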