Not every protection is detection based; it can also be prevention, by configuring your network to standards. This blog series (MITRE Hunting) will cover each MITRE technique and tactic and its detection/prevention process.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Common drive-by compromise steps:

  1. A user goes to a website that hosts content the adversary controls.
  2. Scripts run automatically and often look for possibly vulnerable browser and plugin versions.
    • The user may be required to assist in this process by enabling scripting or other active website components and ignoring warning dialog boxes.
  3. The browser receives exploit code after being found to be vulnerable.
  4. If exploitation is successful, the adversary will be able to execute code on the user's PC unless other safeguards are in place.
    • After the initial scan, it may be necessary to return to the website again before the exploit code is delivered.

Suggested Detection (MITRE):

Data Source: Application Log
Detects: Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources, such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.

Data Source: File
Detects: Monitor for newly constructed files written to disk to gain access to a system through a user visiting a website over the normal course of browsing.

Data Source: Network Traffic
Detects: Monitor for newly constructed network connections that are sent or received by untrusted hosts. Monitor for network traffic that solicits and obtains the configuration information of the queried device.

Data Source: Process
Detects: Monitor for newly executed processes to gain access to a system through a user visiting a website over the normal course of browsing.

Comments on Detection & Prevention Mechanisms:

  1. Have proxies block malicious domains.
  2. Block highly confident malicious domains on your firewall/EDR tools.
  3. Create detection rules for any matches against bad domains using dynamic watchlists/lookups or external data. If you do not have a paid threat intelligence service, there is a lot of open-source intel that can be used, as well as affordable paid data.

Possible detection/threat hunting rules:

Title: Drive-by downloads from suspicious TLDs 

Description: Monitor for newly constructed files written to disk to gain access to a system through a user visiting a website over the normal course of browsing.

Author: 'Meena Rajendran' 

Date: 11/07/2022

Logsource: EDR Network logs, Proxy

Detection pseudo:

   File extension: 'exe', 'vbs', 'bat', 'rar', 'ps1', 'doc', 'docm', 'xls', 'xlsm', 'pptm', 'rtf', 'hta', 'dll', 'ws', 'wsf', 'sct', 'zip'
   Domains_endswith: '.country' , '.stream' , '.gdn' , '.mom' , '.xin' , '.kim' , '.men' , '.loan' , '.download' , '.racing' , '.online' , '.science' , '.ren' , '.gb' , '.win' , '.top' , '.review' , '.vip' , '.party' , '.tech' , '.xyz' , '.date' , '.faith' , '.zip' , '.cricket' , '.space' , '.info' , '.vn' , '.cm' , '.am' , '.cc' , '.asia' , '.ws' , '.tk' , '.biz' , '.su' , '.st' , '.ro' , '.ge' , '.ms' , '.pk' , '.nu' , '.me' , '.ph' , '.to' , '.tt' , '.name' , '.tv' , '.kz' , '.tc' , '.mobi' , '.study' , '.click' , '.link' , '.trade' , '.accountant' , '.cf' , '.gq' , '.ml' , '.ga' , '.pw'

Condition: File extension and Domains_endswith

Level: Medium
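The pseudo rule above turned into runnable Python, as an added example rather than the author's own tooling: it applies both conditions (watched file extension AND host ending in a watched suffix) to a constructed proxy log, assuming a space-separated line format of time, client, method, URL, status.

```python
from urllib.parse import urlparse

# Both lists are copied from the rule above; the rest of this block is an added example.
SUSPICIOUS_EXTENSIONS = {
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm", "pptm",
    "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
}
SUSPICIOUS_SUFFIXES = (
    ".country", ".stream", ".gdn", ".mom", ".xin", ".kim", ".men", ".loan",
    ".download", ".racing", ".online", ".science", ".ren", ".gb", ".win", ".top",
    ".review", ".vip", ".party", ".tech", ".xyz", ".date", ".faith", ".zip",
    ".cricket", ".space", ".info", ".vn", ".cm", ".am", ".cc", ".asia", ".ws",
    ".tk", ".biz", ".su", ".st", ".ro", ".ge", ".ms", ".pk", ".nu", ".me", ".ph",
    ".to", ".tt", ".name", ".tv", ".kz", ".tc", ".mobi", ".study", ".click",
    ".link", ".trade", ".accountant", ".cf", ".gq", ".ml", ".ga", ".pw",
)

def matches_rule(url):
    """Rule condition: watched file extension AND host ending in a watched suffix."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()          # drops port/userinfo, normalises case
    last_segment = parsed.path.rsplit("/", 1)[-1].lower()   # query string is not part of path
    ext = last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""
    return ext in SUSPICIOUS_EXTENSIONS and host.endswith(SUSPICIOUS_SUFFIXES)

def hunt(log_lines):
    """Return (client, url) for every log line that matches the rule.
    Assumed line format (constructed): time client method url status."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue                       # malformed line: skip, do not abort the hunt
        _time, client, _method, url, _status = fields[:5]
        if matches_rule(url):
            hits.append((client, url))
    return hits

# Constructed sample proxy log, not real traffic.
SAMPLE_LOG = [
    "2022-11-07T10:00:01Z 10.0.0.5 GET http://cdn.example.com/report.pdf 200",
    "2022-11-07T10:00:02Z 10.0.0.5 GET http://update-files.xyz/Setup.EXE?id=7 200",
    "2022-11-07T10:00:03Z 10.0.0.9 GET https://docs.example.com/q3.docm 200",
    "2022-11-07T10:00:04Z 10.0.0.9 GET https://promo.click:8443/invoice.zip 200",
    "2022-11-07T10:00:05Z 10.0.0.7 GET https://news.top/ 200",
    "garbage line",
]

for client, url in hunt(SAMPLE_LOG):
    print("ALERT", client, "->", url)
```

Note that a bare visit to a watched TLD (the news.top line) does not fire, because the rule requires both conditions; tuning is a matter of editing the two lists.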
