title: Drive-by Compromise (T1189)
id: df00tech-t1189
status: experimental
description: "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Drive-by compromise occurs when exploit code is delivered through a browser, often via a compromised legitimate website (watering hole), malicious advertising (malvertising), or injected iframes/scripts. Upon visiting the malicious page, browser or plugin exploits execute code silently, commonly resulting in the browser spawning unexpected child processes, writing executables to disk, or making unusual outbound network connections that establish C2 channels. This technique is particularly dangerous because it requires no user interaction beyond visiting a page and is frequently used for targeted attacks against specific communities or industries."
references:
  - https://attack.mitre.org/techniques/T1189/
  - https://df00tech.com/detections/T1189
author: df00tech
date: 2026/04/18
tags:
  - attack.t1189
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated. The wildcard placeholder
  # (EventID: '*') would match every process_creation event, so the selection below is
  # derived from the description (a browser spawning unexpected child processes) and the
  # falsepositives list (update components); tune it against the original query before use.
  selection_parent:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\iexplore.exe'
      - '\brave.exe'
      - '\opera.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\certutil.exe'
      - '\bitsadmin.exe'
  filter_update_components:
    Image|contains:
      - '\GoogleUpdate'
      - '\MicrosoftEdgeUpdate'
  condition: selection_parent and selection_child and not filter_update_components
falsepositives:
  - "Browser-based development tools (VS Code in browser, Jupyter) that legitimately spawn shell processes or write scripts to disk"
  - "Software update mechanisms where browser update components (GoogleUpdate.exe, MicrosoftEdgeUpdate.exe) write update executables — distinguish by parent process and folder path"
  - "Enterprise web applications that use browser-initiated file downloads as part of legitimate workflows (e.g., downloading batch scripts from internal portals)"
  - "Penetration testing tools and red team frameworks that use browsers as delivery mechanisms in authorized engagements"
  - "Browser extensions with broad file system permissions writing helper applications or native messaging hosts"
level: high
