title: Drive-by Target (T1608.004)
id: df00tech-t1608-004
status: experimental
description: "Adversaries prepare operational websites to infect systems that visit over the normal course of browsing. This involves staging malicious JavaScript, exploit kit landing pages, browser profiling code (e.g., ScanBox), or trojanized downloads on adversary-controlled or compromised legitimate websites — including watering hole attacks targeting specific communities such as government agencies, industries, or regional groups. Staging methods include injecting malicious scripts into existing web pages, modifying files served from publicly writable cloud storage buckets, and purchasing malvertising space. Because staging occurs entirely on adversary infrastructure, direct detection is not possible from the victim side. Detection strategy focuses on victim-side downstream artifacts: browsers spawning unexpected child processes (exploitation indicator), executable files dropped by browser processes to temp directories, and browser network connections to newly registered or cloud-hosted infrastructure serving executable content."
references:
  - https://attack.mitre.org/techniques/T1608/004/
  - https://df00tech.com/detections/T1608.004
author: df00tech
date: 2026/03/13
tags:
  - attack.t1608.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Browser extensions or plugins that legitimately spawn helper processes — e.g., PDF readers (AcroRd32.exe), video codec installers, accessibility tools launched via browser"
  - Legitimate software update mechanisms triggered through the browser — Chrome or Firefox update pipelines may invoke msiexec.exe or cmd.exe to apply updates
  - "Developer workflows using browser-based IDEs, build tools, or debugging extensions that spawn local script interpreters or Node.js processes"
  - "Enterprise protocol handlers (custom URI schemes such as myapp://) that allow browsers to launch registered desktop applications or scripts"
  - Download managers integrated with browsers that save executable files to standard temp directories before user-initiated installation
level: high
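The victim-side strategy the description outlines (a browser spawning an unexpected child, or launching an executable from a temp directory), as an added Python example that is not df00tech's rule or KQL/SPL query: it walks constructed Sysmon-style process_creation records, allowlists the benign cases from the falsepositives list, and tiers the rest. The browser, updater and interpreter image names are assumptions to tune per environment.

```python
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Children a browser launches for legitimate reasons (tune per environment); taken from the falsepositives list.
EXPECTED_CHILDREN = {
    "chrome.exe", "msedge.exe", "firefox.exe",  # renderer / GPU / utility helpers
    "acrord32.exe",                             # PDF reader helper
    "googleupdate.exe", "msedgeupdate.exe",     # updater image names (assumed)
}
# Interpreters and LOLBins that a browser should never launch on its own
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def classify(event):
    """Classify one process_creation event: 'alert', 'review', or None (benign)."""
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    image = event["Image"].lower()
    child = PureWindowsPath(image).name
    if parent not in BROWSERS or child in EXPECTED_CHILDREN:
        return None
    if child in SUSPICIOUS_CHILDREN:
        return "alert"   # browser spawned an interpreter / LOLBin: exploitation indicator
    if any(marker in image for marker in TEMP_MARKERS):
        return "alert"   # executable dropped to a temp directory and then launched
    return "review"      # unexpected child, e.g. msiexec via an updater or a protocol handler


def triage(events):
    """Return (verdict, ParentImage, Image) for every event that is not benign."""
    return [(v, e["ParentImage"], e["Image"]) for e in events if (v := classify(e))]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 style records, not real telemetry
    {"ParentImage": CHROME, "Image": CHROME},
    {"ParentImage": CHROME, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": FIREFOX, "Image": r"C:\Users\alice\AppData\Local\Temp\setup_7f3a.exe"},
    {"ParentImage": FIREFOX, "Image": r"C:\Windows\System32\msiexec.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for verdict, parent, image in triage(SAMPLE_EVENTS):
        print(f"{verdict:6} {parent} -> {image}")
```

The "review" tier exists because msiexec.exe under a browser is listed above as a legitimate update path, so it warrants enrichment (signer, command line) rather than an immediate alert.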
