Last reviewed:
Detection coverage in DCV across AWS, Azure and GCP for Drive-by Compromise, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-06-27.
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:
* A legitimate website is compromised, allowing adversaries to inject malicious code * Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary * Malicious ads are paid for and served through legitimate ad providers (i.e., Malvertising) * Built-in web application interfaces that allow user-controllable content are leveraged for the insertion of malicious scripts or iFrames (e.g., cross-site scripting)
Browser push notifications may also be abused by adversaries and leveraged for malicious code injection via User Execution. By clicking "allow" on browser push notifications, users may be granting a website permission to run JavaScript code on their browser.
Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or a particular region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.
Typical drive-by compromise process:
1. A user visits a website that is used to host the adversary controlled content. 2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. The user may be required to assist in this process by enabling scripting, notifications, or active website components and ignoring warning dialog boxes. 3. Upon finding a vulnerable version, exploit code is delivered to the browser. 4. If exploitation is successful, the adversary will gain code execution on the user's system unless other protections are in place. In some cases, a second visit to the website after the initial scan is required before exploit code is delivered.
Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.
Platforms: Identity Provider, Linux, macOS, Windows.
DCV maps 2 detections across 2 cloud providers to T1189. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS GuardDuty | AWS | 1 | 0.90 |
| GCP Chronicle | GCP | 1 | 0.85 |
CloudSigma has coverage metadata for 2 T1189 rules across 1 platform. The linked platform page remains the canonical rule surface; this page will embed an example after a rule clears the public embed bar.
CloudSigma has coverage metadata for T1189, but no public example rule clears the embed bar for this page yet. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
Detection coverage in DCV across AWS, Azure and GCP for Drive-by Compromise, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-06-27.
DCV maps 2 cloud-native detections to T1189 across 2 cloud providers, drawn from AWS GuardDuty and GCP Chronicle.
T1189 is part of MITRE ATT&CK TA0001 Initial Access: How adversaries get into the environment.
CloudSigma ships 1 validated Sigma rules for T1189 across ModSecurity. Each rule is validated against its source SIEM dialect before publication.