MITRE ATT&CK Technique
Description
Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including: * Inserting malicious scripts into web pages or other user controllable web content such as forum posts * Modifying script files served to websites from publicly writeable cloud storage buckets * Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008)) In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox) Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-03-17T20:33:20.127Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may prepare an operational environment to infect '
'systems that visit a website over the normal course of '
'browsing. Endpoint systems may be compromised through '
'browsing to adversary controlled sites, as in [Drive-by '
'Compromise](https://attack.mitre.org/techniques/T1189). In '
"such cases, the user's web browser is typically targeted for "
'exploitation (often not requiring any extra user interaction '
'once landing on the site), but adversaries may also set up '
'websites for non-exploitation behavior such as [Application '
'Access Token](https://attack.mitre.org/techniques/T1550/001). '
'Prior to [Drive-by '
'Compromise](https://attack.mitre.org/techniques/T1189), '
'adversaries must stage resources needed to deliver that '
'exploit to users who browse to an adversary controlled site. '
'Drive-by content can be staged on adversary controlled '
'infrastructure that has been acquired ([Acquire '
'Infrastructure](https://attack.mitre.org/techniques/T1583)) '
'or previously compromised ([Compromise '
'Infrastructure](https://attack.mitre.org/techniques/T1584)).\n'
'\n'
'Adversaries may upload or inject malicious web content, such '
'as '
'[JavaScript](https://attack.mitre.org/techniques/T1059/007), '
'into websites.(Citation: FireEye CFR Watering Hole '
'2012)(Citation: Gallagher 2015) This may be done in a number '
'of ways, including:\n'
'\n'
'* Inserting malicious scripts into web pages or other user '
'controllable web content such as forum posts\n'
'* Modifying script files served to websites from publicly '
'writeable cloud storage buckets\n'
'* Crafting malicious web advertisements and purchasing ad '
'space on a website through legitimate ad providers (i.e., '
'[Malvertising](https://attack.mitre.org/techniques/T1583/008))\n'
'\n'
"In addition to staging content to exploit a user's web "
'browser, adversaries may also stage scripting content to '
"profile the user's browser (as in [Gather Victim Host "
'Information](https://attack.mitre.org/techniques/T1592)) to '
'ensure it is vulnerable prior to attempting '
'exploitation.(Citation: ATT ScanBox)\n'
'\n'
'Websites compromised by an adversary and used to stage a '
'drive-by may be ones visited by a specific community, such as '
'government, a particular industry, or region, where the goal '
'is to compromise a specific user or set of users based on a '
'shared interest. This kind of targeted campaign is referred '
'to a strategic web compromise or watering hole attack.\n'
'\n'
'Adversaries may purchase domains similar to legitimate '
'domains (ex: homoglyphs, typosquatting, different top-level '
'domain, etc.) during acquisition of infrastructure '
'([Domains](https://attack.mitre.org/techniques/T1583/001)) to '
'help facilitate [Drive-by '
'Compromise](https://attack.mitre.org/techniques/T1189).',
'external_references': [{'external_id': 'T1608.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1608/004'},
{'description': 'Blasco, J. (2014, August 28). '
'Scanbox: A Reconnaissance Framework '
'Used with Watering Hole Attacks. '
'Retrieved October 19, 2020.',
'source_name': 'ATT ScanBox',
'url': 'https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks'},
{'description': 'Gallagher, S.. (2015, August 5). '
'Newly discovered Chinese hacking '
'group hacked 100+ websites to use as '
'“watering holes”. Retrieved January '
'25, 2016.',
'source_name': 'Gallagher 2015',
'url': 'http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/'},
{'description': 'Kindlund, D. (2012, December 30). '
'CFR Watering Hole Attack Details. '
'Retrieved November 17, 2024.',
'source_name': 'FireEye CFR Watering Hole 2012',
'url': 'https://web.archive.org/web/20201024230407/https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html'}],
'id': 'attack-pattern--31fe0ba2-62fd-4fd9-9293-4043d84f7fe9',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:48:36.634Z',
'name': 'Drive-by Target',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.3'}