Initial Access - Drive-by Compromise

Initial Access 🔓

  • Goal: The attacker gains initial access to the target system.

  • Initial Access Techniques

    • 📥 Content Injection

    • 🌐 Exploit Public-Facing Application

    • 🛠 Hardware Additions

    • 💾 Replication Through Removable Media

    • 🤝 Trusted Relationship

    • 🚗 Drive-by Compromise

    • 🌐 External Remote Services

    • 🎣 Phishing

    • 🔗 Supply Chain Compromise

    • 🔑 Valid Accounts

What is Drive-by Compromise

Adversaries can gain access to a system when a user visits a website in the normal course of browsing. Typically this involves exploiting vulnerabilities in the user's web browser, but the same vector can also be used to steal application access tokens (e.g., OAuth tokens) without exploiting any software flaw.


Attack Techniques

📌 Methods of Delivering Malicious Code:

  • Compromising legitimate websites by injecting JavaScript, iFrames, or cross-site scripting (XSS).

  • Modifying script files served from publicly writable cloud storage.

  • Injecting malicious ads (Malvertising) through legitimate ad networks.

  • Exploiting web application interfaces to insert malicious content into comments, forum posts, or other user-generated content.

📌 Watering Hole Attacks

  • Targeting websites frequently visited by specific industries, regions, or communities to infect a particular group of users.
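The delivery methods above (injected script tags, hidden iframes, scripts pulled from an origin the site never used) leave traces in the HTML a compromised site serves. The following is an added example, not part of the original notes: a small Python scanner a site owner or SOC could run over their own pages to flag those traces. The trusted-host allowlist, the obfuscation patterns and the sample pages are assumptions constructed for the example; the 203.0.113.x address is a documentation range, not a real indicator.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the site's own script origins. Anything else is worth a look.
TRUSTED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Illustrative indicators of an injected loader; not an exhaustive signature set.
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),   # long run of hex escapes
    re.compile(r"document\.write\s*\("),
]

# Inline styles used to keep an iframe out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)


class InjectionScanner(HTMLParser):
    """Collects (line, kind, detail) findings for suspicious iframes and scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []
        self._script_line = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line, _ = self.getpos()
        if tag == "iframe" and self._is_hidden(a):
            self.findings.append((line, "hidden-iframe", a.get("src", "")))
        elif tag == "script":
            src = a.get("src")
            if src:
                host = urlsplit(src).hostname
                if host and host not in TRUSTED_SCRIPT_HOSTS:
                    self.findings.append((line, "untrusted-script-src", src))
            else:
                # Inline script: buffer its body until the closing tag.
                self._in_script = True
                self._script_buf = []
                self._script_line = line

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            hits = [p.pattern for p in OBFUSCATION_PATTERNS if p.search(body)]
            if hits:
                self.findings.append((self._script_line, "obfuscated-inline-script", "; ".join(hits)))

    @staticmethod
    def _is_hidden(attrs):
        def tiny(value):
            try:
                return int(str(value).rstrip("px")) <= 1
            except ValueError:
                return False
        sized_away = tiny(attrs.get("width")) and tiny(attrs.get("height"))
        return sized_away or bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def scan_html(html):
    """Return the list of findings for one HTML document."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages: a clean page and the same page after an injection.
CLEAN_PAGE = """<html><head><script src="https://cdn.example-shop.test/app.js"></script></head>
<body><h1>Shop</h1>
<iframe src="https://www.example-shop.test/help" width="600" height="400"></iframe>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://203.0.113.9/land.php" width="0" height="0" style="display:none"></iframe>
<script src="http://203.0.113.9/a.js"></script>
<script>eval(unescape("%3Cscript%3E"));</script>
</body>""")

if __name__ == "__main__":
    for page_name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(page_name)
        for line, kind, detail in scan_html(page):
            print(f"  line {line}: {kind} {detail}")
```

Run it against a saved copy of a page and against the live response; a finding that appears only in the live copy is the kind of change the "compromising legitimate websites" bullet describes. The allowlist is the important part: a script from an origin the site never used is a stronger signal than any pattern inside the script body.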

Typical Attack Process

1๏ธโƒฃ The user visits a website that hosts adversary-controlled content.
2๏ธโƒฃ Scripts execute automatically, checking browser and plugin versions for vulnerabilities.
3๏ธโƒฃ The user may be tricked into enabling scripts or ignoring security warnings.
4๏ธโƒฃ If a vulnerability is found, exploit code is delivered to the browser.
5๏ธโƒฃ Upon successful exploitation, the adversary gains code execution on the system.
6๏ธโƒฃ In some cases, the exploit is delivered only on a second visit, after initial reconnaissance.


Characteristics and Differences

  • Differences from Exploit Public-Facing Application

    • Targets client-side software rather than server applications.

    • More likely to grant access to internal networks rather than external DMZ systems.

  • Stealing Application Access Tokens

    • Malicious popups may be used to steal OAuth tokens and gain unauthorized access to protected applications.

To defend against these attacks, users should apply the latest security patches, use script-blocking tools, enable security extensions, and avoid visiting untrusted websites.
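On the site-owner side, the script-blocking idea above has a server-side counterpart: a Content-Security-Policy header that refuses to run injected inline scripts, scripts from unexpected origins, and hidden iframes pointing at attacker pages. The following is an added example, not part of the original notes: a Python checker that parses a CSP header and reports the settings that would let the injection methods listed earlier succeed, shown against a weak policy and a corrected one. The two policy strings and the cdn.example-shop.test origin are constructed for the example.

```python
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
WILDCARD_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _effective(policy, name, fallbacks):
    """Resolve a directive the way browsers do: use it if set, else its fallbacks."""
    for key in (name, *fallbacks):
        if key in policy:
            return policy[key]
    return None


def csp_weaknesses(header):
    """Return a list of human-readable weaknesses relevant to drive-by content injection."""
    policy = parse_csp(header)
    issues = []

    script = _effective(policy, "script-src", ("default-src",))
    if script is None:
        issues.append("script-src: absent and no default-src, so injected <script> tags from any origin run")
    else:
        # 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is present.
        if "'unsafe-inline'" in script and not any(s.startswith(NONCE_OR_HASH) for s in script):
            issues.append("script-src: 'unsafe-inline' without nonce/hash lets injected inline JavaScript run")
        if any(s in WILDCARD_SOURCES for s in script):
            issues.append("script-src: wildcard origin lets injected external script tags run")
        if "'unsafe-eval'" in script:
            issues.append("script-src: 'unsafe-eval' lets obfuscated loaders decode and execute payloads")

    frame = _effective(policy, "frame-src", ("child-src", "default-src"))
    if frame is None or any(s in WILDCARD_SOURCES for s in frame):
        issues.append("frame-src: unrestricted, so an injected hidden iframe can load an exploit page")

    obj = _effective(policy, "object-src", ("default-src",))
    if obj != ["'none'"]:
        issues.append("object-src: plugin content allowed; set 'none' so plugin exploits cannot be embedded")

    return issues


# Constructed policies: a permissive header and a corrected one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
HARDENED_CSP = (
    "default-src 'self'; script-src 'self' https://cdn.example-shop.test; "
    "object-src 'none'; frame-src 'self'; base-uri 'self'"
)

if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {header}")
        for issue in csp_weaknesses(header) or ["no weaknesses found"]:
            print(f"  - {issue}")
```

The hardened policy does not patch a browser, so it belongs alongside the user-side measures in the paragraph above rather than replacing them; what it does is make the injected iframe, script tag or inline loader fail to execute on a site that has been tampered with, which closes the first steps of the attack process.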
