Content Injection

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.^[1]

Adversaries may inject content to victim systems in various ways, including:

From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment) ^[2]
From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server ^[3]

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."^[3]^[1]^[4]

ID: T1659

Sub-techniques: No sub-techniques

ⓘ

Tactics: Initial Access, Command and Control

ⓘ

Platforms: Linux, Windows, macOS

Version: 1.0

Created: 01 September 2023

Last Modified: 15 April 2025

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
S1088	Disco	Disco has achieved initial access and execution through content injection into DNS, HTTP, and SMB replies to targeted hosts that redirect them to download malicious files.^[5]
G1019	MoustachedBouncer	MoustachedBouncer has injected content into DNS, HTTP, and SMB replies to redirect specifically-targeted victims to a fake Windows Update page to download malware.^[5]

Mitigations

ID	Mitigation	Description
M1041	Encrypt Sensitive Information	Where possible, ensure that online traffic is appropriately encrypted through services such as trusted VPNs.
M1021	Restrict Web-Based Content	Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0022	File	File Creation	Monitor for unexpected and abnormal file creations that may indicate malicious content injected through online network communications. Analytic 1 - Detecting Malicious File Creation via Content Injection `(EventCode=11 OR source="/var/log/audit/audit.log" type="open")\| where (file_type IN ("exe", "dll", "js", "vbs", "ps1", "sh", "php"))\| where (process_path="C:\Users\\AppData\Local\Temp\" OR process_path="/tmp/" OR process_path="/var/tmp/")\| eval risk_score=case( like(file_name, "%.exe"), 8, like(file_name, "%.js"), 9, like(file_name, "%.sh"), 7)\| where risk_score >= 7\| stats count by _time, host, user, file_name, process_path, risk_score`
DS0029	Network Traffic	Network Traffic Content	Monitor for other unusual network traffic that may indicate additional malicious content transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious payloads, content obfuscation, and exploit code. Analytic 1 - Detecting Content Injection in Network Traffic `(EventCode=3)OR (source="zeek_http_logs" response_code IN (302, 307) AND url IN (malicious_redirect_list))OR (source="proxy_logs" response_body_content IN (suspicious_script_list))\| eval risk_score=case( response_code=302 AND url IN (malicious_redirect_list), 9, response_body_content IN (suspicious_script_list), 8, url LIKE "%@%", 7)\| where risk_score >= 7\| stats count by _time, host, user, url, response_code, risk_score`
DS0009	Process	Process Creation	Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery. Analytic 1 - Detecting Malicious Process Execution from Injected Content (EventCode=1 OR source="/var/log/audit/audit.log" type="execve")\| where (parent_process IN ("chrome.exe", "firefox.exe", "edge.exe", "safari.exe", "iexplore.exe"))\| where (process_name IN ("powershell.exe", "cmd.exe", "wget", "curl", "bash", "python"))\| eval risk_score=case( process_name IN ("powershell.exe", "cmd.exe"), 9, process_name IN ("wget", "curl"), 8, parent_process IN ("chrome.exe", "firefox.exe"), 7)\| where risk_score >= 7\| stats count by _time, host, user, process_name, parent_process, risk_score

DS0022

File

File Creation

Monitor for unexpected and abnormal file creations that may indicate malicious content injected through online network communications.

Analytic 1 - Detecting Malicious File Creation via Content Injection

(EventCode=11 OR source="/var/log/audit/audit.log" type="open")| where (file_type IN ("exe", "dll", "js", "vbs", "ps1", "sh", "php"))| where (process_path="C:\Users\\AppData\Local\Temp\" OR process_path="/tmp/" OR process_path="/var/tmp/")| eval risk_score=case( like(file_name, "%.exe"), 8, like(file_name, "%.js"), 9, like(file_name, "%.sh"), 7)| where risk_score >= 7| stats count by _time, host, user, file_name, process_path, risk_score

DS0029

Network Traffic

Network Traffic Content

Monitor for other unusual network traffic that may indicate additional malicious content transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious payloads, content obfuscation, and exploit code.

Analytic 1 - Detecting Content Injection in Network Traffic

(EventCode=3)OR (source="zeek_http_logs" response_code IN (302, 307) AND url IN (malicious_redirect_list))OR (source="proxy_logs" response_body_content IN (suspicious_script_list))| eval risk_score=case( response_code=302 AND url IN (malicious_redirect_list), 9, response_body_content IN (suspicious_script_list), 8, url LIKE "%@%", 7)| where risk_score >= 7| stats count by _time, host, user, url, response_code, risk_score

DS0009

Process

Process Creation

Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery.

Analytic 1 - Detecting Malicious Process Execution from Injected Content

(EventCode=1 OR source="/var/log/audit/audit.log" type="execve")| where (parent_process IN ("chrome.exe", "firefox.exe", "edge.exe", "safari.exe", "iexplore.exe"))| where (process_name IN ("powershell.exe", "cmd.exe", "wget", "curl", "bash", "python"))| eval risk_score=case( process_name IN ("powershell.exe", "cmd.exe"), 9, process_name IN ("wget", "curl"), 8, parent_process IN ("chrome.exe", "firefox.exe"), 7)| where risk_score >= 7| stats count by _time, host, user, process_name, parent_process, risk_score

Content Injection

Procedure Examples

Mitigations

Detection

References