T1659 Content Injection

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)

Adversaries may inject content to victim systems in various ways, including:

  • From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)
  • From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)
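An added example, not part of the ATT&CK entry or of any of the mapping sources below: the "from the side" case leaves a characteristic trace in a packet capture. The injector and the genuine server both answer the same request, so the client sees two segments on the same flow carrying the same TCP sequence number but different data, and it keeps whichever arrived first (TCP discards later data for a sequence range it already has). The check below runs over a constructed sample capture (documentation addresses, ports and payloads invented for illustration) and reports the IP TTL of both copies as supporting evidence, since the injector normally sits a different number of hops from the client than the real server does.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The fields of a captured TCP segment that the check needs."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int       # TCP sequence number of the first payload byte
    ttl: int       # IP TTL as observed at the capture point
    payload: bytes


def flow_key(seg):
    """Direction-aware flow id; server->client and client->server are separate."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def is_retransmission(earlier, later):
    """A real retransmit repeats the same bytes at the same seq; a partial
    retransmit is a prefix of the earlier data. Anything else is a mismatch."""
    shorter, longer = sorted((earlier, later), key=len)
    return longer.startswith(shorter)


def find_injections(segments):
    """Flag segments that reuse a sequence number already seen on the same flow
    but carry different data. The client has already accepted the first copy,
    so 'winner' is what the victim processed and 'loser' lost the race."""
    first_seen = defaultdict(dict)   # flow -> {seq: first Segment at that seq}
    alerts = []
    for seg in segments:
        if not seg.payload:          # pure ACKs carry nothing to inject
            continue
        per_flow = first_seen[flow_key(seg)]
        earlier = per_flow.get(seg.seq)
        if earlier is None:
            per_flow[seg.seq] = seg
            continue
        if is_retransmission(earlier.payload, seg.payload):
            continue                 # benign duplicate, not a race
        alerts.append({
            "flow": flow_key(seg),
            "seq": seg.seq,
            "winner_ttl": earlier.ttl,
            "loser_ttl": seg.ttl,
            # A large gap means the two copies came from hosts a different
            # number of hops away, i.e. not from the same server.
            "ttl_gap": abs(earlier.ttl - seg.ttl),
            "winner_payload": earlier.payload[:48],
        })
    return alerts


# Constructed sample capture (documentation addresses, invented payloads).
SERVER = ("203.0.113.10", 80)
CLIENT = ("198.51.100.7", 40312)


def to_client(seq, ttl, payload):
    return Segment(SERVER[0], SERVER[1], CLIENT[0], CLIENT[1], seq, ttl, payload)


SAMPLE = [
    Segment(CLIENT[0], CLIENT[1], SERVER[0], SERVER[1], 1, 64,
            b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # Forged reply from the injector: few hops away (high TTL), arrives first.
    to_client(1001, 243, b"HTTP/1.1 200 OK\r\nContent-Length: 49\r\n\r\n"
                         b"<script src=\"http://injected.test/x.js\"></script>"),
    # The genuine server's reply to the same request, same seq, loses the race.
    to_client(1001, 51, b"HTTP/1.1 200 OK\r\nContent-Length: 14\r\n\r\n<h1>hello</h1>"),
    # Benign retransmission of a later segment: same bytes, same path.
    to_client(2001, 51, b"<p>more</p>"),
    to_client(2001, 52, b"<p>more</p>"),
    Segment(CLIENT[0], CLIENT[1], SERVER[0], SERVER[1], 52, 64, b""),  # pure ACK
]

if __name__ == "__main__":
    for a in find_injections(SAMPLE):
        print(f"seq {a['seq']} on {a['flow']}: copy with ttl={a['winner_ttl']} "
              f"beat copy with ttl={a['loser_ttl']} (gap {a['ttl_gap']})")
```

To use this on real traffic, build Segment objects from a pcap parser and feed the flow in capture order. On a TLS-protected flow the same duplicate-sequence pattern still shows up when injection is attempted, but the client discards the forged record because it fails the record integrity check, which is why the mappings below lean on encryption in transit as the mitigation.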


CRI Profile Mappings

Capability ID   Capability Description                Mapping Type   ATT&CK ID   ATT&CK Name
PR.PS-01.06     Encryption management practices       Mitigates      T1659       Content Injection
  Comments: This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access to or theft of data and to protect the confidentiality and integrity of data at rest, in use, and in transit. To address Content Injection, ensure that all wired and wireless traffic is encrypted appropriately, follow current best practice for authentication protocols such as Kerberos, and protect web traffic (in particular traffic carrying credentials) with TLS, so that a client rejects a response that did not come from the authenticated server.
PR.PS-01.07     Cryptographic keys and certificates   Mitigates      T1659       Content Injection
  Comments: This diagnostic statement protects against Content Injection through key management and the revocation of compromised keys. Protecting the key material used by virtual private networks, identity management, and network authentication processes, restricting it to specific accounts, and enforcing access control over it all limit an adversary's ability to inject content.
DE.CM-01.05     Website and service blocking          Mitigates      T1659       Content Injection
  Comments: This diagnostic statement covers tools and measures such as blocking the download/transfer and execution of uncommon file types, which can help prevent the payloads delivered by content injection from running.
PR.PS-01.05     Encryption standards                  Mitigates      T1659       Content Injection
  Comments: This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access to or theft of data and to protect the confidentiality and integrity of data at rest, in use, and in transit. To address Content Injection, ensure that all wired and wireless traffic is encrypted appropriately, follow current best practice for authentication protocols such as Kerberos, and protect web traffic (in particular traffic carrying credentials) with TLS.

NIST 800-53 Mappings

Capability ID   Capability Description         Mapping Type   ATT&CK ID   ATT&CK Name
AC-17           Remote Access                  mitigates      T1659       Content Injection
AC-04           Information Flow Enforcement   mitigates      T1659       Content Injection
SC-07           Boundary Protection            mitigates      T1659       Content Injection

VERIS Mappings

Capability ID                             Capability Description   Mapping Type   ATT&CK ID   ATT&CK Name
action.malware.vector.remote injection    (none)                   related-to     T1659       Content Injection

Azure Mappings

Capability ID                   Capability Description          Mapping Type       ATT&CK ID   ATT&CK Name
azure_network_security_groups   Azure Network Security Groups   technique_scores   T1659       Content Injection
azure_private_link              Azure Private Link              technique_scores   T1659       Content Injection
  Comments: This capability provides protection against content injection by keeping traffic to the service on the Azure backbone rather than the public internet, removing the upstream (ISP-level) vantage point an injector relies on.
azure_vpn_gateway               Azure VPN Gateway               technique_scores   T1659       Content Injection
  Comments: This capability can mitigate content injection attacks that manipulate data in transit.

GCP Mappings

Capability ID   Capability Description   Mapping Type       ATT&CK ID   ATT&CK Name
cloud_vpn       Cloud VPN                technique_scores   T1659       Content Injection
  Comments: Cloud VPN encrypts data in transit, restricting an adversary's ability to inject content.