T1659 Content Injection Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LookbackTime = 1d;
let UpdateDomains = dynamic(["windowsupdate.com", "update.microsoft.com", "download.microsoft.com", "delivery.mp.microsoft.com"]);
let SuspiciousChildren = dynamic(["wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "powershell.exe", "cmd.exe"]);
let InjectionParents = dynamic(["svchost.exe", "wuauclt.exe", "usoclient.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"]);
let HttpUpdateConnections = DeviceNetworkEvents
| where TimeGenerated > ago(LookbackTime)
| where RemotePort == 80
| where RemoteUrl has_any (UpdateDomains)
| project DeviceId, DeviceName, NetworkTime = TimeGenerated, RemoteIP, RemoteUrl;
let SuspiciousSpawns = DeviceProcessEvents
| where TimeGenerated > ago(LookbackTime)
| where InitiatingProcessFileName in~ (InjectionParents)
| where FileName in~ (SuspiciousChildren)
| where ProcessCommandLine has_any ("http://", "invoke-webrequest", "wget", "curl", "-enc ", "download", "bitsadmin")
    or FolderPath has "temp" or FolderPath has "downloads"
| project DeviceId, DeviceName, ProcessTime = TimeGenerated, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, SHA256;
HttpUpdateConnections
| join kind=inner SuspiciousSpawns on DeviceId
| where abs(datetime_diff('second', NetworkTime, ProcessTime)) <= 300
| project NetworkTime, ProcessTime, DeviceName, AccountName, RemoteIP, RemoteUrl, SuspiciousProcess = FileName, SuspiciousProcessPath = FolderPath, ProcessCommandLine, ParentProcess = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine, SHA256, TimeDeltaSec = abs(datetime_diff('second', NetworkTime, ProcessTime))
| order by NetworkTime desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Legacy enterprise systems still configured to use HTTP for Windows Update (pre-WSUS TLS migration) may generate benign HTTP connections to update domains matched by the network filter
Corporate WSUS or SCCM proxy servers that use HTTP internally to redistribute updates will cause svchost.exe to connect to update domains over port 80 as a legitimate workflow
IT automation tools (SCCM client actions, Intune management extensions, Ansible) that legitimately spawn PowerShell or cmd.exe via svchost.exe as part of managed patch workflows
Developers testing HTTP client libraries or update utilities who manually trigger download cradles from a browser session within the 5-minute correlation window

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval process=lower(Image)
| eval parent=lower(ParentImage)
| eval cmdline=lower(CommandLine)
| eval workdir=lower(CurrentDirectory)
| where match(parent, "svchost\.exe|wuauclt\.exe|usoclient\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe")
| where match(process, "wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|powershell\.exe|cmd\.exe")
| where match(cmdline, "http://|ftp://|invoke-webrequest|wget |curl |bitsadmin|/transfer")
    OR match(cmdline, "-enc |-encodedcommand ")
    OR like(workdir, "%temp%") OR like(workdir, "%downloads%")
| eval risk_score=case(
    match(parent, "svchost\.exe|wuauclt\.exe|usoclient\.exe") AND match(cmdline, "http://"), 95,
    match(cmdline, "-enc |-encodedcommand "), 90,
    match(parent, "chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe") AND match(process, "powershell\.exe|cmd\.exe"), 85,
    like(workdir, "%temp%") OR like(workdir, "%downloads%"), 75,
    true(), 65
)
| table _time, host, User, process, parent, cmdline, workdir, Hashes, risk_score
| sort -risk_score, -_time

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise software deployment systems (SCCM, Intune) that trigger PowerShell scripts through svchost.exe as part of legitimate patch management workflows
Browser extensions or enterprise browser management tools that spawn cmd.exe or PowerShell for configuration or telemetry purposes
Legitimate update agents that use HTTP endpoints on internal corporate networks or proxy servers for patching, generating the HTTP download pattern without malicious intent
Security tools and EDR agents that spawn child processes with Base64-encoded arguments for monitoring or collection purposes, matching the -enc command-line filter

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1659*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Legacy enterprise systems still configured to use HTTP for Windows Update (pre-WSUS TLS migration) may generate benign HTTP connections to update domains matched by the network filter
Corporate WSUS or SCCM proxy servers that use HTTP internally to redistribute updates will cause svchost.exe to connect to update domains over port 80 as a legitimate workflow
IT automation tools (SCCM client actions, Intune management extensions, Ansible) that legitimately spawn PowerShell or cmd.exe via svchost.exe as part of managed patch workflows

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legacy enterprise systems still configured to use HTTP for Windows Update (pre-WSUS TLS migration) may generate benign HTTP connections to update domains matched by the network filter
Corporate WSUS or SCCM proxy servers that use HTTP internally to redistribute updates will cause svchost.exe to connect to update domains over port 80 as a legitimate workflow
IT automation tools (SCCM client actions, Intune management extensions, Ansible) that legitimately spawn PowerShell or cmd.exe via svchost.exe as part of managed patch workflows

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

Legacy enterprise systems still configured to use HTTP for Windows Update (pre-WSUS TLS migration) may generate benign HTTP connections to update domains matched by the network filter
Corporate WSUS or SCCM proxy servers that use HTTP internally to redistribute updates will cause svchost.exe to connect to update domains over port 80 as a legitimate workflow
IT automation tools (SCCM client actions, Intune management extensions, Ansible) that legitimately spawn PowerShell or cmd.exe via svchost.exe as part of managed patch workflows

Google Chronicle / SecOps

yaral

rule detection_t1659 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Content Injection - T1659"
    severity = "HIGH"
    mitre_attack = "T1659"
    reference = "https://attack.mitre.org/techniques/T1659/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

Legacy enterprise systems still configured to use HTTP for Windows Update (pre-WSUS TLS migration) may generate benign HTTP connections to update domains matched by the network filter
Corporate WSUS or SCCM proxy servers that use HTTP internally to redistribute updates will cause svchost.exe to connect to update domains over port 80 as a legitimate workflow
IT automation tools (SCCM client actions, Intune management extensions, Ansible) that legitimately spawn PowerShell or cmd.exe via svchost.exe as part of managed patch workflows

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legacy enterprise systems still configured to use HTTP for Windows Update (pre-WSUS TLS migration) may generate benign HTTP connections to update domains matched by the network filter
Corporate WSUS or SCCM proxy servers that use HTTP internally to redistribute updates will cause svchost.exe to connect to update domains over port 80 as a legitimate workflow
IT automation tools (SCCM client actions, Intune management extensions, Ansible) that legitimately spawn PowerShell or cmd.exe via svchost.exe as part of managed patch workflows

Content Injection

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Initial Access

Popular Detections