Detect Content Injection in Google Chronicle
This detection identifies adversary content injection attacks where malicious payloads are delivered by manipulating in-transit network traffic between victims and legitimate online services. Rather than hosting payloads on attacker-controlled websites, adversaries operating at a compromised network position—such as a compromised ISP or routing infrastructure—intercept and modify DNS, HTTP, or SMB responses before they reach the victim. The detection focuses on three behavioral indicators: suspicious interpreter or downloader processes spawned by web browsers or Windows Update components following unencrypted HTTP connections to known update domains; HTTP connections to Microsoft update infrastructure over plaintext port 80 (which should exclusively use HTTPS/443); and DNS resolutions of trusted domains returning IP addresses outside expected authoritative ranges. Known threat activity consistent with this technique includes MoustachedBouncer injecting fake Windows Update pages to deploy malware against diplomatic targets in Belarus, and the Disco implant achieving initial access through injected DNS, HTTP, and SMB replies that redirected victims to attacker-controlled download servers.
MITRE ATT&CK
- Technique
- T1659 Content Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1659/
YARA-L Detection Query
rule detection_t1659 {
meta:
author = "Argus Detection Platform"
description = "Detects Content Injection - T1659"
severity = "HIGH"
mitre_attack = "T1659"
reference = "https://attack.mitre.org/techniques/T1659/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.hostname = $hostname
$e.target.process.file.full_path = $process_path
$e.target.process.command_line = $cmdline
(
re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
(
re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
re.regex($e.target.process.command_line, `(?i)-bypass`) or
re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
re.regex($e.target.process.command_line, `(?i)http://`)
)
)
not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)
condition:
$e
}Google Chronicle YARA-L 2.0 rule for detecting Content Injection (T1659). Uses Chronicle UDM event model to identify content injection behaviors across endpoint and cloud telemetry.
Data Sources
Required Tables
False Positives & Tuning
- Legacy enterprise systems still configured to use HTTP for Windows Update (pre-WSUS TLS migration) may generate benign HTTP connections to update domains matched by the network filter
- Corporate WSUS or SCCM proxy servers that use HTTP internally to redistribute updates will cause svchost.exe to connect to update domains over port 80 as a legitimate workflow
- IT automation tools (SCCM client actions, Intune management extensions, Ansible) that legitimately spawn PowerShell or cmd.exe via svchost.exe as part of managed patch workflows
Other platforms for T1659
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate DNS Injection via Hosts File Redirect of Update Domain
Expected signal: Sysmon Event ID 22 (DNS Query) showing download.microsoft.com with QueryResults containing 198.51.100.1; Sysmon Event ID 1 for nslookup.exe process creation with command line including 'download.microsoft.com'
- Test 2Simulated Injected Payload Execution from Browser-Spawned Process
Expected signal: Sysmon Event ID 1 for cmd.exe spawning powershell.exe with Invoke-WebRequest and http:// URI in CommandLine; Sysmon Event ID 3 showing powershell.exe attempting TCP connection to 198.51.100.1:80; working directory will be user profile or temp path
- Test 3LOLBin Certutil Download Cradle from Temp Path
Expected signal: Sysmon Event ID 1 for certutil_test.exe (copied certutil) executing from %TEMP% path with -urlcache and http:// URL in CommandLine; Sysmon Event ID 3 for HTTP connection attempt from temp path binary to 198.51.100.1:80; Sysmon Event ID 11 for file copy creating certutil_test.exe in temp
References (7)
- https://attack.mitre.org/techniques/T1659/
- https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/
- https://securelist.com/the-man-on-the-side-attack/66821/
- https://www.eff.org/deeplinks/2015/04/githubs-complaint-and-update-attack-github
- https://encyclopedia.kaspersky.com/glossary/man-in-the-middle-attack/
- https://attack.mitre.org/software/S1088/
- https://attack.mitre.org/groups/G1019/
Unlock Pro Content
Get the full detection package for T1659 including response playbook, investigation guide, and atomic red team tests.