title: Content Injection (T1659)
id: df00tech-t1659
status: experimental
description: "This detection identifies adversary content injection attacks where malicious payloads are delivered by manipulating in-transit network traffic between victims and legitimate online services. Rather than hosting payloads on attacker-controlled websites, adversaries operating at a compromised network position—such as a compromised ISP or routing infrastructure—intercept and modify DNS, HTTP, or SMB responses before they reach the victim. The detection focuses on three behavioral indicators: suspicious interpreter or downloader processes spawned by web browsers or Windows Update components following unencrypted HTTP connections to known update domains; HTTP connections to Microsoft update infrastructure over plaintext port 80 (which should exclusively use HTTPS/443); and DNS resolutions of trusted domains returning IP addresses outside expected authoritative ranges. Known threat activity consistent with this technique includes MoustachedBouncer injecting fake Windows Update pages to deploy malware against diplomatic targets in Belarus, and the Disco implant achieving initial access through injected DNS, HTTP, and SMB replies that redirected victims to attacker-controlled download servers."
references:
  - https://attack.mitre.org/techniques/T1659/
  - https://df00tech.com/detections/T1659
author: df00tech
date: 2026/03/20
tags:
  - attack.t1659
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legacy enterprise systems still configured to use HTTP for Windows Update (pre-WSUS TLS migration) may generate benign HTTP connections to update domains matched by the network filter
  - Corporate WSUS or SCCM proxy servers that use HTTP internally to redistribute updates will cause svchost.exe to connect to update domains over port 80 as a legitimate workflow
  - "IT automation tools (SCCM client actions, Intune management extensions, Ansible) that legitimately spawn PowerShell or cmd.exe via svchost.exe as part of managed patch workflows"
  - Developers testing HTTP client libraries or update utilities who manually trigger download cradles from a browser session within the 5-minute correlation window
level: high