From 53c52a2d58d6ccdbbb83a2a6ebf6594405bbd49d Mon Sep 17 00:00:00 2001
From: Wai Linn Oo
Date: Mon, 20 Apr 2026 08:50:13 +0630
Subject: [PATCH] New Test T1659 (Content Injection Using MITM Proxy) (#3305)
Co-authored-by: Bhavin Patel
Co-authored-by: Hare Sudhan <27735081+cyberbuff@users.noreply.github.com>
---
 atomics/T1659/T1659.yaml | 101 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 atomics/T1659/T1659.yaml
diff --git a/atomics/T1659/T1659.yaml b/atomics/T1659/T1659.yaml
new file mode 100644
index 00000000..b9f31a88
--- /dev/null
+++ b/atomics/T1659/T1659.yaml
@@ -0,0 +1,101 @@
+attack_technique: T1659
+display_name: Content Injection
+atomic_tests:
+ - name: MITM Proxy Injection
+ description: Start mitmdump and verify injected header and HTML content.
+ supported_platforms:
+ - macos
+ - linux
+ dependencies:
+ - description: python3 must be installed
+ prereq_command: |
+ command -v python3
+ get_prereq_command: |
+ brew install python3 || (sudo apt-get update && sudo apt-get install -y python3) || sudo yum install -y python3
+
+ - description: curl must be installed
+ prereq_command: |
+ command -v curl
+ get_prereq_command: |
+ brew install curl || (sudo apt-get update && sudo apt-get install -y curl) || sudo yum install -y curl
+
+ - description: pipx must be installed
+ prereq_command: |
+ pipx --version
+ get_prereq_command: |
+ brew install pipx || (sudo apt-get update && sudo apt-get install -y pipx) || sudo yum install -y pipx
+
+ - description: mitmproxy must be installed
+ prereq_command: |
+ pipx list | grep mitmproxy
+ get_prereq_command: |
+ pipx install mitmproxy || brew install mitmproxy
+ - description: mitmdump must be running on port 8080
+ prereq_command: |
+ lsof -i tcp:8080 | grep mitmdump
+ get_prereq_command: |
+ printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n if 'text/html' in flow.response.headers.get('content-type',''):\n flow.response.headers['X-Atomic']='T1659'\n flow.response.text = flow.response.text.replace('', '')" > /tmp/atomic_t1659_inject.py
+ ($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
+ sleep 5
+ lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
+ executor:
+ name: bash
+ command: |
+ curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
+ grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
+ curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
+ grep -q "Atomic T1659 Injection" 
/tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
+ cleanup_command: |
+ rm -rf /tmp/atomic_t1659_inject.py
+ rm -rf /tmp/atomic_t1659.log
+ rm -rf /tmp/curl_out.txt
+ rm -rf /tmp/atomic_t1659_page.html
+ pkill -f mitmdump || true
+
+ - name: MITM Proxy Injection (Windows)
+ description: Start mitmdump proxy with injection script in the background.
+ supported_platforms:
+ - windows
+ dependencies:
+ - description: Python must be installed
+ prereq_command: |
+ if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ winget install --id Python.Python.3 -e
+
+ - description: curl must be installed
+ prereq_command: |
+ if (Get-Command curl.exe -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ winget install --id cURL.cURL -e
+
+ - description: mitmproxy must be installed and in PATH
+ prereq_command: |
+ if (Get-Command mitmdump -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ python -m pip install mitmproxy
+ - description: mitmdump must be running on port 8080
+ prereq_command: |
+ if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ $code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
+ [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
+ Start-Process -FilePath "mitmdump" 
-ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
+ Start-Sleep -Seconds 5
+ if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
+ if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
+ $OutPath = "$env:TEMP\atomic_t1659_page.html"
+ curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
+ $Content = Get-Content -Path $OutPath -Raw
+ if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
+ cleanup_command: |
+ Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
+ Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
+ Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
+ Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
+ Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
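Review bot: The mitmdump start line in the macOS/Linux `get_prereq_command` passes only `-p 8080`, and mitmdump binds all interfaces by default, so for as long as the test runs the header/HTML-injecting proxy is reachable from the network rather than only by the test's own loopback curl calls; `$HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py --listen-host 127.0.0.1 -p 8080 > /tmp/atomic_t1659.log 2>&1 &` keeps it on loopback, and the Windows `-ArgumentList` should carry `"--listen-host", "127.0.0.1"` for the same reason. That same line hard-codes `$HOME/.local/bin/mitmdump` while the preceding dependency falls back to `brew install mitmproxy`, which does not install there (and the `pipx list | grep mitmproxy` check would also miss a brew install), so the fallback path cannot reach a running proxy; resolving the binary with `command -v mitmdump` would make the two steps consistent. The cleanup steps `pkill -f mitmdump || true` and `Stop-Process -Name "mitmdump"` terminate every mitmdump on the host, not just the one the test launched, which matters on shared test machines; writing the started process id to a file under the temp directory and killing only that pid is the safer pattern. On the Windows side `Start-Process` is given the same log file for both `-RedirectStandardOutput` and `-RedirectStandardError`, which I believe it rejects, so separate files (or a single `cmd /c ... > log 2>&1` wrapper) avoid a failing prereq step. As rendered here the printf-written script ends in `replace('', '')`, presumably because the HTML tags were stripped in display; worth confirming the committed file carries the `</body>` and `<script>` arguments that the Windows base64 payload decodes to, since the executor's `grep -q "Atomic T1659 Injection"` can only pass if they are present.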