ATTACK-T1659Active

Content Injection

Statement

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)

Adversaries may inject content to victim systems in various ways, including:

From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)
From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)

Location

Tactic: Initial Access

Technique Details

Identifier: ATTACK-T1659
ATT&CK Page: View on MITRE

Tactics

Initial AccessCommand And Control

Platforms

LinuxmacOSWindows

Detection

Detection Strategy for Content Injection

Mitigations

Restrict Web-Based Content: Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures:

Deploy Web Proxy Filtering:

Use solutions to filter web traffic based on categories, reputation, and content types.
Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering:

Implement tools to restrict access to domains associated with malware or phishing campaigns.
Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP):

Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.

Control Browser Features:

Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats:

Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
Configure alerts for access attempts to blocked domains or repeated file download failures.

Encrypt Sensitive Information: Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures:

Encrypt Data at Rest:

Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.

Encrypt Data in Transit:

Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.

Encrypt Backups:

Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.

Encrypt Application Secrets:

Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.

Database Encryption:

Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

No cross-framework mappings available

← Back to Initial Access

Statement

Adversaries may inject content to victim systems in various ways, including:

From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)
From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)

Deploy Web Proxy Filtering:

Use solutions to filter web traffic based on categories, reputation, and content types.
Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering:

Implement tools to restrict access to domains associated with malware or phishing campaigns.
Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP):

Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.

Control Browser Features:

Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats:

Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
Configure alerts for access attempts to blocked domains or repeated file download failures.

Encrypt Data at Rest:

Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.

Encrypt Data in Transit:

Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.

Encrypt Backups:

Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.

Encrypt Application Secrets:

Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.

Database Encryption:

Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

Content Injection

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0

Content Injection

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0