PT Application Firewall

A web application firewall

T1659: Content Injection

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.

Adversaries may inject content to victim systems in various ways, including:

  • From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment)
  • From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."

Positive Technologies products that cover the technique

Detection

Detection

IDDS0029Data source and componentNetwork Traffic: Network Traffic ContentDescription

Monitor for other unusual network traffic that may indicate additional malicious content transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious payloads, content obfuscation, and exploit code.

IDDS0009Data source and componentProcess: Process CreationDescription

Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery.

IDDS0022Data source and componentFile: File CreationDescription

Monitor for unexpected and abnormal file creations that may indicate malicious content injected through online network communications.

Mitigation

IDM1021NameRestrict Web-Based ContentDescription

Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns.

IDM1041NameEncrypt Sensitive InformationDescription

Where possible, ensure that online traffic is appropriately encrypted through services such as trusted VPNs.