Content Injection
Key Points:
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic.
Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."
Look for file creation events for suspicious files (Event ID 4663).
Look for process creation events for suspicious processes (Event ID 4688).
Look for suspicious network traffic.
Adversaries can access and communicate with victims by injecting malicious content into online traffic, either in the middle of client-server communications or as fake responses to legitimate server requests. This often exploits compromised ISP channels, enabling further payload deliveries to compromised systems.
Detection
File Creation
Monitor for unexpected and abnormal file creations that may indicate malicious content injected through online network communications.
Example: An unexpected executable file created in the user's AppData folder.
Windows Event Log: Event ID 4663 in the Security log (An attempt was made to access an object).
Windows Event 4663 example:
This log entry indicates an attempt to access (write or create) a file. The fields of interest are:
Security ID, Account Name, and Account Domain - identify the user account involved.
Object Name - points to the file path, here indicating a potentially suspicious executable in the Temp folder.
Process Information - shows the process that attempted the file creation, in this case cmd.exe, which is notable because command-line tools are commonly used in attacks.
Accesses: WriteData - for a file object, the right to write data to the file; for a directory object, the right to create a file in the directory (FILE_ADD_FILE).
Accesses: AddFile - for a directory, the right to create a file in the directory.
Process Creation
Example: A browser process creating unexpected child processes or executable files.
Windows Event Log: Event ID 4688 in the Security log (A new process has been created).
Windows Event ID 4688 example:
This log records the creation of a new process. The fields of interest are:
Security ID and the related account fields - again identify the user account involved.
New Process ID and New Process Name - detail the process that was started, here iexplore.exe (Internet Explorer).
Creator Process ID and Creator Process Name - indicate the initiating (parent) process, in this case Explorer.exe.
Process Command Line - gives the command used to start the process, which can reveal whether additional, potentially malicious, parameters were used.
Network Traffic Content
Example: Unusual outbound traffic to unknown domains or IP addresses.
Windows Event Log: No direct Windows Event Log; typically monitored using network traffic analysis tools.
If an EDR solution is in place, correlate the file and process creation events with outbound network connections or DNS requests made by the same process.
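The following Python script is an added example, not part of the original page, that turns the three detection ideas above into a small triage routine: it flags Event 4663 records where a risky file type is written into a user-writable staging folder, flags Event 4688 records where a browser spawns a command interpreter or a binary from such a folder, and then correlates the flagged process IDs with outbound-connection records of the kind an EDR or flow sensor exports. The event and connection records, the process IDs and IP addresses, the staging-folder markers, and the browser and interpreter image-name lists are all constructed or assumed for the example; only the file extensions come from the page's own list.

```python
"""Triage constructed Windows Security events for content-injection indicators:
risky files dropped into staging folders (Event ID 4663), browsers spawning
interpreters or dropped binaries (Event ID 4688), and correlation of flagged
process IDs with outbound connections from an EDR / network sensor."""
from pathlib import PureWindowsPath

# File types taken from the page's "Restrict Web-Based Content" list.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs", ".js"}
# Assumed lists (not from the page): user-writable staging folders, browser
# image names, and command interpreters a browser should not be launching.
STAGING_MARKERS = ("\\appdata\\", "\\temp\\")
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample records mirroring the 4663 / 4688 fields discussed above.
SAMPLE_EVENTS = [
    {"EventID": 4663, "AccountName": "jdoe", "ProcessId": 4120,
     "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "Accesses": "WriteData (or AddFile)"},
    {"EventID": 4663, "AccountName": "jdoe", "ProcessId": 3388,
     "ProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "ObjectName": r"C:\Users\jdoe\Documents\report.docx",
     "Accesses": "WriteData (or AddFile)"},
    {"EventID": 4688, "AccountName": "jdoe", "NewProcessId": 5204,
     "NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "CreatorProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\update.exe" /silent'},
    {"EventID": 4688, "AccountName": "jdoe", "NewProcessId": 2960,
     "NewProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CreatorProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
]
# Constructed outbound-connection records (TEST-NET addresses) keyed by process ID.
SAMPLE_CONNECTIONS = [
    {"ProcessId": 5204, "RemoteAddress": "203.0.113.7", "RemotePort": 443},
    {"ProcessId": 2960, "RemoteAddress": "198.51.100.20", "RemotePort": 443},
]


def image_name(path):
    """Lower-cased file name of a Windows path, e.g. 'cmd.exe'."""
    return PureWindowsPath(path).name.lower()


def in_staging_folder(path):
    """True if the path passes through AppData or a Temp directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in STAGING_MARKERS)


def is_risky_file(path):
    """True if the file extension is one the page recommends restricting."""
    return PureWindowsPath(path).suffix.lower() in RISKY_EXTENSIONS


def check_file_creation(ev):
    """Event 4663: WriteData / AddFile on a risky file type in a staging folder."""
    if ev["EventID"] != 4663:
        return None
    if "WriteData" not in ev["Accesses"] and "AddFile" not in ev["Accesses"]:
        return None
    target = ev["ObjectName"]
    if is_risky_file(target) and in_staging_folder(target):
        return {"rule": "risky_file_in_staging_folder", "pid": ev["ProcessId"],
                "process": image_name(ev["ProcessName"]), "target": target}
    return None


def check_process_creation(ev):
    """Event 4688: a browser launching an interpreter or a staging-folder binary."""
    if ev["EventID"] != 4688:
        return None
    parent = image_name(ev["CreatorProcessName"])
    child = ev["NewProcessName"]
    if parent in BROWSERS and (image_name(child) in INTERPRETERS or in_staging_folder(child)):
        return {"rule": "browser_spawned_suspicious_child", "pid": ev["NewProcessId"],
                "process": image_name(child), "parent": parent,
                "command_line": ev["CommandLine"]}
    return None


def triage(events, connections):
    """Apply both checks, then attach any outbound connection made by the flagged PID."""
    findings = []
    for ev in events:
        finding = check_file_creation(ev) or check_process_creation(ev)
        if finding:
            finding["account"] = ev["AccountName"]
            findings.append(finding)
    # Real pipelines also key on host and process start time; PID alone is a
    # simplification that is good enough for the constructed sample.
    by_pid = {c["ProcessId"]: c for c in connections}
    for f in findings:
        conn = by_pid.get(f["pid"])
        f["outbound"] = f"{conn['RemoteAddress']}:{conn['RemotePort']}" if conn else None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_CONNECTIONS):
        print(finding)
```

Run against the constructed sample, the script reports the cmd.exe write of update.exe into Temp and the iexplore.exe launch of that binary, and marks the latter as having an outbound connection; the Word document write and the explorer.exe launch of the browser are not reported.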
Mitigation
Restrict Web-Based Content
Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns.
Executable files (.exe, .dll, .scr, .bat, .ps1).
Script files (.vbs, .js).
Office documents with macros (.docm, .xlsm).
Compressed files (.zip, .rar).
Portable Executable (PE).
Dynamic link library files (.dll).
Encrypt Sensitive Information
Where possible, ensure that online traffic is appropriately encrypted through services such as trusted VPNs.
Use HTTPS Protocols: Ensure websites use HTTPS to encrypt data in transit. This is crucial for any site handling sensitive information.
Encrypt Database Information: Use encryption for data at rest, especially for databases storing sensitive information.
Email Encryption: Implement email encryption solutions for sensitive communications.
File Encryption: Encourage the use of encrypted file formats, especially for documents containing personal or confidential data.
Training and Policies: Regularly train staff on the importance of encryption and establish clear policies for handling sensitive data.