EXPLORE
← Back to Explore
T1557

Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of ...

LinuxmacOSNetwork DevicesWindows
39
Detections
5
Sources
3
Threat Actors

BY SOURCE

24elastic10sigma2kql2splunk_escu1jamf_protect

PROCEDURES (31)

Brute Force3 detections

Auto-extracted: 3 detections for brute force

Network Connection Monitoring3 detections

Auto-extracted: 3 detections for network connection monitoring

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Cloud2 detections

Auto-extracted: 2 detections for cloud

Remote1 detections

Auto-extracted: 1 detections for remote

Phish1 detections

Auto-extracted: 1 detections for phish

Bypass1 detections

Auto-extracted: 1 detections for bypass

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Dns1 detections

Auto-extracted: 1 detections for dns

Service1 detections

Auto-extracted: 1 detections for service

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Credential1 detections

Auto-extracted: 1 detections for credential

Lateral1 detections

Auto-extracted: 1 detections for lateral

Persist1 detections

Auto-extracted: 1 detections for persist

Brute Force1 detections

Auto-extracted: 1 detections for brute force

Phish1 detections

Auto-extracted: 1 detections for phish

Base641 detections

Auto-extracted: 1 detections for base64

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Http1 detections

Auto-extracted: 1 detections for http

Remote1 detections

Auto-extracted: 1 detections for remote

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Lateral1 detections

Auto-extracted: 1 detections for lateral

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Token1 detections

Auto-extracted: 1 detections for token

Credential1 detections

Auto-extracted: 1 detections for credential

Bypass1 detections

Auto-extracted: 1 detections for bypass

Base641 detections

Auto-extracted: 1 detections for base64

DETECTIONS (39)

AWS Route 53 Private Hosted Zone Associated With a VPC
elasticmedium
Azure Sign-In With Axios User Agent
sigmalow
Cisco ASA - Packet Capture Activity
splunk_escu
Cisco BGP Authentication Failures
sigmalow
Cisco LDP Authentication Failures
sigmalow
Creation of a DNS-Named Record
elasticlow
Creation or Modification of Root Certificate
elasticlow
Deprecated TLS Version or Weak Cipher Negotiated Externally
elasticmedium
Detect Rogue DHCP Server
splunk_escu
DNS Global Query Block List Modified or Disabled
elasticmedium
Entra ID Multiple Device Registrations by a Single User
elasticmedium
Google Workspace Device Registration Burst for Single User
elasticmedium
Google Workspace Impossible Travel Login
elastichigh
Google Workspace User Login with Unusual ASN
elasticlow
Huawei BGP Authentication Failures
sigmalow
ICMP Redirect Message from Internal Host
elastichigh
ISATAP Router Address Was Set
sigmamedium
Juniper BGP Missing MD5
sigmalow
Microsoft Entra ID Impossible Travel Sign-in
elastichigh
Mitmproxy Activity
jamf_protectinformational
Multiple DHCP Servers Responding to the Same Transaction
elastichigh
Notepad++ Updater DNS Query to Uncommon Domains
sigmamedium
Potential ADIDNS Poisoning via Wildcard Record Creation
elastichigh
Potential Adversary in the middle Phishing
kql
Potential Computer Account NTLM Relay Activity
elasticmedium
Potential Kerberos Coercion via DNS-Based SPN Spoofing
elastichigh
Potential Kerberos Relay Attack against a Computer Account
elastichigh
Potential Kerberos SPN Spoofing via Suspicious DNS Query
elastichigh
Potential Local NTLM Relay via HTTP
elastichigh
Potential Machine Account Relay Attack via SMB
elastichigh
Potential NTLM Relay Attack against a Computer Account
elastichigh
Potential PowerShell Pass-the-Hash/Relay Script
elastichigh
Potential Suspicious Activity Using SeCEdit
sigmamedium
Potential WPAD Spoofing via DNS Record Creation
elasticmedium
Service Creation via Local Kerberos Authentication
elastichigh
Storm-0539 AiTM URLs - EmailEvents
kql
Suspicious Child Process of Notepad++ Updater - GUP.Exe
sigmahigh
Uncommon File Created by Notepad++ Updater Gup.EXE
sigmahigh
WebProxy Settings Modification
elasticmedium