EXPLORE

← Back to Explore

T1557

Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of ...

LinuxmacOSNetwork DevicesWindows

32

Detections

4

Sources

3

Threat Actors

BY SOURCE

18elastic10sigma2kql2splunk_escu

PROCEDURES (26)

Brute Force3 detections

Auto-extracted: 3 detections for brute force

Network Connection Monitoring2 detections

Auto-extracted: 2 detections for network connection monitoring

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Token2 detections

Auto-extracted: 2 detections for token

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Http1 detections

Auto-extracted: 1 detections for http

Remote1 detections

Auto-extracted: 1 detections for remote

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

Cloud1 detections

Auto-extracted: 1 detections for cloud

Cloud1 detections

Auto-extracted: 1 detections for cloud

Base641 detections

Auto-extracted: 1 detections for base64

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Base641 detections

Auto-extracted: 1 detections for base64

Credential1 detections

Auto-extracted: 1 detections for credential

Lateral1 detections

Auto-extracted: 1 detections for lateral

Phish1 detections

Auto-extracted: 1 detections for phish

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

Lateral1 detections

Auto-extracted: 1 detections for lateral

Phish1 detections

Auto-extracted: 1 detections for phish

Brute Force1 detections

Auto-extracted: 1 detections for brute force

Service1 detections

Auto-extracted: 1 detections for service

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Dns1 detections

Auto-extracted: 1 detections for dns

THREAT ACTORS (3)

Kimsuky Mustang Panda Sea Turtle

DETECTIONS (32)

AWS Route 53 Private Hosted Zone Associated With a VPC

Azure Sign-In With Axios User Agent

Cisco ASA - Packet Capture Activity

Cisco BGP Authentication Failures

Cisco LDP Authentication Failures

Creation of a DNS-Named Record

Creation or Modification of Root Certificate

Detect Rogue DHCP Server

DNS Global Query Block List Modified or Disabled

Google Workspace Device Registration Burst for Single User

Google Workspace User Login with Unusual ASN

Huawei BGP Authentication Failures

ISATAP Router Address Was Set

Juniper BGP Missing MD5

Notepad++ Updater DNS Query to Uncommon Domains

Potential ADIDNS Poisoning via Wildcard Record Creation

Potential Adversary in the middle Phishing

Potential Computer Account NTLM Relay Activity

Potential Kerberos Coercion via DNS-Based SPN Spoofing

Potential Kerberos Relay Attack against a Computer Account

Potential Kerberos SPN Spoofing via Suspicious DNS Query

Potential Local NTLM Relay via HTTP

Potential Machine Account Relay Attack via SMB

Potential NTLM Relay Attack against a Computer Account

Potential PowerShell Pass-the-Hash/Relay Script

Potential Suspicious Activity Using SeCEdit

Potential WPAD Spoofing via DNS Record Creation

Service Creation via Local Kerberos Authentication

Storm-0539 AiTM URLs - EmailEvents

Suspicious Child Process of Notepad++ Updater - GUP.Exe

Uncommon File Created by Notepad++ Updater Gup.EXE

WebProxy Settings Modification