EXPLORE

← Back to Explore

T1557

Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of ...

LinuxmacOSNetwork DevicesWindows

27

Detections

3

Sources

3

Threat Actors

BY SOURCE

16elastic9sigma2splunk_escu

PROCEDURES (18)

Network Connection Monitoring4 detections

Auto-extracted: 4 detections for network connection monitoring

Brute Force3 detections

Auto-extracted: 3 detections for brute force

Dns2 detections

Auto-extracted: 2 detections for dns

Credential2 detections

Auto-extracted: 2 detections for credential

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Service2 detections

Auto-extracted: 2 detections for service

Base641 detections

Auto-extracted: 1 detections for base64

Base641 detections

Auto-extracted: 1 detections for base64

Remote1 detections

Auto-extracted: 1 detections for remote

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Lateral1 detections

Auto-extracted: 1 detections for lateral

Remote1 detections

Auto-extracted: 1 detections for remote

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Lateral1 detections

Auto-extracted: 1 detections for lateral

Brute Force1 detections

Auto-extracted: 1 detections for brute force

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Dns1 detections

Auto-extracted: 1 detections for dns

THREAT ACTORS (3)

Kimsuky Mustang Panda Sea Turtle

DETECTIONS (27)

AWS Route 53 Private Hosted Zone Associated With a VPC

Cisco ASA - Packet Capture Activity

Cisco BGP Authentication Failures

Cisco LDP Authentication Failures

Creation of a DNS-Named Record

Creation or Modification of Root Certificate

Detect Rogue DHCP Server

DNS Global Query Block List Modified or Disabled

Huawei BGP Authentication Failures

ISATAP Router Address Was Set

Juniper BGP Missing MD5

Notepad++ Updater DNS Query to Uncommon Domains

Potential ADIDNS Poisoning via Wildcard Record Creation

Potential Computer Account NTLM Relay Activity

Potential Kerberos Coercion via DNS-Based SPN Spoofing

Potential Kerberos Relay Attack against a Computer Account

Potential Kerberos SPN Spoofing via Suspicious DNS Query

Potential Local NTLM Relay via HTTP

Potential Machine Account Relay Attack via SMB

Potential NTLM Relay Attack against a Computer Account

Potential PowerShell Pass-the-Hash/Relay Script

Potential Suspicious Activity Using SeCEdit

Potential WPAD Spoofing via DNS Record Creation

Service Creation via Local Kerberos Authentication

Suspicious Child Process of Notepad++ Updater - GUP.Exe

Uncommon File Created by Notepad++ Updater Gup.EXE

WebProxy Settings Modification