Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)
Adversaries may leverage the AiTM position to attempt to modify traffic, such as in Transmitted Data Manipulation. Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| cloudvpn | CloudVPN | technique_scores | T1557 | Adversary-in-the-Middle |
| virtual_private_cloud | Virtual Private Cloud | technique_scores | T1557 | Adversary-in-the-Middle |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1557.002 | ARP Cache Poisoning | 1 |