T1557 Adversary-in-the-Middle Mappings

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g., ARP, DNS, LLMNR), adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions. (Citation: Rapid7 MiTM Basics)

Adversaries may leverage the AiTM position to attempt to modify traffic, such as in Transmitted Data Manipulation. Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.



| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
| --- | --- | --- | --- | --- |
| cloudvpn | CloudVPN | technique_scores | T1557 | Adversary-in-the-Middle |
| virtual_private_cloud | Virtual Private Cloud | technique_scores | T1557 | Adversary-in-the-Middle |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
| --- | --- | --- |
| T1557.002 | ARP Cache Poisoning | 1 |