T1557 Adversary-in-the-Middle Mappings

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)

For example, adversaries may manipulate victim DNS settings to enable other malicious activities, such as preventing users from accessing legitimate sites, redirecting them elsewhere, and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) Downgrade Attacks can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of a communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)

Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in Transmitted Data Manipulation. Adversaries can set up a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to Impair Defenses and/or in support of a Network Denial of Service.

Mappings

Capability ID | Capability Description                        | Mapping Type     | ATT&CK ID | ATT&CK Name
--------------+-----------------------------------------------+------------------+-----------+------------------------
AC-16         | Security and Privacy Attributes               | Protects         | T1557     | Adversary-in-the-Middle
AC-17         | Remote Access                                 | Protects         | T1557     | Adversary-in-the-Middle
AC-18         | Wireless Access                               | Protects         | T1557     | Adversary-in-the-Middle
AC-19         | Access Control for Mobile Devices             | Protects         | T1557     | Adversary-in-the-Middle
AC-20         | Use of External Systems                       | Protects         | T1557     | Adversary-in-the-Middle
AC-03         | Access Enforcement                            | Protects         | T1557     | Adversary-in-the-Middle
AC-04         | Information Flow Enforcement                  | Protects         | T1557     | Adversary-in-the-Middle
CA-07         | Continuous Monitoring                         | Protects         | T1557     | Adversary-in-the-Middle
CM-02         | Baseline Configuration                        | Protects         | T1557     | Adversary-in-the-Middle
CM-06         | Configuration Settings                        | Protects         | T1557     | Adversary-in-the-Middle
CM-07         | Least Functionality                           | Protects         | T1557     | Adversary-in-the-Middle
CM-08         | System Component Inventory                    | Protects         | T1557     | Adversary-in-the-Middle
RA-05         | Vulnerability Monitoring and Scanning         | Protects         | T1557     | Adversary-in-the-Middle
SC-23         | Session Authenticity                          | Protects         | T1557     | Adversary-in-the-Middle
SC-04         | Information in Shared System Resources        | Protects         | T1557     | Adversary-in-the-Middle
SC-46         | Cross Domain Policy Enforcement               | Protects         | T1557     | Adversary-in-the-Middle
SC-07         | Boundary Protection                           | Protects         | T1557     | Adversary-in-the-Middle
SC-08         | Transmission Confidentiality and Integrity    | Protects         | T1557     | Adversary-in-the-Middle
SI-10         | Information Input Validation                  | Protects         | T1557     | Adversary-in-the-Middle
SI-12         | Information Management and Retention          | Protects         | T1557     | Adversary-in-the-Middle
SI-15         | Information Output Filtering                  | Protects         | T1557     | Adversary-in-the-Middle
SI-03         | Malicious Code Protection                     | Protects         | T1557     | Adversary-in-the-Middle
SI-04         | System Monitoring                             | Protects         | T1557     | Adversary-in-the-Middle
SI-07         | Software, Firmware, and Information Integrity | Protects         | T1557     | Adversary-in-the-Middle
DEF-SECA-E3   | Security Alerts                               | Technique Scores | T1557     | Adversary-in-the-Middle

ATT&CK Subtechniques

Technique ID | Technique Name                       | Number of Mappings
-------------+--------------------------------------+-------------------
T1557.003    | DHCP Spoofing                        | 15
T1557.001    | LLMNR/NBT-NS Poisoning and SMB Relay | 16
T1557.002    | ARP Cache Poisoning                  | 22