T1557 Man-in-the-Middle Mappings

Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)

Adversaries may leverage the MiTM position to attempt to modify traffic, such as in Transmitted Data Manipulation. Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1557 Man-in-the-Middle
AC-17 Remote Access Protects T1557 Man-in-the-Middle
AC-18 Wireless Access Protects T1557 Man-in-the-Middle
AC-19 Access Control for Mobile Devices Protects T1557 Man-in-the-Middle
AC-20 Use of External Systems Protects T1557 Man-in-the-Middle
AC-3 Access Enforcement Protects T1557 Man-in-the-Middle
AC-4 Information Flow Enforcement Protects T1557 Man-in-the-Middle
CA-7 Continuous Monitoring Protects T1557 Man-in-the-Middle
CM-2 Baseline Configuration Protects T1557 Man-in-the-Middle
CM-6 Configuration Settings Protects T1557 Man-in-the-Middle
CM-7 Least Functionality Protects T1557 Man-in-the-Middle
CM-8 System Component Inventory Protects T1557 Man-in-the-Middle
RA-5 Vulnerability Monitoring and Scanning Protects T1557 Man-in-the-Middle
SC-23 Session Authenticity Protects T1557 Man-in-the-Middle
SC-4 Information in Shared System Resources Protects T1557 Man-in-the-Middle
SC-46 Cross Domain Policy Enforcement Protects T1557 Man-in-the-Middle
SC-7 Boundary Protection Protects T1557 Man-in-the-Middle
SC-8 Transmission Confidentiality and Integrity Protects T1557 Man-in-the-Middle
SI-10 Information Input Validation Protects T1557 Man-in-the-Middle
SI-12 Information Management and Retention Protects T1557 Man-in-the-Middle
SI-15 Information Output Filtering Protects T1557 Man-in-the-Middle
SI-3 Malicious Code Protection Protects T1557 Man-in-the-Middle
SI-4 System Monitoring Protects T1557 Man-in-the-Middle
SI-7 Software, Firmware, and Information Integrity Protects T1557 Man-in-the-Middle
network_security_groups Network Security Groups technique_scores T1557 Man-in-the-Middle
azure_sentinel Azure Sentinel technique_scores T1557 Man-in-the-Middle
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1557 Man-in-the-Middle
azure_private_link Azure Private Link technique_scores T1557 Man-in-the-Middle
azure_vpn_gateway Azure VPN Gateway technique_scores T1557 Man-in-the-Middle

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1557.002 ARP Cache Poisoning 24
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay 19