1. Home
  2. ATT&CK Techniques
  3. T1557 Man-in-the-Middle

T1557 Man-in-the-Middle Mappings

Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)

Adversaries may leverage the MiTM position to attempt to modify traffic, such as in Transmitted Data Manipulation. Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-16 Security and Privacy Attributes Protects T1557 Man-in-the-Middle
AC-17 Remote Access Protects T1557 Man-in-the-Middle
AC-18 Wireless Access Protects T1557 Man-in-the-Middle
AC-19 Access Control for Mobile Devices Protects T1557 Man-in-the-Middle
AC-20 Use of External Systems Protects T1557 Man-in-the-Middle
AC-3 Access Enforcement Protects T1557 Man-in-the-Middle
AC-4 Information Flow Enforcement Protects T1557 Man-in-the-Middle
CA-7 Continuous Monitoring Protects T1557 Man-in-the-Middle
CM-2 Baseline Configuration Protects T1557 Man-in-the-Middle
CM-6 Configuration Settings Protects T1557 Man-in-the-Middle
CM-7 Least Functionality Protects T1557 Man-in-the-Middle
CM-8 System Component Inventory Protects T1557 Man-in-the-Middle
RA-5 Vulnerability Monitoring and Scanning Protects T1557 Man-in-the-Middle
SC-23 Session Authenticity Protects T1557 Man-in-the-Middle
SC-4 Information in Shared System Resources Protects T1557 Man-in-the-Middle
SC-46 Cross Domain Policy Enforcement Protects T1557 Man-in-the-Middle
SC-7 Boundary Protection Protects T1557 Man-in-the-Middle
SC-8 Transmission Confidentiality and Integrity Protects T1557 Man-in-the-Middle
SI-10 Information Input Validation Protects T1557 Man-in-the-Middle
SI-12 Information Management and Retention Protects T1557 Man-in-the-Middle
SI-15 Information Output Filtering Protects T1557 Man-in-the-Middle
SI-3 Malicious Code Protection Protects T1557 Man-in-the-Middle
SI-4 System Monitoring Protects T1557 Man-in-the-Middle
SI-7 Software, Firmware, and Information Integrity Protects T1557 Man-in-the-Middle

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
network_security_groups Network Security Groups technique_scores T1557 Man-in-the-Middle
Comments
This control can be used to limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce MiTM conditions.
References
  1. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening
azure_sentinel Azure Sentinel technique_scores T1557 Man-in-the-Middle
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
  1. https://docs.microsoft.com/en-us/azure/sentinel/overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/hunting
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1557 Man-in-the-Middle
Comments
This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the other, resulting in an overall Minimal score.
References
  1. https://docs.microsoft.com/en-us/defender-for-identity/what-is
azure_private_link Azure Private Link technique_scores T1557 Man-in-the-Middle
Comments
This control provides partial protection for this technique's sub-techniques resulting in an overall Partial score.
References
  1. https://docs.microsoft.com/azure/private-link/private-link-overview
azure_vpn_gateway Azure VPN Gateway technique_scores T1557 Man-in-the-Middle
Comments
This control can mitigate Man-in-the-Middle attacks that manipulate network protocol data in transit.
References
  1. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1557.002 ARP Cache Poisoning 24
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay 19