Adversary-in-the-Middle - T1557
(ATT&CK® Technique)
Definition
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.
D3FEND Inferred Relationships
Artifacts associated with Adversary-in-the-Middle (T1557):
T1557 produces Network Traffic
T1557 creates DHCP Network Traffic
T1557 produces Intranet Multicast Network Traffic

Defensive techniques that may detect T1557, with the artifacts each one analyzes:
Protocol Metadata Anomaly Detection: DHCP Network Traffic, Intranet Multicast Network Traffic, Network Traffic
Remote Terminal Session Detection: Intranet Multicast Network Traffic, Network Traffic, DHCP Network Traffic
Network Traffic Signature Analysis: DHCP Network Traffic, Network Traffic, Intranet Multicast Network Traffic
Client-server Payload Profiling: Intranet Multicast Network Traffic, Network Traffic, DHCP Network Traffic
Network Traffic Community Deviation: Network Traffic, DHCP Network Traffic, Intranet Multicast Network Traffic
Per Host Download-Upload Ratio Analysis: Intranet Multicast Network Traffic, DHCP Network Traffic, Network Traffic
Connection Attempt Analysis: Intranet Multicast Network Traffic
User Geolocation Logon Pattern Analysis: Intranet Multicast Network Traffic, Network Traffic, DHCP Network Traffic

Defensive techniques that may isolate T1557, with the artifacts each one filters:
Network Traffic Filtering: Network Traffic, DHCP Network Traffic, Intranet Multicast Network Traffic