T1557: Adversary-in-the-Middle

Adversary-in-the-Middle matters because it can turn ordinary network connectivity into a credential, token, session, or traffic-manipulation exposure. If an attacker can influence DNS, ARP, DHCP, name resolution, Wi-Fi, TLS negotiation, or similar traffic paths, they may collect information, redirect users, intercept credentials or access tokens, modify transmitted data, or disrupt traffic flows. For leaders, this is not only a network issue: it affects identity assurance, cloud/session security, SOC visibility, and the reliability of critical communications.

Executive priority

Prioritize this technique where business operations depend on trusted network paths, remote access, cloud identity sessions, Wi-Fi access, DNS integrity, or network devices. Executives should ask whether the organization can prove that sensitive traffic is encrypted, name resolution is controlled, legacy or weak protocols are reduced, and network changes are monitored. This is also relevant to audit and resilience discussions because AiTM can undermine authentication, data integrity, and incident scoping if telemetry is incomplete.

Technical view

ATT&CK lists this technique under credential access and collection across Linux, macOS, Windows, and network devices. Defensive validation should focus on whether teams can detect network and configuration anomalies associated with the related sub-techniques: Name Resolution Poisoning and SMB Relay, ARP Cache Poisoning, DHCP Spoofing, and Evil Twin. Since ATT&CK provides no official detection text for T1557, use the related detection strategy DET0296 as direction: validate visibility into network path changes, suspicious name resolution responses, unexpected DHCP behavior, ARP anomalies, Wi-Fi impersonation indicators, DNS manipulation, and TLS downgrade or weak-protocol negotiation where observable. IR teams should treat suspected AiTM as both a network investigation and an identity/session exposure assessment, especially where credentials, access tokens, or session cookies may have traversed the affected path.

Likely telemetry

DNS query/response logs, resolver configuration changes, and unexpected DNS redirection evidence
ARP table changes, duplicate IP/MAC observations, and local network switching telemetry where available
DHCP server, lease, option, and rogue DHCP indicators
LLMNR, NBT-NS, and mDNS traffic observations, especially on Windows segments
Wireless access point inventory, SSID/BSSID observations, and client association logs for Evil Twin scenarios

Detection direction

Map coverage by sub-technique rather than treating AiTM as one alert: Windows name-resolution abuse, ARP poisoning, DHCP spoofing, and Evil Twin require different sensors and baselines.
Validate that DET0296-style network and configuration anomaly detection is supported by actual telemetry, not assumed from endpoint logs alone.
Tune for environment-specific false positives such as legitimate network reconfiguration, DHCP failover, DNS migrations, proxy changes, wireless testing, or vulnerability assessments.
Correlate network anomalies with credential-access and collection outcomes, including suspicious authentication events after traffic redirection or token/session exposure concerns.
Review blind spots on unmanaged networks, guest Wi-Fi, remote sites, network devices, and segments where packet/flow visibility is limited.

Mitigation priorities

Start with encryption of sensitive information in transit and reduction of weak or deprecated protocol negotiation where feasible, aligning with M1041.
Reduce exploitable network paths through segmentation, traffic filtering, and restricted access to network resources, aligning with M1030, M1037, and M1035.
Use network intrusion prevention or detection signatures at appropriate boundaries where traffic patterns are observable, aligning with M1031.
Disable or remove unnecessary legacy features, services, or protocols that increase exposure to name-resolution, downgrade, or traffic-redirection abuse, aligning with M1042.
Include user training for reporting suspicious Wi-Fi, certificate warnings, unexpected redirects, or authentication prompts, aligning with M1017, but do not rely on training as the primary control.

Analyst notes and limits

ATT&CK relationships show use by several groups, software, and a campaign, and identify specific sub-techniques that make this behavior operationally meaningful. The most useful defensive framing is coverage validation: can the organization see and investigate manipulation of traffic direction and name resolution before it becomes credential theft, token theft, data manipulation, or disruption? Network device and identity teams should be included in tabletop and detection-engineering work because AiTM can cross traditional SOC ownership boundaries.

The supplied ATT&CK object does not include official detection text, and the relationship descriptions are not sufficient to claim local exposure, active exploitation, or guaranteed detection. This take is based only on the provided ATT&CK fields, external references, and relationships. Actual priority depends on local network architecture, wireless use, identity provider/session controls, encryption posture, sensor placement, and retained logs.

Official MITRE ATT&CK definition

Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.[1]

For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.[2][3][4] Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens (Steal Application Access Token) and session cookies (Steal Web Session Cookie).[5][6] Downgrade Attacks can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.[7][8][9]

Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in Transmitted Data Manipulation. Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to impair defenses and/or in support of a Network Denial of Service.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 4 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1557.003	DHCP Spoofing Sub-technique	DHCP Spoofing subtechnique of this object.
Enterprise	T1557.002	ARP Cache Poisoning Sub-technique	ARP Cache Poisoning subtechnique of this object.
Enterprise	T1557.001	Name Resolution Poisoning and SMB Relay Sub-technique	Name Resolution Poisoning and SMB Relay subtechnique of this object.
Enterprise	T1557.004	Evil Twin Sub-technique	Evil Twin subtechnique of this object.

Associated objects

Groups, software, and campaigns

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

G1041: Sea Turtle

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof log in portals and other applications for credential collection.[1][2][3][4]

S0281: Dok

Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).[1][2][3]

macOS

S9003: evilginx2

evilginx2 is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. evilginx2 can be used as a reverse proxy between victims and legitimate web services to intercept and capture credentials, authentication tokens, and session cookies.[1][2][3]

IaaSIdentity ProviderOffice Suite

S1131: NPPSPY

NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials following submission and writes them to a file on the victim system for follow-on exfiltration.[1][2]

Windows

S1188: Line Runner

Line Runner is a persistent backdoor and web shell allowing threat actors to upload and execute arbitrary Lua scripts. Line Runner is associated with the ArcaneDoor campaign.[1][2]

Network Devices

C0046: ArcaneDoor

ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.[1][2]

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1037: Filter Network Traffic Enterprise mitigates · Mitigation M1041: Encrypt Sensitive Information Enterprise mitigates · Mitigation M1035: Limit Access to Resource Over Network Enterprise subtechnique of · Technique T1557.003: DHCP Spoofing Enterprise uses · Malware S0281: Dok Enterprise mitigates · Mitigation M1042: Disable or Remove Feature or Program Enterprise subtechnique of · Technique T1557.002: ARP Cache Poisoning Enterprise detects · Detection Strategy DET0296: Detect Adversary-in-the-Middle via Network and Configuration Anomalies Enterprise uses · Group G0129: Mustang Panda Enterprise subtechnique of · Technique T1557.001: Name Resolution Poisoning and SMB Relay Enterprise uses · Tool S9003: evilginx2 Enterprise mitigates · Mitigation M1017: User Training Enterprise subtechnique of · Technique T1557.004: Evil Twin Enterprise uses · Group G0094: Kimsuky Enterprise mitigates · Mitigation M1031: Network Intrusion Prevention Enterprise uses · Campaign C0046: ArcaneDoor Enterprise mitigates · Mitigation M1030: Network Segmentation Enterprise uses · Tool S1131: NPPSPY Enterprise uses · Malware S1188: Line Runner Enterprise uses · Group G1041: Sea Turtle Enterprise

Mitigations

Mitigation direction

M1037: Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures:

Ingress Traffic Filtering:

- Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers. - Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.

Egress Traffic Filtering:

- Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications. - Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.

Protocol-Based Filtering:

- Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs. - Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.

Network Segmentation:

- Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized. - Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.

Application Layer Filtering:

- Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic. - Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.

M1041: Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures:

Encrypt Data at Rest:

- Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices. - Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.

Encrypt Data in Transit:

- Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks. - Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.

Encrypt Backups:

- Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access. - Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.

Encrypt Application Secrets:

- Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults. - Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.

Database Encryption:

- Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems. - Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

M1035: Limit Access to Resource Over Network

Restrict access to network resources, such as file shares, remote systems, and services, to only those users, accounts, or systems with a legitimate business requirement. This can include employing technologies like network concentrators, RDP gateways, and zero-trust network access (ZTNA) models, alongside hardening services and protocols. This mitigation can be implemented through the following measures:

Audit and Restrict Access:

- Regularly audit permissions for file shares, network services, and remote access tools. - Remove unnecessary access and enforce least privilege principles for users and services. - Use Active Directory and IAM tools to restrict access based on roles and attributes.

Deploy Secure Remote Access Solutions:

- Use RDP gateways, VPN concentrators, and ZTNA solutions to aggregate and secure remote access connections. - Configure access controls to restrict connections based on time, device, and user identity. - Enforce MFA for all remote access mechanisms.

Disable Unnecessary Services:

- Identify running services using tools like netstat (Windows/Linux) or Nmap. - Disable unused services, such as Telnet, FTP, and legacy SMB, to reduce the attack surface. - Use firewall rules to block traffic on unused ports and protocols.

Network Segmentation and Isolation:

- Use VLANs, firewalls, or micro-segmentation to isolate critical network resources from general access. - Restrict communication between subnets to prevent lateral movement.

Monitor and Log Access:

- Monitor access attempts to file shares, RDP, and remote network resources using SIEM tools. - Enable auditing and logging for successful and failed attempts to access restricted resources.

*Tools for Implementation*

File Share Management:

- Microsoft Active Directory Group Policies - Samba (Linux/Unix file share management) - AccessEnum (Windows access auditing tool)

Secure Remote Access:

- Microsoft Remote Desktop Gateway - Apache Guacamole (open-source RDP/VNC gateway) - Zero Trust solutions: Tailscale, Cloudflare Zero Trust

Service and Protocol Hardening:

- Nmap or Nessus for network service discovery - Windows Group Policy Editor for disabling SMBv1, Telnet, and legacy protocols - iptables or firewalld (Linux) for blocking unnecessary traffic

Network Segmentation:

- pfSense for open-source network isolation

M1042: Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

- Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash). - Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

- Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required. - Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

- Use Case: Prevent users from installing unauthorized software via group policies or other management tools. - Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

- Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices. - Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

- Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes. - Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

M1017: User Training

User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:

Create Comprehensive Training Programs:

- Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting. - Provide role-specific training for high-risk employees, such as helpdesk staff or executives.

Use Simulated Exercises:

- Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training. - Run social engineering drills to evaluate employee responses and reinforce protocols.

Leverage Gamification and Engagement:

- Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.

Incorporate Security Policies into Onboarding:

- Include cybersecurity training as part of the onboarding process for new employees. - Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.

Regular Refresher Courses:

- Update training materials to include emerging threats and techniques used by adversaries. - Ensure all employees complete periodic refresher courses to stay informed.

Emphasize Real-World Scenarios:

- Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering. - Discuss how specific employee actions can prevent or mitigate such attacks.

M1031: Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

M1030: Network Segmentation

Network segmentation involves dividing a network into smaller, isolated segments to control and limit the flow of traffic between devices, systems, and applications. By segmenting networks, organizations can reduce the attack surface, restrict lateral movement by adversaries, and protect critical assets from compromise.

Effective network segmentation leverages a combination of physical boundaries, logical separation through VLANs, and access control policies enforced by network appliances like firewalls, routers, and cloud-based configurations. This mitigation can be implemented through the following measures:

Segment Critical Systems:

- Identify and group systems based on their function, sensitivity, and risk. Examples include payment systems, HR databases, production systems, and internet-facing servers. - Use VLANs, firewalls, or routers to enforce logical separation.

Implement DMZ for Public-Facing Services:

- Host web servers, DNS servers, and email servers in a DMZ to limit their access to internal systems. - Apply strict firewall rules to filter traffic between the DMZ and internal networks.

Use Cloud-Based Segmentation:

- In cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules. - Apply AWS Transit Gateway or Azure VNet peering for controlled connectivity between cloud segments.

Apply Microsegmentation for Workloads:

- Use software-defined networking (SDN) tools to implement workload-level segmentation and prevent lateral movement.

Restrict Traffic with ACLs and Firewalls:

- Apply Access Control Lists (ACLs) to network devices to enforce "deny by default" policies. - Use firewalls to restrict both north-south (external-internal) and east-west (internal-internal) traffic.

Monitor and Audit Segmented Networks:

- Regularly review firewall rules, ACLs, and segmentation policies. - Monitor network flows for anomalies to ensure segmentation is effective.

Test Segmentation Effectiveness:

- Perform periodic penetration tests to verify that unauthorized access is blocked between network segments.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.5
Created: Feb 11, 2020, 19:07 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 0dd83b905042903e...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	2.5	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`0dd83b905042…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Rapid7 MiTM Basics

Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.
Open source URL
[2]
ttint_rat

Tu, L. Ma, Y. Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. Retrieved October 28, 2021.
Open source URL
[3]
dns_changer_trojans

Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. Retrieved October 28, 2021.
Open source URL
[4]
ad_blocker_with_miner

Kuzmenko, A.. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021.
Open source URL
[5]
volexity_0day_sophos_FW

Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.
Open source URL
[6]
Token tactics

Microsoft Incident Response. (2022, November 16). Token tactics: How to prevent, detect, and respond to cloud token theft. Retrieved December 26, 2023.
Open source URL
[7]
mitm_tls_downgrade_att

praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.
Open source URL
[8]
taxonomy_downgrade_att_tls

Alashwali, E. S., Rasmussen, K. (2019, January 26). What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021.
Open source URL
[9]
tlseminar_downgrade_att

Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.
Open source URL
[10]
mitre-attack T1557
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams