Adversary-in-the-Middle T1557
Tactics: Credential Access, Collection
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.
Events covered
23 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 61 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (90 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (398 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (66 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 23 rules
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Azure Sign-In With Axios User Agent
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe
- Exchange server impersonation via PrivExchange relay attack
- HackTool - ADCSPwn Execution
- HackTool - Impacket Tools Execution
- Huawei BGP Authentication Failures
- ISATAP Router Address Was Set
- Juniper BGP Missing MD5
- Local Privilege Escalation Indicator TabTip
- Notepad++ Updater DNS Query to Uncommon Domains
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
- Potential PetitPotam Attack Via EFS RPC Calls
- Potential SMB Relay Attack Tool Execution
- Potential Suspicious Activity Using SeCEdit
- RottenPotato Like Attack Pattern
- Suspicious Child Process of Notepad++ Updater - GUP.Exe
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
- Uncommon File Created by Notepad++ Updater Gup.EXE
- WinDivert Driver Load
Elastic 19 rules
- AWS Route 53 Private Hosted Zone Associated With a VPC
- Creation of a DNS-Named Record
- Creation or Modification of Root Certificate
- DNS Global Query Block List Modified or Disabled
- Google Workspace Device Registration Burst for Single User
- Google Workspace Login Flagged Suspicious
- Google Workspace User Login with Unusual ASN
- Potential ADIDNS Poisoning via Wildcard Record Creation
- Potential Computer Account NTLM Relay Activity
- Potential Kerberos Coercion via DNS-Based SPN Spoofing
- Potential Kerberos Relay Attack against a Computer Account
- Potential Kerberos SPN Spoofing via Suspicious DNS Query
- Potential Local NTLM Relay via HTTP
- Potential Machine Account Relay Attack via SMB
- Potential NTLM Relay Attack against a Computer Account
- Potential PowerShell Pass-the-Hash/Relay Script
- Potential WPAD Spoofing via DNS Record Creation
- Service Creation via Local Kerberos Authentication
- WebProxy Settings Modification
Splunk 11 rules
- Cisco ASA - Packet Capture Activity
- Detect ARP Poisoning
- Detect IPv6 Network Infrastructure Threats
- Detect Port Security Violation
- Detect Rogue DHCP Server
- DNS Kerberos Coercion
- Suspicious Spool Authentication (Windows Event Log)
- Windows Credential Target Information Structure in Commandline
- Windows Kerberos Coercion via DNS
- Windows Short Lived DNS Record
- Windows Theme File Creation in Unusual Location
Kusto 8 rules
- A host is potentially running a hacking tool (ASIM Web Session schema)
- Cisco Cloud Security - Hack Tool User-Agent Detected
- Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
- GCP Security Command Center - Detect DNSSEC disabled for DNS zones
- NTLM Relay Attack
- Possible AiTM Phishing Attempt Against Microsoft Entra ID
- Powershell Empire Cmdlets Executed in Command Line
- Unauthorized user access across AWS and Azure