T1557 — Adversary-in-the-Middle

Technique

T1557

Tactics

Credential Access, Collection

MISP citations

0

KEV CVEs mapped

4

Community rules

10

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1557

MITRE description

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1689)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att) Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to impair defenses and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-31201
• CVE-2025-31200
• CVE-2022-1040
• CVE-2019-5591

Detection coverage

SigmaHQ community rules

• Azure Sign-In With Axios User Agent (threat-hunting)
• Cisco BGP Authentication Failures (core)
• Cisco LDP Authentication Failures (core)
• Huawei BGP Authentication Failures (core)
• Juniper BGP Missing MD5 (core)
• ISATAP Router Address Was Set (core)
• Notepad++ Updater DNS Query to Uncommon Domains (core)
• Uncommon File Created by Notepad++ Updater Gup.EXE (core)
• Suspicious Child Process of Notepad++ Updater - GUP.Exe (core)
• Potential Suspicious Activity Using SeCEdit (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.