Which SIEM platforms have a T1557 detection rule?

df00tech provides T1557 (Adversary-in-the-Middle) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1557 detection?

The T1557 detection is rated high severity with medium confidence.

What are common false positives for T1557?

Common false positives for T1557 include: Network engineers using arp -s for legitimate static ARP entry management on servers or network appliances; Security teams running authorized penetration tests or red team exercises using Responder, Bettercap, or Ettercap in approved lab segments; IT administrators reconfiguring DNS server settings via netsh or Set-DnsClientServerAddress during planned network migrations or failover procedures.

T1557

Adversary-in-the-Middle

Q: What data sources are required to detect Adversary-in-the-Middle (T1557)?

Detecting Adversary-in-the-Middle requires the following data sources: Process: Process Creation, Command: Command Execution, Windows Registry: Registry Key Modification, Microsoft Defender for Endpoint.

Credential Access Collection Last updated: April 13, 2026

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (T1040), Transmitted Data Manipulation (T1565.002), or replay attacks. By abusing features of common networking protocols (ARP, DNS, LLMNR, DHCP), adversaries force devices to communicate through an adversary-controlled system to harvest credentials, session tokens, and sensitive data. Sub-techniques include LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001), ARP Cache Poisoning (T1557.002), DHCP Spoofing (T1557.003), and Evil Twin wireless attacks (T1557.004). Common attack frameworks include Responder, Bettercap, Ettercap, ntlmrelayx, mitmproxy, dnschef, and EvilGinx2. Threat groups including Kimsuky, Sea Turtle, and Mustang Panda have leveraged AiTM positioning for large-scale credential theft, session hijacking, and DNS record manipulation at service providers.

What is T1557 Adversary-in-the-Middle?

Adversary-in-the-Middle (T1557) maps to the Credential Access and Collection tactics — the adversary is trying to steal account names and passwords in MITRE ATT&CK.

This page provides production-ready detection logic for Adversary-in-the-Middle, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Windows Registry: Registry Key Modification, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Credential Access Collection
Technique: T1557 Adversary-in-the-Middle
Canonical reference: https://attack.mitre.org/techniques/T1557/

Microsoft Sentinel / Defender

kusto

let AiTMToolNames = dynamic([
  "responder.exe", "bettercap", "bettercap.exe", "ettercap", "ettercap.exe",
  "mitmproxy", "mitmdump", "mitmweb", "dnschef", "sslstrip",
  "ntlmrelayx.py", "smbrelayx.py", "multirelay.py",
  "evilginx", "evilginx2", "mitm6", "mitm6.py"
]);
let AiTMKeywords = dynamic([
  "responder", "bettercap", "ettercap", "mitmproxy", "ntlmrelayx",
  "smbrelayx", "multirelay", "dnschef", "sslstrip", "mitm6",
  "evilginx", "arpspoof", "arp-spoof", "impacket-ntlmrelayx"
]);
let ProcessDetections =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (AiTMToolNames)
    or ProcessCommandLine has_any (AiTMKeywords)
    or (FileName =~ "arp.exe" and ProcessCommandLine has "-s" and ProcessCommandLine has ".")
    or (FileName in~ ("python.exe", "python3", "python3.exe") and ProcessCommandLine has_any (AiTMKeywords))
    or (FileName =~ "netsh.exe" and ProcessCommandLine has "interface" and ProcessCommandLine has "dns" and ProcessCommandLine has "set")
    or (FileName =~ "powershell.exe" and ProcessCommandLine has "Set-DnsClientServerAddress")
| extend DetectionCategory = case(
    ProcessCommandLine has_any (["responder", "ntlmrelayx", "smbrelayx", "multirelay"]), "LLMNR_NBT_NS_Relay",
    ProcessCommandLine has_any (["bettercap", "ettercap", "arpspoof", "arp-spoof"]) or (FileName =~ "arp.exe" and ProcessCommandLine has "-s"), "ARP_Poisoning",
    ProcessCommandLine has_any (["mitmproxy", "mitmdump", "mitmweb", "sslstrip"]), "SSL_Interception",
    ProcessCommandLine has_any (["dnschef", "mitm6", "evilginx"]), "DNS_Spoofing",
    ProcessCommandLine has "Set-DnsClientServerAddress" or (FileName =~ "netsh.exe" and ProcessCommandLine has "dns"), "DNS_Config_Modification",
    "AiTM_Tool_Other"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionCategory,
    ActivityType="ProcessExecution";
let RegistryDetections =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("Tcpip", "Parameters", "Interfaces")
| where RegistryValueName in~ ("NameServer", "DhcpNameServer")
| where isnotempty(RegistryValueData) and RegistryValueData !in ("", "0.0.0.0", "fec0:0:0:ffff::1")
| extend DetectionCategory = "DNS_Server_Registry_Modification"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
    FileName=InitiatingProcessFileName,
    ProcessCommandLine=InitiatingProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionCategory, ActivityType="RegistryModification";
union ProcessDetections, RegistryDetections
| sort by Timestamp desc

Detects Adversary-in-the-Middle tool execution and network configuration manipulation using Microsoft Defender for Endpoint tables. Combines a DeviceProcessEvents query identifying known AiTM tool binaries and command-line keywords (Responder, Bettercap, Ettercap, mitmproxy, ntlmrelayx, EvilGinx2, mitm6, dnschef, sslstrip, arpspoof), suspicious ARP table manipulation via arp.exe, and DNS configuration changes via netsh or PowerShell with a DeviceRegistryEvents query detecting DNS server registry modifications under the TCP/IP interface keys. Results are categorized by AiTM sub-technique variant to assist analyst triage.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Network engineers using arp -s for legitimate static ARP entry management on servers or network appliances
Security teams running authorized penetration tests or red team exercises using Responder, Bettercap, or Ettercap in approved lab segments
IT administrators reconfiguring DNS server settings via netsh or Set-DnsClientServerAddress during planned network migrations or failover procedures
Developers using mitmproxy, Burp Suite, or Charles Proxy for legitimate web application debugging, API testing, or certificate inspection
DHCP server changes during authorized network infrastructure replacements causing DNS server registry updates across endpoints

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmd_lower=lower(CommandLine)
| eval img_lower=lower(Image)
| eval IsLLMNRRelayTool=if(
    match(cmd_lower, "(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx)") OR
    match(img_lower, "(responder\.exe|ntlmrelayx)"),
    1, 0)
| eval IsARPPoisonTool=if(
    match(cmd_lower, "(bettercap|ettercap|arpspoof|arp\s+-s\s+\d+\.)") OR
    match(img_lower, "(bettercap\.exe|ettercap\.exe)"),
    1, 0)
| eval IsSSLInterceptTool=if(
    match(cmd_lower, "(mitmproxy|mitmdump|mitmweb|sslstrip)") OR
    match(img_lower, "(mitmproxy|mitmdump|mitmweb)"),
    1, 0)
| eval IsDNSSpoofTool=if(
    match(cmd_lower, "(dnschef|mitm6|evilginx)") OR
    match(img_lower, "(dnschef|mitm6|evilginx)"),
    1, 0)
| eval IsDNSConfigChange=if(
    match(cmd_lower, "(set-dnsclientserveraddress|netsh interface ip set dns|netsh int ip set dns)"),
    1, 0)
| eval SuspicionScore=IsLLMNRRelayTool + IsARPPoisonTool + IsSSLInterceptTool + IsDNSSpoofTool + IsDNSConfigChange
| where SuspicionScore > 0
| eval DetectionCategory=case(
    IsLLMNRRelayTool=1, "LLMNR_NBT_NS_Relay",
    IsARPPoisonTool=1, "ARP_Poisoning",
    IsSSLInterceptTool=1, "SSL_Interception",
    IsDNSSpoofTool=1, "DNS_Spoofing",
    IsDNSConfigChange=1, "DNS_Config_Modification",
    true(), "AiTM_Tool_Other"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
    IsLLMNRRelayTool, IsARPPoisonTool, IsSSLInterceptTool, IsDNSSpoofTool, IsDNSConfigChange,
    SuspicionScore, DetectionCategory
| sort - _time

Detects Adversary-in-the-Middle tool execution using Sysmon Event ID 1 (Process Creation). Evaluates command lines and image paths against known AiTM tools including LLMNR/NBT-NS relay tools (Responder, ntlmrelayx, smbrelayx), ARP poisoning tools (Bettercap, Ettercap, arpspoof), SSL interception tools (mitmproxy, sslstrip), DNS spoofing tools (dnschef, mitm6, EvilGinx), and DNS configuration modification commands (netsh, Set-DnsClientServerAddress). Assigns a cumulative suspicion score and categorizes the detection type to guide analyst triage. Higher scores indicate multiple AiTM indicators present simultaneously.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Network engineers using arp -s for legitimate static ARP entry management on servers or network appliances
Security teams running authorized penetration tests or red team exercises using Responder, Bettercap, or Ettercap
IT administrators reconfiguring DNS server settings via netsh or PowerShell during planned network changes
Developers using mitmproxy or similar tools for legitimate web application debugging and API inspection
Commercial network monitoring or DLP solutions that use packet interception techniques and appear under python or similar parent processes

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and (
    process.name : ("responder.exe","bettercap","bettercap.exe","ettercap","ettercap.exe","mitmproxy","mitmdump","mitmweb","dnschef","sslstrip","evilginx","evilginx2","mitm6","mitm6.py") or
    process.args : ("responder","bettercap","ettercap","mitmproxy","ntlmrelayx","smbrelayx","multirelay","dnschef","sslstrip","mitm6","evilginx","arpspoof","impacket-ntlmrelayx") or
    (process.name : ("python.exe","python3","python3.exe") and process.args : ("ntlmrelayx","smbrelayx","responder","mitm6","dnschef","evilginx")) or
    (process.name : "arp.exe" and process.args : "-s") or
    (process.name : "netsh.exe" and process.args : ("interface","dns","set")) or
    (process.name : "powershell.exe" and process.args : "Set-DnsClientServerAddress")
  )]
any where true

OR

process where event.type == "start" and (
  process.name : ("responder.exe","bettercap","bettercap.exe","ettercap","ettercap.exe","mitmproxy","mitmdump","mitmweb","dnschef","sslstrip","evilginx","evilginx2","mitm6") or
  process.command_line : ("*responder*","*ntlmrelayx*","*smbrelayx*","*multirelay*","*bettercap*","*ettercap*","*arpspoof*","*mitmproxy*","*mitmdump*","*sslstrip*","*dnschef*","*mitm6*","*evilginx*","*impacket-ntlmrelayx*","*Set-DnsClientServerAddress*") or
  (process.name : "arp.exe" and process.command_line : "* -s *") or
  (process.name : "netsh.exe" and process.command_line : ("*interface*dns*set*","*int*ip*set*dns*"))
)
| eval detection_category = case(
    process.command_line like "*responder*" or process.command_line like "*ntlmrelayx*" or process.command_line like "*smbrelayx*" or process.command_line like "*multirelay*", "LLMNR_NBT_NS_Relay",
    process.command_line like "*bettercap*" or process.command_line like "*ettercap*" or process.command_line like "*arpspoof*", "ARP_Poisoning",
    process.command_line like "*mitmproxy*" or process.command_line like "*mitmdump*" or process.command_line like "*sslstrip*", "SSL_Interception",
    process.command_line like "*dnschef*" or process.command_line like "*mitm6*" or process.command_line like "*evilginx*", "DNS_Spoofing",
    process.command_line like "*Set-DnsClientServerAddress*" or (process.name == "netsh.exe" and process.command_line like "*dns*"), "DNS_Config_Modification",
    "AiTM_Tool_Other"
  )

Detects execution of known Adversary-in-the-Middle (AiTM) tooling including Responder, Bettercap, Ettercap, mitmproxy, ntlmrelayx, dnschef, mitm6, and EvilGinx2. Also detects DNS server configuration changes via PowerShell or netsh, and static ARP cache manipulation. Covers LLMNR/NBT-NS poisoning, ARP cache poisoning, SSL interception, and DNS spoofing sub-techniques.

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent with Windows integration Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

Network engineers using legitimate ARP utilities for network diagnostics
Security teams running authorized penetration tests with Responder or Bettercap in lab environments
DNS administrators using netsh or PowerShell cmdlets to reconfigure DNS server addresses on workstations
Python-based network tools that share naming conventions with AiTM frameworks (e.g., custom mitmproxy usage for API testing)

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPEID(devicetype) AS log_source_type,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx)' THEN 'LLMNR_NBT_NS_Relay'
    WHEN LOWER("CommandLine") MATCHES '(bettercap|ettercap|arpspoof|arp\s+-s)' THEN 'ARP_Poisoning'
    WHEN LOWER("CommandLine") MATCHES '(mitmproxy|mitmdump|mitmweb|sslstrip)' THEN 'SSL_Interception'
    WHEN LOWER("CommandLine") MATCHES '(dnschef|mitm6|evilginx)' THEN 'DNS_Spoofing'
    WHEN LOWER("CommandLine") MATCHES '(set-dnsclientserveraddress|netsh interface ip set dns|netsh int ip set dns)' THEN 'DNS_Config_Modification'
    ELSE 'AiTM_Tool_Other'
  END AS detection_category
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (
    SELECT id FROM logsourcetypes WHERE name ILIKE '%windows%' OR name ILIKE '%sysmon%' OR name ILIKE '%microsoft%'
  )
  AND starttime > NOW() - 86400000
  AND (
    LOWER("CommandLine") MATCHES '(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx|bettercap|ettercap|arpspoof|mitmproxy|mitmdump|mitmweb|sslstrip|dnschef|mitm6|evilginx|arp-spoof|set-dnsclientserveraddress)'
    OR LOWER("Image") MATCHES '(responder\.exe|bettercap\.exe|ettercap\.exe|mitmproxy|mitmdump|mitmweb|dnschef|evilginx|mitm6)'
    OR (
      LOWER("Image") MATCHES '(python\.exe|python3\.exe|python3)'
      AND LOWER("CommandLine") MATCHES '(ntlmrelayx|smbrelayx|responder|mitm6|dnschef|evilginx|bettercap)'
    )
    OR (
      LOWER("Image") ILIKE '%\\arp.exe'
      AND LOWER("CommandLine") MATCHES '\s-s\s'
    )
    OR (
      LOWER("Image") ILIKE '%\\netsh.exe'
      AND LOWER("CommandLine") MATCHES '(interface.*dns.*set|int.*ip.*set.*dns)'
    )
    OR (
      LOWER("Image") ILIKE '%\\powershell.exe'
      AND LOWER("CommandLine") ILIKE '%Set-DnsClientServerAddress%'
    )
  )
ORDER BY starttime DESC
LIMIT 1000

AQL query for QRadar detecting known AiTM tooling execution via process command line and image name matching. Covers Responder, Bettercap, Ettercap, mitmproxy, ntlmrelayx, dnschef, mitm6, and EvilGinx2 via Windows/Sysmon process creation events. Categorizes detections by AiTM sub-technique.

high severity medium confidence

Data Sources

QRadar Windows Security DSM QRadar Sysmon DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Authorized red team exercises using Responder or ntlmrelayx on isolated lab segments
Network administrators reconfiguring DNS via netsh or PowerShell as part of change management
Security researchers running mitmproxy for web application testing in approved environments
Python developers using packages whose names partially match AiTM tool keywords

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Microsoft-Windows-Sysmon/Operational" OR _sourceCategory="endpoint/process")
| where EventID = 1 OR EventCode = 1
| parse field=CommandLine "*" as cmd_full nodrop
| parse field=Image "*" as image_full nodrop
| toLowerCase(cmd_full) as cmd_lower
| toLowerCase(image_full) as img_lower
| where 
    cmd_lower matches "*(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx|bettercap|ettercap|arpspoof|arp-spoof|mitmproxy|mitmdump|mitmweb|sslstrip|dnschef|mitm6|evilginx|set-dnsclientserveraddress)*"
    OR img_lower matches "*(responder.exe|bettercap|bettercap.exe|ettercap|ettercap.exe|mitmproxy|mitmdump|mitmweb|dnschef|evilginx|evilginx2|mitm6)*"
    OR (img_lower matches "*(python.exe|python3|python3.exe)*" AND cmd_lower matches "*(ntlmrelayx|smbrelayx|responder|mitm6|dnschef|evilginx|bettercap)*")
    OR (img_lower matches "*\\arp.exe*" AND cmd_lower matches "* -s *")
    OR (img_lower matches "*\\netsh.exe*" AND cmd_lower matches "*(interface*dns*set|int*ip*set*dns)*")
| eval IsLLMNRRelay = if(cmd_lower matches "*(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx)*" OR img_lower matches "*(responder.exe|ntlmrelayx)*", 1, 0)
| eval IsARPPoison = if(cmd_lower matches "*(bettercap|ettercap|arpspoof|arp\s+-s)*" OR img_lower matches "*(bettercap.exe|ettercap.exe)*", 1, 0)
| eval IsSSLIntercept = if(cmd_lower matches "*(mitmproxy|mitmdump|mitmweb|sslstrip)*" OR img_lower matches "*(mitmproxy|mitmdump|mitmweb)*", 1, 0)
| eval IsDNSSpoof = if(cmd_lower matches "*(dnschef|mitm6|evilginx)*" OR img_lower matches "*(dnschef|mitm6|evilginx)*", 1, 0)
| eval IsDNSConfig = if(cmd_lower matches "*(set-dnsclientserveraddress|netsh interface ip set dns|netsh int ip set dns)*", 1, 0)
| eval SuspicionScore = IsLLMNRRelay + IsARPPoison + IsSSLIntercept + IsDNSSpoof + IsDNSConfig
| where SuspicionScore > 0
| eval DetectionCategory = if(IsLLMNRRelay=1, "LLMNR_NBT_NS_Relay",
    if(IsARPPoison=1, "ARP_Poisoning",
    if(IsSSLIntercept=1, "SSL_Interception",
    if(IsDNSSpoof=1, "DNS_Spoofing",
    if(IsDNSConfig=1, "DNS_Config_Modification", "AiTM_Tool_Other")))))
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsLLMNRRelay, IsARPPoison, IsSSLIntercept, IsDNSSpoof, IsDNSConfig, SuspicionScore, DetectionCategory
| sort by _messagetime desc

Sumo Logic CQE query detecting AiTM tool execution via Sysmon process creation events. Matches known tool names and keywords for Responder, Bettercap, Ettercap, mitmproxy, ntlmrelayx, dnschef, mitm6, and EvilGinx2. Applies a suspicion score and categorizes detections by AiTM sub-technique type.

high severity high confidence

Data Sources

Sysmon for Windows (Event ID 1) Sumo Logic Windows Event Log Source Sumo Logic Installed Collector with Sysmon

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=WinEventLog/Microsoft-Windows-Sysmon/Operational

False Positives

Authorized penetration testers running Responder or ntlmrelayx during sanctioned assessments
DNS administrators using netsh or Set-DnsClientServerAddress for routine DNS reconfigurations
Security tooling that proxies traffic via mitmproxy for SSL inspection or API debugging in dev environments
Python scripts with names or arguments coincidentally matching AiTM tool keywords

Google Chronicle / SecOps

yaral

rule aitm_tool_execution_t1557 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects execution of known Adversary-in-the-Middle (AiTM) tools including Responder, Bettercap, Ettercap, mitmproxy, ntlmrelayx, dnschef, mitm6, and EvilGinx2. Also detects DNS config modification via netsh and PowerShell. Maps to MITRE ATT&CK T1557 and sub-techniques T1557.001, T1557.002, T1557.003."
    mitre_attack_tactic = "Collection, Credential Access"
    mitre_attack_technique = "T1557"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i)(responder\.exe|bettercap|bettercap\.exe|ettercap|ettercap\.exe|mitmproxy|mitmdump|mitmweb|dnschef|sslstrip|evilginx|evilginx2|mitm6)`) OR
      re.regex($e.target.process.command_line, `(?i)(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx|bettercap|ettercap|arpspoof|arp-spoof|mitmproxy|mitmdump|mitmweb|sslstrip|dnschef|mitm6|evilginx|set-dnsclientserveraddress)`) OR
      (
        re.regex($e.principal.process.file.full_path, `(?i)(python\.exe|python3\.exe|python3)`) AND
        re.regex($e.target.process.command_line, `(?i)(ntlmrelayx|smbrelayx|responder|mitm6|dnschef|evilginx|bettercap)`)
      ) OR
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\arp\.exe`) AND
        re.regex($e.target.process.command_line, `(?i)\s-s\s`)
      ) OR
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\netsh\.exe`) AND
        re.regex($e.target.process.command_line, `(?i)(interface.*dns.*set|int.*ip.*set.*dns)`)
      ) OR
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\powershell\.exe`) AND
        re.regex($e.target.process.command_line, `(?i)set-dnsclientserveraddress`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting AiTM tool execution by matching process launch events against known AiTM tool names and command-line keywords using UDM field model. Covers LLMNR/NBT-NS relay, ARP poisoning, SSL interception, DNS spoofing, and DNS configuration modification attack patterns.

high severity high confidence

Data Sources

Chronicle UDM Process Launch Events Google Chronicle with Windows Event Forwarding Chronicle Endpoint Detection telemetry

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Red team operators conducting authorized adversary simulation exercises with Responder or Bettercap
Network administrators modifying DNS server settings via netsh or PowerShell during approved change windows
Security researchers using mitmproxy or sslstrip for web application security assessments
Python-based automation scripts that include argument strings matching AiTM tool names

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale (CQL) — AiTM Tool Execution Detection T1557
#event_simpleName=ProcessRollup2
| eval cmd_lower = lower(CommandLine)
| eval img_lower = lower(ImageFileName)
| eval IsLLMNRRelay = if(
    match(field=cmd_lower, regex="(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx)") OR
    match(field=img_lower, regex="(responder\.exe|ntlmrelayx)"),
    "1", "0")
| eval IsARPPoison = if(
    match(field=cmd_lower, regex="(bettercap|ettercap|arpspoof|arp\s+-s)") OR
    match(field=img_lower, regex="(bettercap\.exe|ettercap\.exe)"),
    "1", "0")
| eval IsSSLIntercept = if(
    match(field=cmd_lower, regex="(mitmproxy|mitmdump|mitmweb|sslstrip)") OR
    match(field=img_lower, regex="(mitmproxy|mitmdump|mitmweb)"),
    "1", "0")
| eval IsDNSSpoof = if(
    match(field=cmd_lower, regex="(dnschef|mitm6|evilginx)") OR
    match(field=img_lower, regex="(dnschef|mitm6|evilginx)"),
    "1", "0")
| eval IsDNSConfig = if(
    match(field=cmd_lower, regex="(set-dnsclientserveraddress|netsh interface ip set dns|netsh int ip set dns)"),
    "1", "0")
| eval IsPythonAiTM = if(
    match(field=img_lower, regex="(python\.exe|python3\.exe|python3)") AND
    match(field=cmd_lower, regex="(ntlmrelayx|smbrelayx|responder|mitm6|dnschef|evilginx|bettercap)"),
    "1", "0")
| eval SuspicionScore = tonumber(IsLLMNRRelay) + tonumber(IsARPPoison) + tonumber(IsSSLIntercept) + tonumber(IsDNSSpoof) + tonumber(IsDNSConfig) + tonumber(IsPythonAiTM)
| where SuspicionScore > 0
| eval DetectionCategory = case(
    IsLLMNRRelay=="1", "LLMNR_NBT_NS_Relay",
    IsARPPoison=="1", "ARP_Poisoning",
    IsSSLIntercept=="1", "SSL_Interception",
    IsDNSSpoof=="1", "DNS_Spoofing",
    IsDNSConfig=="1", "DNS_Config_Modification",
    "AiTM_Tool_Other")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsLLMNRRelay, IsARPPoison, IsSSLIntercept, IsDNSSpoof, IsDNSConfig, IsPythonAiTM, SuspicionScore, DetectionCategory])
| sort(field=timestamp, order=desc)

CrowdStrike LogScale (Falcon) CQL query detecting AiTM tool execution via ProcessRollup2 events. Matches known tool names and command-line indicators for Responder, Bettercap, Ettercap, mitmproxy, ntlmrelayx, dnschef, mitm6, and EvilGinx2. Includes Python-wrapped AiTM script detection and DNS configuration modification patterns. Outputs suspicion scoring and per-category classification.

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon ProcessRollup2 telemetry CrowdStrike LogScale SIEM

Required Tables

ProcessRollup2 events via #event_simpleName

False Positives

CrowdStrike Falcon sensor telemetry from authorized red team endpoints during penetration testing engagements
Network engineers using arp.exe with -s flag for legitimate static ARP entry management
DNS administrators running netsh or Set-DnsClientServerAddress as part of approved infrastructure changes
Development teams using mitmproxy or mitmdump for HTTP/HTTPS API traffic inspection in non-production environments

Sigma rule & cross-platform mapping

The detection logic for Adversary-in-the-Middle (T1557) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1557 Sigma rules on detection.fyi

Platform-specific guides for T1557

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (10)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1ARP Static Entry Manipulation (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\arp.exe, CommandLine='arp -s 192.168.100.254 00-AA-BB-CC-DD-EE'. Security Event ID 4688 (if command-line auditing is enabled). No network events expected as this is a local table modification.
Test 2DNS Server Change via netsh (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netsh.exe, CommandLine containing 'interface ip set dns'. Sysmon Event ID 13: Registry value set under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer with new value '127.0.0.1'.
Test 3DNS Server Change via PowerShell (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Set-DnsClientServerAddress'. Sysmon Event ID 13: Registry modification at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer. PowerShell ScriptBlock Log Event ID 4104 showing the Set-DnsClientServerAddress call.
Test 4ARP Poisoning Tool Execution — arpspoof (Linux)
Expected signal: Syslog or auditd process creation event for arpspoof. On systems with Sysmon for Linux (sysmonforlinux): Event ID 1 Process Create with Image path to arpspoof binary and CommandLine '-i lo -t 127.0.0.1 127.0.0.2'. Auditd syscall records for execve with the arpspoof arguments.
Test 5mitmproxy SSL Interception Tool Invocation (Linux/macOS)
Expected signal: Process creation event for mitmproxy binary (path varies by pip install location, typically ~/.local/bin/mitmproxy or /usr/local/bin/mitmproxy). Sysmon Event ID 1 (if Sysmon for Linux deployed) with Image containing 'mitmproxy' and CommandLine '--version'. Auditd EXECVE syscall record.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1557 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0006Credential Access TA0009Collection

Adversary-in-the-Middle

What is T1557 Adversary-in-the-Middle?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1557

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (4)

Related Techniques

Same Tactic: Credential Access

Popular Detections

What is T1557 Adversary-in-the-Middle?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1557

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (4)

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox