T1557

Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (T1040), Transmitted Data Manipulation (T1565.002), or replay attacks. By abusing features of common networking protocols (ARP, DNS, LLMNR, DHCP), adversaries force devices to communicate through an adversary-controlled system to harvest credentials, session tokens, and sensitive data. Sub-techniques include LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001), ARP Cache Poisoning (T1557.002), DHCP Spoofing (T1557.003), and Evil Twin wireless attacks (T1557.004). Common attack frameworks include Responder, Bettercap, Ettercap, ntlmrelayx, mitmproxy, dnschef, and EvilGinx2. Threat groups including Kimsuky, Sea Turtle, and Mustang Panda have leveraged AiTM positioning for large-scale credential theft, session hijacking, and DNS record manipulation at service providers.

Microsoft Sentinel / Defender

kusto

let AiTMToolNames = dynamic([
  "responder.exe", "bettercap", "bettercap.exe", "ettercap", "ettercap.exe",
  "mitmproxy", "mitmdump", "mitmweb", "dnschef", "sslstrip",
  "ntlmrelayx.py", "smbrelayx.py", "multirelay.py",
  "evilginx", "evilginx2", "mitm6", "mitm6.py"
]);
let AiTMKeywords = dynamic([
  "responder", "bettercap", "ettercap", "mitmproxy", "ntlmrelayx",
  "smbrelayx", "multirelay", "dnschef", "sslstrip", "mitm6",
  "evilginx", "arpspoof", "arp-spoof", "impacket-ntlmrelayx"
]);
let ProcessDetections =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (AiTMToolNames)
    or ProcessCommandLine has_any (AiTMKeywords)
    or (FileName =~ "arp.exe" and ProcessCommandLine has "-s" and ProcessCommandLine has ".")
    or (FileName in~ ("python.exe", "python3", "python3.exe") and ProcessCommandLine has_any (AiTMKeywords))
    or (FileName =~ "netsh.exe" and ProcessCommandLine has "interface" and ProcessCommandLine has "dns" and ProcessCommandLine has "set")
    or (FileName =~ "powershell.exe" and ProcessCommandLine has "Set-DnsClientServerAddress")
| extend DetectionCategory = case(
    ProcessCommandLine has_any (["responder", "ntlmrelayx", "smbrelayx", "multirelay"]), "LLMNR_NBT_NS_Relay",
    ProcessCommandLine has_any (["bettercap", "ettercap", "arpspoof", "arp-spoof"]) or (FileName =~ "arp.exe" and ProcessCommandLine has "-s"), "ARP_Poisoning",
    ProcessCommandLine has_any (["mitmproxy", "mitmdump", "mitmweb", "sslstrip"]), "SSL_Interception",
    ProcessCommandLine has_any (["dnschef", "mitm6", "evilginx"]), "DNS_Spoofing",
    ProcessCommandLine has "Set-DnsClientServerAddress" or (FileName =~ "netsh.exe" and ProcessCommandLine has "dns"), "DNS_Config_Modification",
    "AiTM_Tool_Other"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionCategory,
    ActivityType="ProcessExecution";
let RegistryDetections =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("Tcpip", "Parameters", "Interfaces")
| where RegistryValueName in~ ("NameServer", "DhcpNameServer")
| where isnotempty(RegistryValueData) and RegistryValueData !in ("", "0.0.0.0", "fec0:0:0:ffff::1")
| extend DetectionCategory = "DNS_Server_Registry_Modification"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
    FileName=InitiatingProcessFileName,
    ProcessCommandLine=InitiatingProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionCategory, ActivityType="RegistryModification";
union ProcessDetections, RegistryDetections
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Network engineers using arp -s for legitimate static ARP entry management on servers or network appliances
Security teams running authorized penetration tests or red team exercises using Responder, Bettercap, or Ettercap in approved lab segments
IT administrators reconfiguring DNS server settings via netsh or Set-DnsClientServerAddress during planned network migrations or failover procedures
Developers using mitmproxy, Burp Suite, or Charles Proxy for legitimate web application debugging, API testing, or certificate inspection
DHCP server changes during authorized network infrastructure replacements causing DNS server registry updates across endpoints

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmd_lower=lower(CommandLine)
| eval img_lower=lower(Image)
| eval IsLLMNRRelayTool=if(
    match(cmd_lower, "(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx)") OR
    match(img_lower, "(responder\.exe|ntlmrelayx)"),
    1, 0)
| eval IsARPPoisonTool=if(
    match(cmd_lower, "(bettercap|ettercap|arpspoof|arp\s+-s\s+\d+\.)") OR
    match(img_lower, "(bettercap\.exe|ettercap\.exe)"),
    1, 0)
| eval IsSSLInterceptTool=if(
    match(cmd_lower, "(mitmproxy|mitmdump|mitmweb|sslstrip)") OR
    match(img_lower, "(mitmproxy|mitmdump|mitmweb)"),
    1, 0)
| eval IsDNSSpoofTool=if(
    match(cmd_lower, "(dnschef|mitm6|evilginx)") OR
    match(img_lower, "(dnschef|mitm6|evilginx)"),
    1, 0)
| eval IsDNSConfigChange=if(
    match(cmd_lower, "(set-dnsclientserveraddress|netsh interface ip set dns|netsh int ip set dns)"),
    1, 0)
| eval SuspicionScore=IsLLMNRRelayTool + IsARPPoisonTool + IsSSLInterceptTool + IsDNSSpoofTool + IsDNSConfigChange
| where SuspicionScore > 0
| eval DetectionCategory=case(
    IsLLMNRRelayTool=1, "LLMNR_NBT_NS_Relay",
    IsARPPoisonTool=1, "ARP_Poisoning",
    IsSSLInterceptTool=1, "SSL_Interception",
    IsDNSSpoofTool=1, "DNS_Spoofing",
    IsDNSConfigChange=1, "DNS_Config_Modification",
    true(), "AiTM_Tool_Other"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
    IsLLMNRRelayTool, IsARPPoisonTool, IsSSLInterceptTool, IsDNSSpoofTool, IsDNSConfigChange,
    SuspicionScore, DetectionCategory
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Network engineers using arp -s for legitimate static ARP entry management on servers or network appliances
Security teams running authorized penetration tests or red team exercises using Responder, Bettercap, or Ettercap
IT administrators reconfiguring DNS server settings via netsh or PowerShell during planned network changes
Developers using mitmproxy or similar tools for legitimate web application debugging and API inspection
Commercial network monitoring or DLP solutions that use packet interception techniques and appear under python or similar parent processes

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and (
    process.name : ("responder.exe","bettercap","bettercap.exe","ettercap","ettercap.exe","mitmproxy","mitmdump","mitmweb","dnschef","sslstrip","evilginx","evilginx2","mitm6","mitm6.py") or
    process.args : ("responder","bettercap","ettercap","mitmproxy","ntlmrelayx","smbrelayx","multirelay","dnschef","sslstrip","mitm6","evilginx","arpspoof","impacket-ntlmrelayx") or
    (process.name : ("python.exe","python3","python3.exe") and process.args : ("ntlmrelayx","smbrelayx","responder","mitm6","dnschef","evilginx")) or
    (process.name : "arp.exe" and process.args : "-s") or
    (process.name : "netsh.exe" and process.args : ("interface","dns","set")) or
    (process.name : "powershell.exe" and process.args : "Set-DnsClientServerAddress")
  )]
any where true

OR

process where event.type == "start" and (
  process.name : ("responder.exe","bettercap","bettercap.exe","ettercap","ettercap.exe","mitmproxy","mitmdump","mitmweb","dnschef","sslstrip","evilginx","evilginx2","mitm6") or
  process.command_line : ("*responder*","*ntlmrelayx*","*smbrelayx*","*multirelay*","*bettercap*","*ettercap*","*arpspoof*","*mitmproxy*","*mitmdump*","*sslstrip*","*dnschef*","*mitm6*","*evilginx*","*impacket-ntlmrelayx*","*Set-DnsClientServerAddress*") or
  (process.name : "arp.exe" and process.command_line : "* -s *") or
  (process.name : "netsh.exe" and process.command_line : ("*interface*dns*set*","*int*ip*set*dns*"))
)
| eval detection_category = case(
    process.command_line like "*responder*" or process.command_line like "*ntlmrelayx*" or process.command_line like "*smbrelayx*" or process.command_line like "*multirelay*", "LLMNR_NBT_NS_Relay",
    process.command_line like "*bettercap*" or process.command_line like "*ettercap*" or process.command_line like "*arpspoof*", "ARP_Poisoning",
    process.command_line like "*mitmproxy*" or process.command_line like "*mitmdump*" or process.command_line like "*sslstrip*", "SSL_Interception",
    process.command_line like "*dnschef*" or process.command_line like "*mitm6*" or process.command_line like "*evilginx*", "DNS_Spoofing",
    process.command_line like "*Set-DnsClientServerAddress*" or (process.name == "netsh.exe" and process.command_line like "*dns*"), "DNS_Config_Modification",
    "AiTM_Tool_Other"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent with Windows integration Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

Network engineers using legitimate ARP utilities for network diagnostics
Security teams running authorized penetration tests with Responder or Bettercap in lab environments
DNS administrators using netsh or PowerShell cmdlets to reconfigure DNS server addresses on workstations
Python-based network tools that share naming conventions with AiTM frameworks (e.g., custom mitmproxy usage for API testing)

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPEID(devicetype) AS log_source_type,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx)' THEN 'LLMNR_NBT_NS_Relay'
    WHEN LOWER("CommandLine") MATCHES '(bettercap|ettercap|arpspoof|arp\s+-s)' THEN 'ARP_Poisoning'
    WHEN LOWER("CommandLine") MATCHES '(mitmproxy|mitmdump|mitmweb|sslstrip)' THEN 'SSL_Interception'
    WHEN LOWER("CommandLine") MATCHES '(dnschef|mitm6|evilginx)' THEN 'DNS_Spoofing'
    WHEN LOWER("CommandLine") MATCHES '(set-dnsclientserveraddress|netsh interface ip set dns|netsh int ip set dns)' THEN 'DNS_Config_Modification'
    ELSE 'AiTM_Tool_Other'
  END AS detection_category
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (
    SELECT id FROM logsourcetypes WHERE name ILIKE '%windows%' OR name ILIKE '%sysmon%' OR name ILIKE '%microsoft%'
  )
  AND starttime > NOW() - 86400000
  AND (
    LOWER("CommandLine") MATCHES '(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx|bettercap|ettercap|arpspoof|mitmproxy|mitmdump|mitmweb|sslstrip|dnschef|mitm6|evilginx|arp-spoof|set-dnsclientserveraddress)'
    OR LOWER("Image") MATCHES '(responder\.exe|bettercap\.exe|ettercap\.exe|mitmproxy|mitmdump|mitmweb|dnschef|evilginx|mitm6)'
    OR (
      LOWER("Image") MATCHES '(python\.exe|python3\.exe|python3)'
      AND LOWER("CommandLine") MATCHES '(ntlmrelayx|smbrelayx|responder|mitm6|dnschef|evilginx|bettercap)'
    )
    OR (
      LOWER("Image") ILIKE '%\\arp.exe'
      AND LOWER("CommandLine") MATCHES '\s-s\s'
    )
    OR (
      LOWER("Image") ILIKE '%\\netsh.exe'
      AND LOWER("CommandLine") MATCHES '(interface.*dns.*set|int.*ip.*set.*dns)'
    )
    OR (
      LOWER("Image") ILIKE '%\\powershell.exe'
      AND LOWER("CommandLine") ILIKE '%Set-DnsClientServerAddress%'
    )
  )
ORDER BY starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

QRadar Windows Security DSM QRadar Sysmon DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Authorized red team exercises using Responder or ntlmrelayx on isolated lab segments
Network administrators reconfiguring DNS via netsh or PowerShell as part of change management
Security researchers running mitmproxy for web application testing in approved environments
Python developers using packages whose names partially match AiTM tool keywords

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Microsoft-Windows-Sysmon/Operational" OR _sourceCategory="endpoint/process")
| where EventID = 1 OR EventCode = 1
| parse field=CommandLine "*" as cmd_full nodrop
| parse field=Image "*" as image_full nodrop
| toLowerCase(cmd_full) as cmd_lower
| toLowerCase(image_full) as img_lower
| where 
    cmd_lower matches "*(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx|bettercap|ettercap|arpspoof|arp-spoof|mitmproxy|mitmdump|mitmweb|sslstrip|dnschef|mitm6|evilginx|set-dnsclientserveraddress)*"
    OR img_lower matches "*(responder.exe|bettercap|bettercap.exe|ettercap|ettercap.exe|mitmproxy|mitmdump|mitmweb|dnschef|evilginx|evilginx2|mitm6)*"
    OR (img_lower matches "*(python.exe|python3|python3.exe)*" AND cmd_lower matches "*(ntlmrelayx|smbrelayx|responder|mitm6|dnschef|evilginx|bettercap)*")
    OR (img_lower matches "*\\arp.exe*" AND cmd_lower matches "* -s *")
    OR (img_lower matches "*\\netsh.exe*" AND cmd_lower matches "*(interface*dns*set|int*ip*set*dns)*")
| eval IsLLMNRRelay = if(cmd_lower matches "*(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx)*" OR img_lower matches "*(responder.exe|ntlmrelayx)*", 1, 0)
| eval IsARPPoison = if(cmd_lower matches "*(bettercap|ettercap|arpspoof|arp\s+-s)*" OR img_lower matches "*(bettercap.exe|ettercap.exe)*", 1, 0)
| eval IsSSLIntercept = if(cmd_lower matches "*(mitmproxy|mitmdump|mitmweb|sslstrip)*" OR img_lower matches "*(mitmproxy|mitmdump|mitmweb)*", 1, 0)
| eval IsDNSSpoof = if(cmd_lower matches "*(dnschef|mitm6|evilginx)*" OR img_lower matches "*(dnschef|mitm6|evilginx)*", 1, 0)
| eval IsDNSConfig = if(cmd_lower matches "*(set-dnsclientserveraddress|netsh interface ip set dns|netsh int ip set dns)*", 1, 0)
| eval SuspicionScore = IsLLMNRRelay + IsARPPoison + IsSSLIntercept + IsDNSSpoof + IsDNSConfig
| where SuspicionScore > 0
| eval DetectionCategory = if(IsLLMNRRelay=1, "LLMNR_NBT_NS_Relay",
    if(IsARPPoison=1, "ARP_Poisoning",
    if(IsSSLIntercept=1, "SSL_Interception",
    if(IsDNSSpoof=1, "DNS_Spoofing",
    if(IsDNSConfig=1, "DNS_Config_Modification", "AiTM_Tool_Other")))))
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsLLMNRRelay, IsARPPoison, IsSSLIntercept, IsDNSSpoof, IsDNSConfig, SuspicionScore, DetectionCategory
| sort by _messagetime desc

high severity high confidence

Data Sources

Sysmon for Windows (Event ID 1) Sumo Logic Windows Event Log Source Sumo Logic Installed Collector with Sysmon

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=WinEventLog/Microsoft-Windows-Sysmon/Operational

False Positives

Authorized penetration testers running Responder or ntlmrelayx during sanctioned assessments
DNS administrators using netsh or Set-DnsClientServerAddress for routine DNS reconfigurations
Security tooling that proxies traffic via mitmproxy for SSL inspection or API debugging in dev environments
Python scripts with names or arguments coincidentally matching AiTM tool keywords

Google Chronicle / SecOps

yaral

rule aitm_tool_execution_t1557 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects execution of known Adversary-in-the-Middle (AiTM) tools including Responder, Bettercap, Ettercap, mitmproxy, ntlmrelayx, dnschef, mitm6, and EvilGinx2. Also detects DNS config modification via netsh and PowerShell. Maps to MITRE ATT&CK T1557 and sub-techniques T1557.001, T1557.002, T1557.003."
    mitre_attack_tactic = "Collection, Credential Access"
    mitre_attack_technique = "T1557"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i)(responder\.exe|bettercap|bettercap\.exe|ettercap|ettercap\.exe|mitmproxy|mitmdump|mitmweb|dnschef|sslstrip|evilginx|evilginx2|mitm6)`) OR
      re.regex($e.target.process.command_line, `(?i)(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx|bettercap|ettercap|arpspoof|arp-spoof|mitmproxy|mitmdump|mitmweb|sslstrip|dnschef|mitm6|evilginx|set-dnsclientserveraddress)`) OR
      (
        re.regex($e.principal.process.file.full_path, `(?i)(python\.exe|python3\.exe|python3)`) AND
        re.regex($e.target.process.command_line, `(?i)(ntlmrelayx|smbrelayx|responder|mitm6|dnschef|evilginx|bettercap)`)
      ) OR
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\arp\.exe`) AND
        re.regex($e.target.process.command_line, `(?i)\s-s\s`)
      ) OR
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\netsh\.exe`) AND
        re.regex($e.target.process.command_line, `(?i)(interface.*dns.*set|int.*ip.*set.*dns)`)
      ) OR
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\powershell\.exe`) AND
        re.regex($e.target.process.command_line, `(?i)set-dnsclientserveraddress`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM Process Launch Events Google Chronicle with Windows Event Forwarding Chronicle Endpoint Detection telemetry

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Red team operators conducting authorized adversary simulation exercises with Responder or Bettercap
Network administrators modifying DNS server settings via netsh or PowerShell during approved change windows
Security researchers using mitmproxy or sslstrip for web application security assessments
Python-based automation scripts that include argument strings matching AiTM tool names

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale (CQL) — AiTM Tool Execution Detection T1557
#event_simpleName=ProcessRollup2
| eval cmd_lower = lower(CommandLine)
| eval img_lower = lower(ImageFileName)
| eval IsLLMNRRelay = if(
    match(field=cmd_lower, regex="(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx)") OR
    match(field=img_lower, regex="(responder\.exe|ntlmrelayx)"),
    "1", "0")
| eval IsARPPoison = if(
    match(field=cmd_lower, regex="(bettercap|ettercap|arpspoof|arp\s+-s)") OR
    match(field=img_lower, regex="(bettercap\.exe|ettercap\.exe)"),
    "1", "0")
| eval IsSSLIntercept = if(
    match(field=cmd_lower, regex="(mitmproxy|mitmdump|mitmweb|sslstrip)") OR
    match(field=img_lower, regex="(mitmproxy|mitmdump|mitmweb)"),
    "1", "0")
| eval IsDNSSpoof = if(
    match(field=cmd_lower, regex="(dnschef|mitm6|evilginx)") OR
    match(field=img_lower, regex="(dnschef|mitm6|evilginx)"),
    "1", "0")
| eval IsDNSConfig = if(
    match(field=cmd_lower, regex="(set-dnsclientserveraddress|netsh interface ip set dns|netsh int ip set dns)"),
    "1", "0")
| eval IsPythonAiTM = if(
    match(field=img_lower, regex="(python\.exe|python3\.exe|python3)") AND
    match(field=cmd_lower, regex="(ntlmrelayx|smbrelayx|responder|mitm6|dnschef|evilginx|bettercap)"),
    "1", "0")
| eval SuspicionScore = tonumber(IsLLMNRRelay) + tonumber(IsARPPoison) + tonumber(IsSSLIntercept) + tonumber(IsDNSSpoof) + tonumber(IsDNSConfig) + tonumber(IsPythonAiTM)
| where SuspicionScore > 0
| eval DetectionCategory = case(
    IsLLMNRRelay=="1", "LLMNR_NBT_NS_Relay",
    IsARPPoison=="1", "ARP_Poisoning",
    IsSSLIntercept=="1", "SSL_Interception",
    IsDNSSpoof=="1", "DNS_Spoofing",
    IsDNSConfig=="1", "DNS_Config_Modification",
    "AiTM_Tool_Other")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsLLMNRRelay, IsARPPoison, IsSSLIntercept, IsDNSSpoof, IsDNSConfig, IsPythonAiTM, SuspicionScore, DetectionCategory])
| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon ProcessRollup2 telemetry CrowdStrike LogScale SIEM

Required Tables

ProcessRollup2 events via #event_simpleName

False Positives

CrowdStrike Falcon sensor telemetry from authorized red team endpoints during penetration testing engagements
Network engineers using arp.exe with -s flag for legitimate static ARP entry management
DNS administrators running netsh or Set-DnsClientServerAddress as part of approved infrastructure changes
Development teams using mitmproxy or mitmdump for HTTP/HTTPS API traffic inspection in non-production environments

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1557 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Adversary-in-the-Middle

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Credential Access

Popular Detections