Detect Adversary-in-the-Middle in Microsoft Sentinel
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (T1040), Transmitted Data Manipulation (T1565.002), or replay attacks. By abusing features of common networking protocols (ARP, DNS, LLMNR, DHCP), adversaries force devices to communicate through an adversary-controlled system to harvest credentials, session tokens, and sensitive data. Sub-techniques include LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001), ARP Cache Poisoning (T1557.002), DHCP Spoofing (T1557.003), and Evil Twin wireless attacks (T1557.004). Common attack frameworks include Responder, Bettercap, Ettercap, ntlmrelayx, mitmproxy, dnschef, and EvilGinx2. Threat groups including Kimsuky, Sea Turtle, and Mustang Panda have leveraged AiTM positioning for large-scale credential theft, session hijacking, and DNS record manipulation at service providers.
MITRE ATT&CK
- Tactic
- Credential Access Collection
- Technique
- T1557 Adversary-in-the-Middle
- Canonical reference
- https://attack.mitre.org/techniques/T1557/
KQL Detection Query
let AiTMToolNames = dynamic([
"responder.exe", "bettercap", "bettercap.exe", "ettercap", "ettercap.exe",
"mitmproxy", "mitmdump", "mitmweb", "dnschef", "sslstrip",
"ntlmrelayx.py", "smbrelayx.py", "multirelay.py",
"evilginx", "evilginx2", "mitm6", "mitm6.py"
]);
let AiTMKeywords = dynamic([
"responder", "bettercap", "ettercap", "mitmproxy", "ntlmrelayx",
"smbrelayx", "multirelay", "dnschef", "sslstrip", "mitm6",
"evilginx", "arpspoof", "arp-spoof", "impacket-ntlmrelayx"
]);
let ProcessDetections =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (AiTMToolNames)
or ProcessCommandLine has_any (AiTMKeywords)
or (FileName =~ "arp.exe" and ProcessCommandLine has "-s" and ProcessCommandLine has ".")
or (FileName in~ ("python.exe", "python3", "python3.exe") and ProcessCommandLine has_any (AiTMKeywords))
or (FileName =~ "netsh.exe" and ProcessCommandLine has "interface" and ProcessCommandLine has "dns" and ProcessCommandLine has "set")
or (FileName =~ "powershell.exe" and ProcessCommandLine has "Set-DnsClientServerAddress")
| extend DetectionCategory = case(
ProcessCommandLine has_any (["responder", "ntlmrelayx", "smbrelayx", "multirelay"]), "LLMNR_NBT_NS_Relay",
ProcessCommandLine has_any (["bettercap", "ettercap", "arpspoof", "arp-spoof"]) or (FileName =~ "arp.exe" and ProcessCommandLine has "-s"), "ARP_Poisoning",
ProcessCommandLine has_any (["mitmproxy", "mitmdump", "mitmweb", "sslstrip"]), "SSL_Interception",
ProcessCommandLine has_any (["dnschef", "mitm6", "evilginx"]), "DNS_Spoofing",
ProcessCommandLine has "Set-DnsClientServerAddress" or (FileName =~ "netsh.exe" and ProcessCommandLine has "dns"), "DNS_Config_Modification",
"AiTM_Tool_Other"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionCategory,
ActivityType="ProcessExecution";
let RegistryDetections =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("Tcpip", "Parameters", "Interfaces")
| where RegistryValueName in~ ("NameServer", "DhcpNameServer")
| where isnotempty(RegistryValueData) and RegistryValueData !in ("", "0.0.0.0", "fec0:0:0:ffff::1")
| extend DetectionCategory = "DNS_Server_Registry_Modification"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
FileName=InitiatingProcessFileName,
ProcessCommandLine=InitiatingProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionCategory, ActivityType="RegistryModification";
union ProcessDetections, RegistryDetections
| sort by Timestamp descDetects Adversary-in-the-Middle tool execution and network configuration manipulation using Microsoft Defender for Endpoint tables. Combines a DeviceProcessEvents query identifying known AiTM tool binaries and command-line keywords (Responder, Bettercap, Ettercap, mitmproxy, ntlmrelayx, EvilGinx2, mitm6, dnschef, sslstrip, arpspoof), suspicious ARP table manipulation via arp.exe, and DNS configuration changes via netsh or PowerShell with a DeviceRegistryEvents query detecting DNS server registry modifications under the TCP/IP interface keys. Results are categorized by AiTM sub-technique variant to assist analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Network engineers using arp -s for legitimate static ARP entry management on servers or network appliances
- Security teams running authorized penetration tests or red team exercises using Responder, Bettercap, or Ettercap in approved lab segments
- IT administrators reconfiguring DNS server settings via netsh or Set-DnsClientServerAddress during planned network migrations or failover procedures
- Developers using mitmproxy, Burp Suite, or Charles Proxy for legitimate web application debugging, API testing, or certificate inspection
- DHCP server changes during authorized network infrastructure replacements causing DNS server registry updates across endpoints
Other platforms for T1557
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ARP Static Entry Manipulation (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\arp.exe, CommandLine='arp -s 192.168.100.254 00-AA-BB-CC-DD-EE'. Security Event ID 4688 (if command-line auditing is enabled). No network events expected as this is a local table modification.
- Test 2DNS Server Change via netsh (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netsh.exe, CommandLine containing 'interface ip set dns'. Sysmon Event ID 13: Registry value set under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer with new value '127.0.0.1'.
- Test 3DNS Server Change via PowerShell (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Set-DnsClientServerAddress'. Sysmon Event ID 13: Registry modification at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer. PowerShell ScriptBlock Log Event ID 4104 showing the Set-DnsClientServerAddress call.
- Test 4ARP Poisoning Tool Execution — arpspoof (Linux)
Expected signal: Syslog or auditd process creation event for arpspoof. On systems with Sysmon for Linux (sysmonforlinux): Event ID 1 Process Create with Image path to arpspoof binary and CommandLine '-i lo -t 127.0.0.1 127.0.0.2'. Auditd syscall records for execve with the arpspoof arguments.
- Test 5mitmproxy SSL Interception Tool Invocation (Linux/macOS)
Expected signal: Process creation event for mitmproxy binary (path varies by pip install location, typically ~/.local/bin/mitmproxy or /usr/local/bin/mitmproxy). Sysmon Event ID 1 (if Sysmon for Linux deployed) with Image containing 'mitmproxy' and CommandLine '--version'. Auditd EXECVE syscall record.
References (12)
- https://attack.mitre.org/techniques/T1557/
- https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/
- https://github.com/lgandx/Responder
- https://www.bettercap.org/
- https://github.com/mitmproxy/mitmproxy
- https://github.com/kgretzky/evilginx2
- https://github.com/fox-it/mitm6
- https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/
- https://blog.talosintelligence.com/sea-turtle/
- https://github.com/SecureAuthCorp/impacket/blob/master/impacket/examples/ntlmrelayx/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/ipam/dns-resource-record-management
Unlock Pro Content
Get the full detection package for T1557 including response playbook, investigation guide, and atomic red team tests.