T1557 Sumo Logic CSE · Sumo

Detect Adversary-in-the-Middle in Sumo Logic CSE

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (T1040), Transmitted Data Manipulation (T1565.002), or replay attacks. By abusing features of common networking protocols (ARP, DNS, LLMNR, DHCP), adversaries force devices to communicate through an adversary-controlled system to harvest credentials, session tokens, and sensitive data. Sub-techniques include LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001), ARP Cache Poisoning (T1557.002), DHCP Spoofing (T1557.003), and Evil Twin wireless attacks (T1557.004). Common attack frameworks include Responder, Bettercap, Ettercap, ntlmrelayx, mitmproxy, dnschef, and EvilGinx2. Threat groups including Kimsuky, Sea Turtle, and Mustang Panda have leveraged AiTM positioning for large-scale credential theft, session hijacking, and DNS record manipulation at service providers.

MITRE ATT&CK

Tactic
Credential Access, Collection
Technique
T1557 Adversary-in-the-Middle
Canonical reference
https://attack.mitre.org/techniques/T1557/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Microsoft-Windows-Sysmon/Operational" OR _sourceCategory="endpoint/process")
| where EventID = 1 OR EventCode = 1
| toLowerCase(CommandLine) as cmd_lower
| toLowerCase(Image) as img_lower
// Patterns use Sumo regex syntax (/.../): the glob form "*...*" has no (a|b) alternation
| where
    cmd_lower matches /.*(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx|bettercap|ettercap|arpspoof|arp-spoof|mitmproxy|mitmdump|mitmweb|sslstrip|dnschef|mitm6|evilginx|set-dnsclientserveraddress).*/
    OR img_lower matches /.*(responder\.exe|bettercap(\.exe)?|ettercap(\.exe)?|mitmproxy|mitmdump|mitmweb|dnschef|evilginx2?|mitm6).*/
    OR (img_lower matches /.*python[0-9.]*(\.exe)?$/ AND cmd_lower matches /.*(ntlmrelayx|smbrelayx|responder|mitm6|dnschef|evilginx|bettercap).*/)
    OR (img_lower matches /.*\\arp\.exe$/ AND cmd_lower matches /.*\s-s\s.*/)
    OR (img_lower matches /.*\\netsh\.exe$/ AND cmd_lower matches /.*int(erface)?\s+ip(v4)?\s+set\s+dns(servers)?.*/)
// Sumo has no eval: derive each flag with if(condition, 1, 0) as <field>
| if(cmd_lower matches /.*(responder|ntlmrelayx|smbrelayx|multirelay|impacket-ntlmrelayx).*/ OR img_lower matches /.*(responder\.exe|ntlmrelayx).*/, 1, 0) as IsLLMNRRelay
| if(cmd_lower matches /.*(bettercap|ettercap|arpspoof|arp-spoof|\barp(\.exe)?\s+-s\b).*/ OR img_lower matches /.*(bettercap|ettercap)(\.exe)?$/, 1, 0) as IsARPPoison
| if(cmd_lower matches /.*(mitmproxy|mitmdump|mitmweb|sslstrip).*/ OR img_lower matches /.*(mitmproxy|mitmdump|mitmweb).*/, 1, 0) as IsSSLIntercept
| if(cmd_lower matches /.*(dnschef|mitm6|evilginx).*/ OR img_lower matches /.*(dnschef|mitm6|evilginx).*/, 1, 0) as IsDNSSpoof
| if(cmd_lower matches /.*(set-dnsclientserveraddress|netsh\s+int(erface)?\s+ip(v4)?\s+set\s+dns(servers)?).*/, 1, 0) as IsDNSConfig
| IsLLMNRRelay + IsARPPoison + IsSSLIntercept + IsDNSSpoof + IsDNSConfig as SuspicionScore
| where SuspicionScore > 0
| if(IsLLMNRRelay = 1, "LLMNR_NBT_NS_Relay",
    if(IsARPPoison = 1, "ARP_Poisoning",
    if(IsSSLIntercept = 1, "SSL_Interception",
    if(IsDNSSpoof = 1, "DNS_Spoofing",
    if(IsDNSConfig = 1, "DNS_Config_Modification", "AiTM_Tool_Other"))))) as DetectionCategory
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsLLMNRRelay, IsARPPoison, IsSSLIntercept, IsDNSSpoof, IsDNSConfig, SuspicionScore, DetectionCategory
| sort by _messagetime desc
Severity: High · Confidence: High

Sumo Logic CSE query detecting AiTM tool execution via Sysmon process creation events (Event ID 1). It matches known tool names and command-line keywords for Responder, Bettercap, Ettercap, mitmproxy, ntlmrelayx, dnschef, mitm6, and EvilGinx2, and also flags local ARP table edits (arp.exe -s) and DNS client reconfiguration (netsh, Set-DnsClientServerAddress) that can redirect traffic without a dedicated tool. Each match sets one or more sub-technique flags, which are summed into a suspicion score and collapsed into a single DetectionCategory in the order LLMNR/NBT-NS relay, ARP poisoning, SSL interception, DNS spoofing, DNS configuration change.

Data Sources

  • Sysmon for Windows (Event ID 1)
  • Sumo Logic Windows Event Log Source
  • Sumo Logic Installed Collector with Sysmon

Required Tables

  • _sourceCategory=windows/sysmon
  • _sourceCategory=WinEventLog/Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Authorized penetration testers running Responder or ntlmrelayx during sanctioned assessments
  • DNS administrators using netsh or Set-DnsClientServerAddress for routine DNS reconfigurations
  • Security tooling that proxies traffic via mitmproxy for SSL inspection or API debugging in dev environments
  • Python scripts, or any binary or path, whose name or arguments coincidentally contain an AiTM tool keyword; matching is substring-based, so a path containing "responder.exe" or "mitmweb" fires regardless of what the program is. Allow-list the specific image paths of sanctioned tooling rather than loosening the keyword lists.

Testing Methodology

Validate this detection against the five Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see in Sumo Logic.

  1. Test 1: ARP Static Entry Manipulation (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\arp.exe, CommandLine='arp -s 192.168.100.254 00-AA-BB-CC-DD-EE'. Security Event ID 4688 (if command-line auditing is enabled). No network events expected as this is a local table modification.

  2. Test 2: DNS Server Change via netsh (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netsh.exe, CommandLine containing 'interface ip set dns'. Sysmon Event ID 13: Registry value set under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer with new value '127.0.0.1'.

  3. Test 3: DNS Server Change via PowerShell (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Set-DnsClientServerAddress'. Sysmon Event ID 13: Registry modification at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer. PowerShell ScriptBlock Log Event ID 4104 showing the Set-DnsClientServerAddress call.

  4. Test 4: ARP Poisoning Tool Execution, arpspoof (Linux)

    Expected signal: Syslog or auditd process creation event for arpspoof. On systems with Sysmon for Linux (sysmonforlinux): Event ID 1 Process Create with Image path to arpspoof binary and CommandLine '-i lo -t 127.0.0.1 127.0.0.2'. Auditd syscall records for execve with the arpspoof arguments.

  5. Test 5: mitmproxy SSL Interception Tool Invocation (Linux/macOS)

    Expected signal: Process creation event for mitmproxy binary (path varies by pip install location, typically ~/.local/bin/mitmproxy or /usr/local/bin/mitmproxy). Sysmon Event ID 1 (if Sysmon for Linux deployed) with Image containing 'mitmproxy' and CommandLine '--version'. Auditd EXECVE syscall record.
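The following is an added example, not code from the original page or from Sumo Logic: a Python re-implementation of the query's flag, score and category logic, run over constructed Sysmon Event ID 1 records that mirror the expected signals of Tests 1 to 5 above, plus a Python-hosted Responder launch and two benign controls. It lets you check offline which command lines the rule would match and which category each lands in before the events ever reach Sumo. Field names follow Sysmon's Event ID 1 schema; the sample events are constructed, and the `allowlist` parameter is a hypothetical tuning knob that is not part of the query.

```python
import re

# One entry per DetectionCategory in the Sumo query: (category, command-line regex,
# image regex). Keyword lists mirror the query; None means that flag has no image test.
CATEGORIES = [
    ("LLMNR_NBT_NS_Relay",
     r"responder|ntlmrelayx|smbrelayx|multirelay",
     r"responder\.exe|ntlmrelayx"),
    ("ARP_Poisoning",
     r"bettercap|ettercap|arpspoof|arp-spoof|\barp(?:\.exe)?\s+-s\b",
     r"bettercap|ettercap"),
    ("SSL_Interception",
     r"mitmproxy|mitmdump|mitmweb|sslstrip",
     r"mitmproxy|mitmdump|mitmweb"),
    ("DNS_Spoofing",
     r"dnschef|mitm6|evilginx",
     r"dnschef|mitm6|evilginx"),
    ("DNS_Config_Modification",
     r"set-dnsclientserveraddress|netsh\s+int(?:erface)?\s+ip(?:v4)?\s+set\s+dns(?:servers)?",
     None),
]
COMPILED = [(name, re.compile(c, re.I), re.compile(i, re.I) if i else None)
            for name, c, i in CATEGORIES]


def classify(event, allowlist=()):
    """Apply the query's flag/score/category logic to one Sysmon Event ID 1 record.

    Returns the rule's output fields, or None if the record would not alert.
    `allowlist` (hypothetical, not in the query) holds image paths of sanctioned
    tooling, compared case-insensitively, that are suppressed outright.
    """
    if str(event.get("EventID", event.get("EventCode"))) != "1":
        return None
    img, cmd = event.get("Image", ""), event.get("CommandLine", "")
    if img.lower() in {a.lower() for a in allowlist}:
        return None
    # Unanchored search, as in the query: a substring hit is enough, so a benign
    # "AutoResponder.exe" is flagged exactly like Responder itself.
    flags = {name: int(bool(cmd_re.search(cmd) or (img_re is not None and img_re.search(img))))
             for name, cmd_re, img_re in COMPILED}
    score = sum(flags.values())
    if score == 0:
        return None
    # The query's nested if() picks the first flag that is set, in this order.
    category = next(name for name, hit in flags.items() if hit)
    return {"Computer": event.get("Computer"), "Image": img, "CommandLine": cmd,
            "SuspicionScore": score, "DetectionCategory": category, **flags}


def run(events, allowlist=()):
    """Run classify() over a batch and keep only the alerting records."""
    return [r for r in (classify(e, allowlist) for e in events) if r is not None]


# Constructed Sysmon EID 1 records mirroring the Testing Methodology's expected signals,
# plus a Python-hosted Responder run and two benign controls (one a substring false positive).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\arp.exe",
     "CommandLine": "arp -s 192.168.100.254 00-AA-BB-CC-DD-EE"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh interface ip set dns name="Ethernet" static 127.0.0.1'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 127.0.0.1"'},
    {"EventID": 1, "Computer": "lx01", "Image": "/usr/sbin/arpspoof",
     "CommandLine": "arpspoof -i lo -t 127.0.0.1 127.0.0.2"},
    {"EventID": 1, "Computer": "lx01", "Image": "/usr/local/bin/mitmproxy",
     "CommandLine": "mitmproxy --version"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe C:\tools\Responder\Responder.py -I Ethernet -wd"},
    {"EventID": 1, "Computer": "WS03", "Image": r"C:\Program Files\HelpDesk\AutoResponder.exe",
     "CommandLine": r'"C:\Program Files\HelpDesk\AutoResponder.exe" --service'},   # benign, still matches
    {"EventID": 1, "Computer": "WS03", "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},                                              # benign, no match
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(f'{hit["Computer"]:5} {hit["DetectionCategory"]:25} score={hit["SuspicionScore"]} {hit["CommandLine"]}')
    print("after allow-listing AutoResponder.exe:",
          len(run(SAMPLE_EVENTS, allowlist=[r"C:\Program Files\HelpDesk\AutoResponder.exe"])), "alerts")
```

Running it shows seven alerts out of eight records: Tests 1 and 4 land in ARP_Poisoning, Tests 2 and 3 in DNS_Config_Modification, Test 5 in SSL_Interception, and both the real Responder launch and the benign AutoResponder.exe in LLMNR_NBT_NS_Relay, which is the false-positive case the tuning section warns about; allow-listing that one image path drops the alert count to six without touching the keyword lists.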
