title: Adversary-in-the-Middle (T1557)
id: df00tech-t1557
status: experimental
description: "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (T1040), Transmitted Data Manipulation (T1565.002), or replay attacks. By abusing features of common networking protocols (ARP, DNS, LLMNR, DHCP), adversaries force devices to communicate through an adversary-controlled system to harvest credentials, session tokens, and sensitive data. Sub-techniques include LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001), ARP Cache Poisoning (T1557.002), DHCP Spoofing (T1557.003), and Evil Twin wireless attacks (T1557.004). Common attack frameworks include Responder, Bettercap, Ettercap, ntlmrelayx, mitmproxy, dnschef, and EvilGinx2. Threat groups including Kimsuky, Sea Turtle, and Mustang Panda have leveraged AiTM positioning for large-scale credential theft, session hijacking, and DNS record manipulation at service providers."
references:
  - https://attack.mitre.org/techniques/T1557/
  - https://df00tech.com/detections/T1557
author: df00tech
date: 2026/04/13
tags:
  - attack.t1557
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Network engineers using arp -s for legitimate static ARP entry management on servers or network appliances
  - "Security teams running authorized penetration tests or red team exercises using Responder, Bettercap, or Ettercap in approved lab segments"
  - IT administrators reconfiguring DNS server settings via netsh or Set-DnsClientServerAddress during planned network migrations or failover procedures
  - "Developers using mitmproxy, Burp Suite, or Charles Proxy for legitimate web application debugging, API testing, or certificate inspection"
  - DHCP server changes during authorized network infrastructure replacements causing DNS server registry updates across endpoints
level: high