Adversary-in-the-Middle T1557

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions.

Events covered

21 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 37 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (55 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
--- | --- | --- | ---
CommandLine | 7 | contains 7, ends_with 1, match 1 | --adcs, --port, /ntlm:ntlmhash, ntlmrelay, smbrelay
src_ip | 7 | ne 4, eq 2, cidr_match 1 | ::1, 127.0.0.1, %exchange_server_ips%, 127.0.0.0/8, ::
Image | 6 | ends_with 5, contains 2 | \gup.exe, \atexec_windows.exe, \cmd.exe, \cscript.exe, \dcomexec_windows.exe
LogonType | 6 | eq 6 | Network
AuthenticationPackageName | 5 | eq 5 | NTLM, Kerberos
ObjectDN | 5 | contains 2, starts_with 2, wildcard 1 | *UWhRC*BAAAA*MicrosoftDNS*, 1uwhrca, DC=*,, DC=wpad,, aaaaa
EventID | 4 | eq 4 | 5136, 5137, 4624, 4662, 4688
ObjectClass | 4 | eq 4 | dnsNode
user | 4 | ends_with 4, ne 1 | $
AdditionalInfo | 3 | contains 2, wildcard 1 | *UWhRC*BAAAA*MicrosoftDNS*, 1uwhrca, aaaaa, baaaa, cn=microsoftdns
event.type | 3 | eq 3 | change, start
Channel | 2 | eq 2, in 2 | 
Provider_Name | 2 | eq 2 | Microsoft-Windows-DistributedCOM, Microsoft-Windows-Iphlpsvc
QueryName | 2 | contains 1, ends_with 1, eq 1 | .azurewebsites.net, .githubusercontent.com, .googleapis.com, baaaa, uwhrca
TargetFilename | 2 | contains 1, in 1, starts_with 1 | *\\desktop\\*, *\\documents\\*, *\\downloads\\*, .exe, .installer.

Top indicator values (270 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
--- | --- | --- | --- | ---
LogonType | eq | Network | 6 | 39
ObjectClass | eq | dnsNode | 4 | 5
src_ip | ne | 127.0.0.1 | 4 | 21
src_ip | ne | ::1 | 4 | 21
user | ends_with | $ | 4 | 5
AuthenticationPackageName | eq | NTLM | 3 | 9
AuthenticationPackageName | eq | Kerberos | 2 | 6
EventID | eq | 5136 | 2 | 29
EventID | eq | 5137 | 2 | 5
Image | contains | \ntlmrelayx | 2 | 3
Image | contains | \smbrelayx | 2 | 3
Image | ends_with | \gup.exe | 2 | 5
computer_name | starts_with | substring(user.name, 0, -1) | 2 | 2
event.type | eq | change | 2 | 46
file.name | eq | FssagentRpc | 2 | 2
file.name | eq | Spoolss | 2 | 2
file.name | eq | WinsPipe | 2 | 2
file.name | eq | dhcpserver | 2 | 2
file.name | eq | dnsserver | 2 | 2
file.name | eq | efsrpc | 2 | 2
file.name | eq | eventlog | 2 | 2
file.name | eq | lsarpc | 2 | 2
file.name | eq | lsass | 2 | 2
file.name | eq | netdfs | 2 | 2
file.name | eq | netlogon | 2 | 2
file.name | eq | samr | 2 | 2
file.name | eq | srvsvc | 2 | 2
file.name | eq | winreg | 2 | 2
process_name | eq | rundll32.exe | 2 | 55
AccessMask | eq | 1180063 | 1 | 

Exclusions (65 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
--- | --- | --- | ---
src_ip | ends_with | host.ip | 4
computer_name | starts_with | substring(user.name, 0, -1) | 2
EventData | contains | gc_service.exe | 1
EventData | contains | gc_worker.exe | 1
Image | contains | hotpotatoes | 1
Image | contains | hotpotatoes6 | 1
Image | contains | hotpotatoes7 | 1
Image | wildcard | ?:\program files (x86)\*.exe | 1
Image | wildcard | ?:\program files\*.exe | 1
Image | wildcard | ?:\programdata\bomgar-*\*\bomgar-scc.exe | 1
Image | wildcard | ?:\programdata\bomgar-*\*\sra-pin.exe | 1
Image | wildcard | ?:\programdata\ctes\components\sng\abtsngsvc.exe | 1
Image | wildcard | ?:\programdata\ctes\components\svc\cteshostsvc.exe | 1
Image | wildcard | ?:\programdata\ctes\ctes.exe | 1
Image | wildcard | ?:\programdata\lenovo\vantage\addins\lenovohardwarescanaddin\*\ldeapi.server.exe | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor; each rule's entry carries its full predicates, exclusions, and indicators.

Sigma: 16 rules

Elastic: 13 rules

Splunk: 6 rules

Kusto: 2 rules