Adversary-in-the-Middle T1557
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.
Events covered
21 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 37 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (55 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (270 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (65 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 16 rules
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe
- Exchange server impersonation via PrivExchange relay attack
- HackTool - ADCSPwn Execution
- HackTool - Impacket Tools Execution
- ISATAP Router Address Was Set
- Local Privilege Escalation Indicator TabTip
- Notepad++ Updater DNS Query to Uncommon Domains
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
- Potential SMB Relay Attack Tool Execution
- Potential Suspicious Activity Using SeCEdit
- RottenPotato Like Attack Pattern
- Suspicious Child Process of Notepad++ Updater - GUP.Exe
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- Uncommon File Created by Notepad++ Updater Gup.EXE
- WinDivert Driver Load
Elastic 13 rules
- Creation of a DNS-Named Record
- Creation or Modification of Root Certificate
- DNS Global Query Block List Modified or Disabled
- Potential ADIDNS Poisoning via Wildcard Record Creation
- Potential Computer Account NTLM Relay Activity
- Potential Kerberos Coercion via DNS-Based SPN Spoofing
- Potential Kerberos Relay Attack against a Computer Account
- Potential Kerberos SPN Spoofing via Suspicious DNS Query
- Potential Local NTLM Relay via HTTP
- Potential Machine Account Relay Attack via SMB
- Potential NTLM Relay Attack against a Computer Account
- Potential WPAD Spoofing via DNS Record Creation
- Service Creation via Local Kerberos Authentication
Splunk 6 rules
- DNS Kerberos Coercion
- Suspicious Spool Authentication (Windows Event Log)
- Windows Credential Target Information Structure in Commandline
- Windows Kerberos Coercion via DNS
- Windows Short Lived DNS Record
- Windows Theme File Creation in Unusual Location