T1557
Adversary-in-the-Middle
Description
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that determine the flow of network traffic (e.g. ARP, DNS, LLMNR), adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing or redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1689)s can also be used to establish an AiTM position, such as by negotiat…
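The description above names ARP as one of the protocols abused to redirect traffic through an adversary-controlled host. The detection logic below is an added example, not part of the ATT&CK technique entry: it walks a stream of ARP reply records and raises an alert when an IP address's hardware address changes, when one MAC starts answering for several IP addresses, or when a reply conflicts with a static mapping the defender has pinned (the analogue of the static ARP entries / traffic-filtering mitigations listed on the page). The `ArpReply` type, the `detect_arp_anomalies` function and the sample records are all constructed for this example; the addresses are not real.

```python
"""Flag ARP reply patterns consistent with an adversary-in-the-middle position.

Added example, not ATT&CK content. The replies below are constructed sample
data, not captured traffic; in practice they would come from a sensor or a
packet capture on the segment being monitored.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # seconds since capture start
    sender_ip: str    # IP address the sender claims to own
    sender_mac: str   # hardware address carried in the reply
    target_ip: str    # host the reply was addressed to


# Constructed sample: the gateway (10.0.0.1) is first answered by its real
# MAC; later a second MAC begins answering for the gateway and for 10.0.0.25.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.50"),
    ArpReply(1.0, "10.0.0.25", "aa:aa:aa:aa:aa:25", "10.0.0.50"),
    ArpReply(2.0, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.51"),
    ArpReply(3.5, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.50"),   # gateway MAC changes
    ArpReply(3.6, "10.0.0.25", "de:ad:be:ef:00:99", "10.0.0.50"),  # same MAC now claims .25
    ArpReply(4.0, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.51"),
]

# Constructed static mapping a defender might pin for critical hosts.
PINNED = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_anomalies(replies, pinned=None, max_ips_per_mac=1):
    """Return a list of alert dicts, in the order the triggering replies arrive.

    Alert kinds:
      ip_mac_change           an IP was previously seen with a different MAC
      mac_claims_multiple_ips one MAC answers for more than max_ips_per_mac IPs
      pinned_conflict         a reply contradicts a static (pinned) mapping
    """
    pinned = pinned or {}
    ip_to_mac = {}                    # last MAC observed for each IP
    mac_to_ips = defaultdict(set)     # IPs each MAC has claimed so far
    alerts = []

    for r in replies:
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append({"kind": "ip_mac_change", "ts": r.ts,
                           "ip": r.sender_ip, "old": prev, "new": r.sender_mac})
        ip_to_mac[r.sender_ip] = r.sender_mac

        # Only alert when the MAC's set of claimed IPs actually grows past the
        # threshold, so a persistent spoofer does not flood the alert list.
        claimed = mac_to_ips[r.sender_mac]
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) > max_ips_per_mac:
                alerts.append({"kind": "mac_claims_multiple_ips", "ts": r.ts,
                               "mac": r.sender_mac, "ips": tuple(sorted(claimed))})

        expected = pinned.get(r.sender_ip)
        if expected is not None and expected != r.sender_mac:
            alerts.append({"kind": "pinned_conflict", "ts": r.ts,
                           "ip": r.sender_ip, "expected": expected,
                           "seen": r.sender_mac})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_anomalies(SAMPLE_REPLIES, pinned=PINNED):
        print(a)
```

Run against the sample without a pinned mapping, the function returns three alerts: the gateway's MAC change at t=3.5, the second host's MAC change at t=3.6, and the "one MAC, two IPs" condition that the t=3.6 reply completes. Supplying the pinned gateway mapping adds a `pinned_conflict` for each reply that contradicts it. The `max_ips_per_mac` threshold exists because legitimate hosts (routers with several interface addresses, virtualization hosts) can answer for more than one IP; set it from a baseline of the segment rather than leaving it at the strict default.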
Platforms
Mitigations
- M1037 — Filter Network Traffic
- M1041 — Encrypt Sensitive Information
- M1035 — Limit Access to Resource Over Network
- M1042 — Disable or Remove Feature or Program
- M1017 — User Training
- M1031 — Network Intrusion Prevention
- M1030 — Network Segmentation
Our coverage
- Kali365 PhaaS Kit Bypasses Microsoft 365 MFA via Device Code Phishing — FBI Warning
- Adversary-in-the-Middle Phishing Campaign Hits GoDaddy ManageWP via Google Ads
- Bleeding Llama: CVE-2026-5757 Exposes 300,000 Ollama AI Servers, No Patch Available
- 2026 FIFA World Cup Scam Economy: Fake Visas, Counterfeit Tokens, Phishing
- FEMITBOT: Telegram Mini Apps Used for Crypto Scams and Android Malware Delivery
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →