Threats

T1557

Man-in-the-Middle

How MITM attacks intercept and manipulate network traffic including ARP spoofing, SSL stripping, and evil twin attacks — and what analysts do to detect them.

View on Graph

What It Is and Why Encryption Alone Does Not Stop It

  • A Man-in-the-Middle (MITM) attack occurs when an adversary positions themselves between two communicating parties, intercepting and potentially altering the traffic without either party knowing.
  • MITRE ATT&CK maps MITM to T1557 (Adversary-in-the-Middle) with sub-techniques T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay) and T1557.002 (ARP Cache Poisoning).
  • The core concept: Alice thinks she is talking directly to Bob. In reality, she is talking to the attacker, and the attacker is talking to Bob.

MITM Sub-Techniques — How Each One Works

ARP Cache Poisoning (T1557.002)

The most common MITM technique on local networks.

How it works:

  1. Attacker sends forged ARP packets to the target host, claiming that the attacker’s MAC address corresponds to the gateway IP
  2. Target’s ARP cache is updated: 192.168.1.1 → AttackerMAC
  3. All traffic from the target to the internet now goes through the attacker
  4. Attacker forwards traffic to the real gateway silently — neither side knows the interception is happening

Tools: Ettercap, Bettercap, Cain & Abel — also used in insider threat scenarios

Detection indicators:

  • Dual MAC entries in the ARP table — one IP address mapped to two different MAC addresses
  • ARP table entries for the gateway that do not match the known gateway MAC
  • A host sending ARP replies without first receiving ARP requests (gratuitous ARP from unknown hosts)
  • Rapidly changing MAC:IP mappings in ARP cache over a short period

PowerShell — check for ARP cache poisoning:

# Compare ARP table entries against known-good gateway MAC
arp -a | findstr "192.168.1.1"
# Expected: 192.168.1.1 xx-xx-xx-xx-xx-xx (single entry only)
# Suspicious: multiple IPs sharing the same MAC, or gateway MAC unknown

SPL query — detect ARP anomalies from network flow:

index=network sourcetype=arp
| stats values(MAC) as MACAddresses, dc(MAC) as UniqueMACs by IP
| where UniqueMACs > 1
| eval alert = "HIGH — ARP cache poisoning: IP " . IP . " resolves to " . UniqueMACs . " MAC addresses"
| table IP, MACAddresses, UniqueMACs, alert

LLMNR/NBT-NS Poisoning (T1557.001)

How it works:

  1. A user mistypes a hostname — fileservre instead of fileserver
  2. Windows falls back to LLMNR (Link-Local Multicast Name Resolution) or NBT-NS (NetBIOS Name Service) to resolve the name
  3. The attacker’s machine responds to the multicast query, claiming to be fileservre
  4. The user’s machine connects to the attacker, who then captures the credentials (typically NTLMv2 hash via SMB)

Detection indicators:

  • Multiple LLMNR or NBT-NS responses from a single IP for different queried names
  • The responder IP is not a DNS server
  • Failed name resolution (Event ID 9001, 9002 — DNS client events) followed by NTLM authentication to an unexpected IP

SPL query — detect LLMNR responder behavior (a common precursor to credential theft in hybrid clouds):

index=windows sourcetype=dnsserver
| search EventCode IN (9001, 9002) (DNS resolution failure)
| eval time_window = bin(_time, 60)
| join type=inner time_window, ClientIP [search index=network sourcetype=smb_auth (NTLM authentication events)
| stats values(DestinationIP) as SMB_IPs by time_window, SourceIP]
| search SMB_IPs NOT IN (known_dns_servers)
| eval alert = "HIGH — possible LLMNR poisoning: DNS failure followed by SMB auth to non-DNS server"

SSL/TLS Stripping (Relevant to API Attacks)

How it works:

  1. Attacker intercepts the initial HTTP connection before it upgrades to HTTPS
  2. Attacker strips the Upgrade-Insecure-Requests header and Strict-Transport-Security header
  3. Victim continues using HTTP to the attacker’s proxy
  4. Attacker proxies traffic to the real server over HTTPS — but the victim’s traffic is plaintext

Detection indicators:

  • Users report “This connection is not secure” warnings for sites they normally use over HTTPS
  • Inconsistent HTTPS enforcement — a site that normally redirects to HTTPS suddenly stays on HTTP
  • Missing HSTS header on a normally HSTS-enabled site

Evil Twin (Rogue Access Point)

How it works:

  1. Attacker sets up a Wi-Fi access point with the same SSID as a legitimate network
  2. Victim’s device connects to the rogue AP (stronger signal or no authentication required)
  3. All victim traffic passes through the attacker’s device

Detection indicators:

  • Two access points with the same SSID but different BSSID (MAC) visible
  • Access point with the same SSID on a different channel than the legitimate AP
  • Deauthentication frames (Wi-Fi disconnection packets) observed — attacker may be deauthing clients from the legitimate AP to force them to reconnect through the rogue AP

Detection Workflow — MITM Investigation

Step 1: Confirm the Attack Vector

SymptomLikely AttackImmediate Check
ARP table shows multiple MACs for one IPARP cache poisoningRun arp -a from multiple endpoints. Compare gateway MACs.
DNS resolution failure followed by NTLM authLLMNR/NBT-NS poisoningCheck which IP responded to the failed DNS name. Compare against known DNS servers.
HTTPS downgrade warningsSSL strippingCheck if HSTS is enforced. Check proxy for HTTP traffic that should be HTTPS.
Two APs with same SSIDEvil twinScan Wi-Fi channels (Wireshark, airodump-ng). Compare BSSIDs.

Step 2: Check the Attacker’s Position

In a L2 MITM attack (ARP poisoning, evil twin), the attacker must be on the same local network segment. Check:

  • Are any new or unexpected devices on the network?
  • Are any devices running packet capture or MITM tools (Ettercap, Wireshark in promiscuous mode)?
  • Check DHCP logs — were any new MAC addresses issued IPs recently?

Step 3: Isolate the Affected Host

ActionRationale
Disconnect the affected host from networkStops the active MITM
Capture the ARP cache before disconnectingEvidence of the poisoning (use arp -a > arp_evidence.txt)
Check the host’s hosts file (C:\Windows\System32\drivers\etc\hosts)Some MITM tools modify the hosts file as a backup persistence mechanism
Check proxy settingsAttacker may have configured the host to use a rogue proxy

Step 4: Determine Disposition

SeverityCriteriaAction
CriticalConfirmed MITM on a domain controller or admin workstation — credentials almost certainly compromisedIsolate affected hosts. Reset all credentials that transited the affected segment. Begin IR and check for follow-on C2 activity.
HighARP poisoning detected on a user segment — attacker positioned to capture user credentialsIdentify and isolate the attacker’s device. Reset credentials for affected users. Review captured traffic scope.
MediumEvil twin detected — no confirmed credential captureDisconnect the rogue AP. Inform users. Monitor for credential misuse.
LowARP cache inconsistency — transient or single eventClear ARP cache on all hosts. Monitor for 24 hours. If it recurs, escalate.

Prevention

ControlWhat It PreventsImplementation
Dynamic ARP Inspection (DAI)ARP cache poisoningConfigure on managed switches — validates ARP packets against the DHCP snooping binding table
DHCP snoopingRogue DHCP server (often paired with MITM)Configure on switches — only trusted DHCP server ports can send DHCP responses
802.1XPrevents rogue devices from connecting to the networkEnable network access control — authenticates every device before granting network access
HSTS preloadingSSL stripping on preloaded sitesSubmit domains to browser HSTS preload list
DNSSECDNS spoofing (some MITM vectors use spoofed DNS)Sign DNS zones. Enable DNSSEC validation.
Network segmentation / microsegmentationLimits the blast radius of ARP spoofingVLANs limit ARP to the local segment only
Kerberos instead of NTLMPrevents NTLM hash capture from LLMNR/NBT-NS poisoningDisable NTLM where possible. Use Kerberos-only authentication.

Sources