Threats
T1557Man-in-the-Middle
How MITM attacks intercept and manipulate network traffic including ARP spoofing, SSL stripping, and evil twin attacks — and what analysts do to detect them.
View on Graph
What It Is and Why Encryption Alone Does Not Stop It
- A Man-in-the-Middle (MITM) attack occurs when an adversary positions themselves between two communicating parties, intercepting and potentially altering the traffic without either party knowing.
- MITRE ATT&CK maps MITM to
T1557(Adversary-in-the-Middle) with sub-techniquesT1557.001(LLMNR/NBT-NS Poisoning and SMB Relay) andT1557.002(ARP Cache Poisoning). - The core concept: Alice thinks she is talking directly to Bob. In reality, she is talking to the attacker, and the attacker is talking to Bob.
MITM Sub-Techniques — How Each One Works
ARP Cache Poisoning (T1557.002)
The most common MITM technique on local networks.
How it works:
- Attacker sends forged ARP packets to the target host, claiming that the attacker’s MAC address corresponds to the gateway IP
- Target’s ARP cache is updated:
192.168.1.1 → AttackerMAC - All traffic from the target to the internet now goes through the attacker
- Attacker forwards traffic to the real gateway silently — neither side knows the interception is happening
Tools: Ettercap, Bettercap, Cain & Abel — also used in insider threat scenarios
Detection indicators:
- Dual MAC entries in the ARP table — one IP address mapped to two different MAC addresses
- ARP table entries for the gateway that do not match the known gateway MAC
- A host sending ARP replies without first receiving ARP requests (gratuitous ARP from unknown hosts)
- Rapidly changing MAC:IP mappings in ARP cache over a short period
PowerShell — check for ARP cache poisoning:
# Compare ARP table entries against known-good gateway MAC
arp -a | findstr "192.168.1.1"
# Expected: 192.168.1.1 xx-xx-xx-xx-xx-xx (single entry only)
# Suspicious: multiple IPs sharing the same MAC, or gateway MAC unknown
SPL query — detect ARP anomalies from network flow:
index=network sourcetype=arp
| stats values(MAC) as MACAddresses, dc(MAC) as UniqueMACs by IP
| where UniqueMACs > 1
| eval alert = "HIGH — ARP cache poisoning: IP " . IP . " resolves to " . UniqueMACs . " MAC addresses"
| table IP, MACAddresses, UniqueMACs, alert
LLMNR/NBT-NS Poisoning (T1557.001)
How it works:
- A user mistypes a hostname —
fileservreinstead offileserver - Windows falls back to LLMNR (Link-Local Multicast Name Resolution) or NBT-NS (NetBIOS Name Service) to resolve the name
- The attacker’s machine responds to the multicast query, claiming to be
fileservre - The user’s machine connects to the attacker, who then captures the credentials (typically NTLMv2 hash via SMB)
Detection indicators:
- Multiple LLMNR or NBT-NS responses from a single IP for different queried names
- The responder IP is not a DNS server
- Failed name resolution (Event ID 9001, 9002 — DNS client events) followed by NTLM authentication to an unexpected IP
SPL query — detect LLMNR responder behavior (a common precursor to credential theft in hybrid clouds):
index=windows sourcetype=dnsserver
| search EventCode IN (9001, 9002) (DNS resolution failure)
| eval time_window = bin(_time, 60)
| join type=inner time_window, ClientIP [search index=network sourcetype=smb_auth (NTLM authentication events)
| stats values(DestinationIP) as SMB_IPs by time_window, SourceIP]
| search SMB_IPs NOT IN (known_dns_servers)
| eval alert = "HIGH — possible LLMNR poisoning: DNS failure followed by SMB auth to non-DNS server"
SSL/TLS Stripping (Relevant to API Attacks)
How it works:
- Attacker intercepts the initial HTTP connection before it upgrades to HTTPS
- Attacker strips the
Upgrade-Insecure-Requestsheader andStrict-Transport-Securityheader - Victim continues using HTTP to the attacker’s proxy
- Attacker proxies traffic to the real server over HTTPS — but the victim’s traffic is plaintext
Detection indicators:
- Users report “This connection is not secure” warnings for sites they normally use over HTTPS
- Inconsistent HTTPS enforcement — a site that normally redirects to HTTPS suddenly stays on HTTP
- Missing HSTS header on a normally HSTS-enabled site
Evil Twin (Rogue Access Point)
How it works:
- Attacker sets up a Wi-Fi access point with the same SSID as a legitimate network
- Victim’s device connects to the rogue AP (stronger signal or no authentication required)
- All victim traffic passes through the attacker’s device
Detection indicators:
- Two access points with the same SSID but different BSSID (MAC) visible
- Access point with the same SSID on a different channel than the legitimate AP
- Deauthentication frames (Wi-Fi disconnection packets) observed — attacker may be deauthing clients from the legitimate AP to force them to reconnect through the rogue AP
Detection Workflow — MITM Investigation
Step 1: Confirm the Attack Vector
| Symptom | Likely Attack | Immediate Check |
|---|---|---|
| ARP table shows multiple MACs for one IP | ARP cache poisoning | Run arp -a from multiple endpoints. Compare gateway MACs. |
| DNS resolution failure followed by NTLM auth | LLMNR/NBT-NS poisoning | Check which IP responded to the failed DNS name. Compare against known DNS servers. |
| HTTPS downgrade warnings | SSL stripping | Check if HSTS is enforced. Check proxy for HTTP traffic that should be HTTPS. |
| Two APs with same SSID | Evil twin | Scan Wi-Fi channels (Wireshark, airodump-ng). Compare BSSIDs. |
Step 2: Check the Attacker’s Position
In a L2 MITM attack (ARP poisoning, evil twin), the attacker must be on the same local network segment. Check:
- Are any new or unexpected devices on the network?
- Are any devices running packet capture or MITM tools (Ettercap, Wireshark in promiscuous mode)?
- Check DHCP logs — were any new MAC addresses issued IPs recently?
Step 3: Isolate the Affected Host
| Action | Rationale |
|---|---|
| Disconnect the affected host from network | Stops the active MITM |
| Capture the ARP cache before disconnecting | Evidence of the poisoning (use arp -a > arp_evidence.txt) |
Check the host’s hosts file (C:\Windows\System32\drivers\etc\hosts) | Some MITM tools modify the hosts file as a backup persistence mechanism |
| Check proxy settings | Attacker may have configured the host to use a rogue proxy |
Step 4: Determine Disposition
| Severity | Criteria | Action |
|---|---|---|
| Critical | Confirmed MITM on a domain controller or admin workstation — credentials almost certainly compromised | Isolate affected hosts. Reset all credentials that transited the affected segment. Begin IR and check for follow-on C2 activity. |
| High | ARP poisoning detected on a user segment — attacker positioned to capture user credentials | Identify and isolate the attacker’s device. Reset credentials for affected users. Review captured traffic scope. |
| Medium | Evil twin detected — no confirmed credential capture | Disconnect the rogue AP. Inform users. Monitor for credential misuse. |
| Low | ARP cache inconsistency — transient or single event | Clear ARP cache on all hosts. Monitor for 24 hours. If it recurs, escalate. |
Prevention
| Control | What It Prevents | Implementation |
|---|---|---|
| Dynamic ARP Inspection (DAI) | ARP cache poisoning | Configure on managed switches — validates ARP packets against the DHCP snooping binding table |
| DHCP snooping | Rogue DHCP server (often paired with MITM) | Configure on switches — only trusted DHCP server ports can send DHCP responses |
| 802.1X | Prevents rogue devices from connecting to the network | Enable network access control — authenticates every device before granting network access |
| HSTS preloading | SSL stripping on preloaded sites | Submit domains to browser HSTS preload list |
| DNSSEC | DNS spoofing (some MITM vectors use spoofed DNS) | Sign DNS zones. Enable DNSSEC validation. |
| Network segmentation / microsegmentation | Limits the blast radius of ARP spoofing | VLANs limit ARP to the local segment only |
| Kerberos instead of NTLM | Prevents NTLM hash capture from LLMNR/NBT-NS poisoning | Disable NTLM where possible. Use Kerberos-only authentication. |
Related
- Wireless Attacks — detection and response for T1600 techniques
- Network Security Basics — detection and response for T1040, T1046 techniques
- Snort and Suricata — detection and response for T1040 techniques
- Wireshark — detection and response for T1040 techniques
