cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d.json

{
    "type": "bundle",
    "id": "bundle--81d34ebb-d5ee-48a2-ae11-59716c673405",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-03-30T21:01:37.568Z",
            "name": "Adversary-in-the-Middle",
            "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "credential-access"
                },
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "collection"
                }
            ],
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_contributors": [
                "Mayuresh Dani, Qualys",
                "Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project",
                "NEC"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_detection": "Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.",
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Windows",
                "macOS",
                "Linux",
                "Network"
            ],
            "x_mitre_version": "2.2",
            "x_mitre_data_sources": [
                "Application Log: Application Log Content",
                "Network Traffic: Network Traffic Content",
                "Service: Service Creation",
                "Windows Registry: Windows Registry Key Modification",
                "Network Traffic: Network Traffic Flow"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d",
            "created": "2020-02-11T19:07:12.114Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1557",
                    "external_id": "T1557"
                },
                {
                    "source_name": "dns_changer_trojans",
                    "description": "Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. Retrieved October 28, 2021.",
                    "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats"
                },
                {
                    "source_name": "volexity_0day_sophos_FW",
                    "description": "Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.",
                    "url": "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
                },
                {
                    "source_name": "taxonomy_downgrade_att_tls",
                    "description": "Alashwali, E. S., Rasmussen, K. (2019, January 26). What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021.",
                    "url": "https://arxiv.org/abs/1809.05681"
                },
                {
                    "source_name": "ad_blocker_with_miner",
                    "description": "Kuzmenko, A.. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021.",
                    "url": "https://securelist.com/ad-blocker-with-miner-included/101105/"
                },
                {
                    "source_name": "mitm_tls_downgrade_att",
                    "description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.",
                    "url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
                },
                {
                    "source_name": "Rapid7 MiTM Basics",
                    "description": "Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.",
                    "url": "https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/"
                },
                {
                    "source_name": "tlseminar_downgrade_att",
                    "description": "Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.",
                    "url": "https://tlseminar.github.io/downgrade-attacks/"
                },
                {
                    "source_name": "ttint_rat",
                    "description": "Tu, L. Ma, Y. Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. Retrieved October 28, 2021.",
                    "url": "https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ]
        }
    ]
}