{ "type": "bundle", "id": "bundle--81d34ebb-d5ee-48a2-ae11-59716c673405", "spec_version": "2.0", "objects": [ { "modified": "2023-03-30T21:01:37.568Z", "name": "Adversary-in-the-Middle", "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). 
Adversaries can set up a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_contributors": [ "Mayuresh Dani, Qualys", "Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project", "NEC" ], "x_mitre_deprecated": false, "x_mitre_detection": "Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Windows", "macOS", "Linux", "Network" ], "x_mitre_version": "2.2", "x_mitre_data_sources": [ "Application Log: Application Log Content", "Network Traffic: Network Traffic Content", "Service: Service Creation", "Windows Registry: Windows Registry Key Modification", "Network Traffic: Network Traffic Flow" ], "type": "attack-pattern", "id": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", "created": "2020-02-11T19:07:12.114Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1557", "external_id": "T1557" }, { "source_name": "dns_changer_trojans", "description": "Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. 
Retrieved October 28, 2021.", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats" }, { "source_name": "volexity_0day_sophos_FW", "description": "Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.", "url": "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/" }, { "source_name": "taxonomy_downgrade_att_tls", "description": "Alashwali, E. S., Rasmussen, K. (2019, January 26). What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021.", "url": "https://arxiv.org/abs/1809.05681" }, { "source_name": "ad_blocker_with_miner", "description": "Kuzmenko, A.. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021.", "url": "https://securelist.com/ad-blocker-with-miner-included/101105/" }, { "source_name": "mitm_tls_downgrade_att", "description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.", "url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/" }, { "source_name": "Rapid7 MiTM Basics", "description": "Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.", "url": "https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/" }, { "source_name": "tlseminar_downgrade_att", "description": "Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.", "url": "https://tlseminar.github.io/downgrade-attacks/" }, { "source_name": "ttint_rat", "description": "Tu, L. Ma, Y. Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. 
Retrieved October 28, 2021.", "url": "https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] } ] }