MITRE ATT&CK Technique
Description
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)

For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of a communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)

Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can set up a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).
Supported Platforms
Linux, macOS, Network Devices, Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-11T19:07:12.114Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to position themselves between two or '
'more networked devices using an adversary-in-the-middle '
'(AiTM) technique to support follow-on behaviors such as '
'[Network '
'Sniffing](https://attack.mitre.org/techniques/T1040), '
'[Transmitted Data '
'Manipulation](https://attack.mitre.org/techniques/T1565/002), '
'or replay attacks ([Exploitation for Credential '
'Access](https://attack.mitre.org/techniques/T1212)). By '
'abusing features of common networking protocols that can '
'determine the flow of network traffic (e.g. ARP, DNS, LLMNR, '
'etc.), adversaries may force a device to communicate through '
'an adversary controlled system so they can collect '
'information or perform additional actions.(Citation: Rapid7 '
'MiTM Basics)\n'
'\n'
'For example, adversaries may manipulate victim DNS settings '
'to enable other malicious activities such as '
'preventing/redirecting users from accessing legitimate sites '
'and/or pushing additional malware.(Citation: '
'ttint_rat)(Citation: dns_changer_trojans)(Citation: '
'ad_blocker_with_miner) Adversaries may also manipulate DNS '
'and leverage their position in order to intercept user '
'credentials, including access tokens ([Steal Application '
'Access Token](https://attack.mitre.org/techniques/T1528)) and '
'session cookies ([Steal Web Session '
'Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: '
'volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade '
'Attack](https://attack.mitre.org/techniques/T1562/010)s can '
'also be used to establish an AiTM position, such as by '
'negotiating a less secure, deprecated, or weaker version of '
'communication protocol (SSL/TLS) or encryption '
'algorithm.(Citation: mitm_tls_downgrade_att)(Citation: '
'taxonomy_downgrade_att_tls)(Citation: '
'tlseminar_downgrade_att)\n'
'\n'
'Adversaries may also leverage the AiTM position to attempt to '
'monitor and/or modify traffic, such as in [Transmitted Data '
'Manipulation](https://attack.mitre.org/techniques/T1565/002). '
'Adversaries can setup a position similar to AiTM to prevent '
'traffic from flowing to the appropriate destination, '
'potentially to [Impair '
'Defenses](https://attack.mitre.org/techniques/T1562) and/or '
'in support of a [Network Denial of '
'Service](https://attack.mitre.org/techniques/T1498).',
'external_references': [{'external_id': 'T1557',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1557'},
{'description': 'Abendan, O. (2012, June 14). How DNS '
'Changer Trojans Direct Users to '
'Threats. Retrieved October 28, 2021.',
'source_name': 'dns_changer_trojans',
'url': 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats'},
{'description': 'Adair, S., Lancaster, T., Volexity '
'Threat Research. (2022, June 15). '
'DriftingCloud: Zero-Day Sophos '
'Firewall Exploitation and an '
'Insidious Breach. Retrieved July 1, '
'2022.',
'source_name': 'volexity_0day_sophos_FW',
'url': 'https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/'},
{'description': 'Alashwali, E. S., Rasmussen, K. '
"(2019, January 26). What's in a "
'Downgrade? A Taxonomy of Downgrade '
'Attacks in the TLS Protocol and '
'Application Protocols Using TLS. '
'Retrieved December 7, 2021.',
'source_name': 'taxonomy_downgrade_att_tls',
'url': 'https://arxiv.org/abs/1809.05681'},
{'description': 'Kuzmenko, A.. (2021, March 10). Ad '
'blocker with miner included. '
'Retrieved October 28, 2021.',
'source_name': 'ad_blocker_with_miner',
'url': 'https://securelist.com/ad-blocker-with-miner-included/101105/'},
{'description': 'Microsoft Incident Response. (2022, '
'November 16). Token tactics: How to '
'prevent, detect, and respond to '
'cloud token theft. Retrieved '
'December 26, 2023.',
'source_name': 'Token tactics',
'url': 'https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/'},
{'description': 'praetorian Editorial Team. (2014, '
'August 19). Man-in-the-Middle TLS '
'Protocol Downgrade Attack. Retrieved '
'December 8, 2021.',
'source_name': 'mitm_tls_downgrade_att',
'url': 'https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/'},
{'description': 'Rapid7. (n.d.). Man-in-the-Middle '
'(MITM) Attacks. Retrieved March 2, '
'2020.',
'source_name': 'Rapid7 MiTM Basics',
'url': 'https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/'},
{'description': 'Team Cinnamon. (2017, February 3). '
'Downgrade Attacks. Retrieved '
'December 9, 2021.',
'source_name': 'tlseminar_downgrade_att',
'url': 'https://tlseminar.github.io/downgrade-attacks/'},
{'description': 'Tu, L. Ma, Y. Ye, G. (2020, October '
'1). Ttint: An IoT Remote Access '
'Trojan spread through 2 0-day '
'vulnerabilities. Retrieved October '
'28, 2021.',
'source_name': 'ttint_rat',
'url': 'https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/'}],
'id': 'attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'collection'}],
'modified': '2025-10-24T17:48:20.163Z',
'name': 'Adversary-in-the-Middle',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Mayuresh Dani, Qualys',
'Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat '
'Coverage project',
'NEC'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Network Devices', 'Windows'],
'x_mitre_version': '2.5'}