Adversary-in-the-Middle (T1557)


Associated Tactics

  • Credential Access
  • Collection

Credential Access (TA0006)

The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials such as account names and passwords, for example by keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
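Several of this page's references concern TLS protocol downgrade attacks, one way an adversary in the middle forces a weaker protocol version so that the traffic, and the credentials in it, become easier to intercept. As an added example (not from this page, ATT&CK or any cited source), the following Python code parses a TLS ServerHello and applies the downgrade-protection check defined in RFC 8446 section 4.1.3: a TLS 1.3-capable server that negotiates TLS 1.2 or lower writes the sentinel "DOWNGRD\x01" or "DOWNGRD\x00" into the last eight bytes of its random, so a client that offered TLS 1.3 and sees that sentinel knows its ClientHello was tampered with in transit. The ServerHello bytes and version numbers are constructed here; the helper `build_server_hello` exists only to produce sample input.

```python
"""Added example: detect a TLS version downgrade from a ServerHello.

Implements the RFC 8446 section 4.1.3 client-side check. A TLS 1.3 client
that offered TLS 1.3 must abort if the server negotiated TLS 1.2 or below
and the last 8 bytes of ServerHello.random carry a downgrade sentinel.
"""

# RFC 8446 section 4.1.3 sentinels written by a TLS 1.3-capable server.
DOWNGRADE_TLS12 = b"DOWNGRD\x01"           # server negotiated TLS 1.2
DOWNGRADE_TLS11_OR_BELOW = b"DOWNGRD\x00"  # server negotiated TLS 1.1 or lower

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43  # extension type carrying the selected version in TLS 1.3


def build_server_hello(legacy_version, random32, cipher_suite, selected_version=None):
    """Constructed ServerHello handshake message (no record-layer header).
    Used only to create sample input for this example; a real client would
    read these bytes from the wire."""
    assert len(random32) == 32
    body = legacy_version.to_bytes(2, "big") + random32
    body += b"\x00"                          # empty legacy_session_id
    body += cipher_suite.to_bytes(2, "big")
    body += b"\x00"                          # legacy_compression_method: null
    exts = b""
    if selected_version is not None:         # TLS 1.3 signals its version here
        exts = (EXT_SUPPORTED_VERSIONS.to_bytes(2, "big") + b"\x00\x02"
                + selected_version.to_bytes(2, "big"))
    body += len(exts).to_bytes(2, "big") + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello


def parse_server_hello(handshake: bytes) -> dict:
    """Parse the fields of a ServerHello needed for the downgrade check."""
    if len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len or body_len < 38:
        raise ValueError("truncated ServerHello")
    legacy_version = int.from_bytes(body[0:2], "big")
    random = body[2:34]
    pos = 34
    sid_len = body[pos]; pos += 1
    pos += sid_len                            # skip legacy_session_id_echo
    cipher_suite = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    pos += 1                                  # skip legacy_compression_method
    selected_version = None
    if pos + 2 <= len(body):                  # extensions block is optional pre-1.3
        ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                selected_version = int.from_bytes(data, "big")
    # In TLS 1.3 the real version lives in supported_versions; legacy_version is 0x0303.
    negotiated = selected_version if selected_version is not None else legacy_version
    return {"legacy_version": legacy_version, "random": random,
            "cipher_suite": cipher_suite, "negotiated_version": negotiated}


def detect_downgrade(client_max_version: int, handshake: bytes) -> dict:
    """Apply the RFC 8446 downgrade check from the client's point of view."""
    sh = parse_server_hello(handshake)
    negotiated = sh["negotiated_version"]
    sentinel = sh["random"][-8:]
    signalled = ((negotiated == TLS12 and sentinel == DOWNGRADE_TLS12)
                 or (negotiated <= TLS11 and sentinel == DOWNGRADE_TLS11_OR_BELOW))
    below_offer = negotiated < client_max_version
    if client_max_version >= TLS13 and signalled:
        # Server supports 1.3 yet negotiated lower: our ClientHello was altered.
        verdict = "abort: downgrade sentinel present, ClientHello was tampered with in transit"
    elif below_offer:
        # Either a genuinely old server or a downgrade this check cannot prove.
        verdict = "warn: negotiated below client maximum, no sentinel (older server or undetectable downgrade)"
    else:
        verdict = "ok"
    return {"negotiated_version": negotiated, "downgrade_signalled": signalled,
            "below_client_offer": below_offer, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: random is all zero except where the sentinel is placed.
    tampered = build_server_hello(TLS12, bytes(24) + DOWNGRADE_TLS12, 0xC02F)
    old_server = build_server_hello(TLS12, bytes(32), 0xC02F)
    modern = build_server_hello(TLS12, bytes(32), 0x1301, selected_version=TLS13)
    for name, msg in [("tampered", tampered), ("old_server", old_server), ("modern", modern)]:
        print(name, detect_downgrade(TLS13, msg)["verdict"])
```

The check only catches downgrades against servers that support TLS 1.3; a server that genuinely tops out at TLS 1.2 never writes the sentinel, so the "warn" case cannot distinguish an old server from an attacker who stripped the TLS 1.3 offer, which is why the stronger control is to refuse to negotiate below a configured minimum at all.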


References

  • Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. Retrieved October 28, 2021. [dns_changer_trojans]
  • Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022. [volexity_0day_sophos_FW]
  • Alashwali, E. S., Rasmussen, K. (2019, January 26). What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021. [taxonomy_downgrade_att_tls]
  • Kuzmenko, A. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021. [ad_blocker_with_miner]
  • Microsoft Incident Response. (2022, November 16). Token tactics: How to prevent, detect, and respond to cloud token theft. Retrieved December 26, 2023. [Token tactics]
  • Praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021. [mitm_tls_downgrade_att]
  • Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020. [Rapid7 MiTM Basics]
  • Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021. [tlseminar_downgrade_att]
  • Tu, L., Ma, Y., Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. Retrieved October 28, 2021. [ttint_rat]