Man-in-the-Middle (MITM)

A man-in-the-middle (MITM) attack is a general term for an adversary positioning themselves between a user and an application or device in order to eavesdrop on, or impersonate one side of, legitimate communication.

Adversaries may use the MITM technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that determine the flow of network traffic, adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions.[1]

Adversaries may leverage the MITM position to modify traffic in transit, as in Transmitted Data Manipulation. They can also stop traffic from reaching its intended destination, causing a denial of service.[2]

Successful MITM execution consists of two phases: interception and decryption.

In the interception phase, the adversary intercepts user traffic through an attacker-controlled network before it reaches its intended destination. A common interception technique is to set up an attacker-controlled WiFi access point that is open to the public, luring users to connect to it and pass sensitive information that is fully visible to the adversary. Other known techniques are IP spoofing, ARP spoofing, and DNS spoofing.

After interception, the adversary tries to decrypt any secure communication passing between the client and the server. Two-way SSL traffic has to be decrypted without alerting the user or the application; this can be done through various methods such as HTTPS spoofing, SSL hijacking, SSL stripping, or SSL BEAST.[3]

Other ways to execute a successful MITM attack target the trust mechanism itself:

  • The adversary has stolen the server's private key and is able to appear as the legitimate server.
  • The client trusts a rogue CA.
  • The client trusts a legitimate CA whose root key was compromised. Using the trusted CA key, the adversary can generate a certificate masquerading as the server, and the user will trust it.
  • The client does not validate certificates correctly against its list of trusted and authorized CAs.
  • The client was compromised and a rogue CA has been injected into its trusted root store, enabling the attacker to generate any certificate, which the client will then trust.
  • The adversary uses a carefully crafted handshake that can force the use of weak keying material in OpenSSL SSL/TLS clients and servers.[4]
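The fourth bullet (a client that does not validate certificates correctly) is the trust failure most often introduced by the client's own code. As an added example, not part of the original entry, the Python below puts the weak client configuration (chain and hostname checks switched off, so any certificate presented by a man in the middle is accepted) beside a hardened one built on `ssl.create_default_context()`, and then implements the hostname-matching rule a client must apply so that a certificate issued for one name is not accepted for another. The matching function is written out here to show the rules (case-insensitive labels, a wildcard only as the whole leftmost label and never spanning a dot, SANs taking precedence over the CN); it is an illustration, not Python's built-in matcher.

```python
import ipaddress
import re
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The misconfiguration a MITM relies on: no chain validation, no hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including a forged one, is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """System trust store, full chain validation, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # sets CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_mitm_resistant(ctx: ssl.SSLContext) -> bool:
    """A client context only defeats certificate forgery if both checks are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


_LABEL = re.compile(r"^[a-z0-9-]+$")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a dNSName `pattern` from a certificate covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals are never matched against dNSName entries
    except ValueError:
        pass
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False  # refuse patterns like "*.com"
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    elif "*" in pattern:
        return False  # partial wildcards such as "w*.example.com" are rejected
    return all(_LABEL.match(h) is not None and p == h for p, h in zip(p_labels, h_labels))


def certificate_covers_host(san_dns_names, common_name, hostname) -> bool:
    """SAN dNSName entries take precedence; the CN counts only when there are none."""
    if san_dns_names:
        return any(hostname_matches(name, hostname) for name in san_dns_names)
    return common_name is not None and hostname_matches(common_name, hostname)


if __name__ == "__main__":
    print("weak context resists MITM:", context_is_mitm_resistant(insecure_client_context()))
    print("hardened context resists MITM:", context_is_mitm_resistant(hardened_client_context()))
    print(certificate_covers_host(["*.example.com"], None, "www.example.com"))
    print(certificate_covers_host(["*.example.com"], None, "a.b.example.com"))
```

The two context builders differ by only two attributes, which is why disabled verification is so easy to ship by accident; checking `verify_mode` and `check_hostname` on every outbound context is a cheap code-review or unit-test control.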

Mitigations

This technique cannot be easily mitigated with preventive controls, since it relies on abusing legitimate system features.

Detection

Monitor network traffic for anomalies associated with known MITM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.
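One concrete form of the network-traffic monitoring above targets ARP spoofing, the interception technique named earlier: on a LAN it shows up in packet capture as an IP address suddenly being answered by a different MAC, or as one MAC answering for several IPs including the gateway. The Python below is an added example, not part of the original entry, that runs two such checks over a constructed sequence of ARP replies (the records and addresses are invented; in practice they would be parsed from a capture feed, which this example does not do).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: sender_mac claims to own sender_ip at time ts."""
    ts: float
    sender_ip: str
    sender_mac: str


class ArpBindingMonitor:
    """Learns the first MAC seen for each IP and flags later conflicts.

    Two heuristics that ARP-spoofing MITM commonly trips:
      * rebind   - an IP previously answered by one MAC is now answered by another
                   (severity high when the IP is protected, e.g. the gateway);
      * multi_ip - a single MAC claims several IPs, at least one of them protected
                   (the attacker answering for the gateway and for itself or a victim).
    """

    def __init__(self, protected_ips):
        self.protected = set(protected_ips)
        self.binding = {}                    # ip -> mac first seen, treated as baseline
        self.ips_per_mac = defaultdict(set)  # mac -> every ip it has claimed so far

    def observe(self, reply: ArpReply):
        alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()

        baseline = self.binding.setdefault(ip, mac)
        if baseline != mac:
            severity = "high" if ip in self.protected else "medium"
            alerts.append((severity, "rebind", ip,
                           f"t={reply.ts}: {ip} answered by {mac}, baseline {baseline}"))

        claimed = self.ips_per_mac[mac]
        before = len(claimed)
        claimed.add(ip)
        if len(claimed) > before and len(claimed) > 1 and claimed & self.protected:
            alerts.append(("high", "multi_ip", mac,
                           f"t={reply.ts}: {mac} claims {sorted(claimed)}"))
        return alerts


def scan_replies(replies, protected_ips):
    """Feed replies to the monitor in time order and return every alert raised."""
    monitor = ArpBindingMonitor(protected_ips)
    alerts = []
    for reply in sorted(replies, key=lambda r: r.ts):
        alerts.extend(monitor.observe(reply))
    return alerts


GATEWAY = "192.168.1.1"

# Constructed sample, not captured traffic: a host at .66 later answers for the
# gateway and for the .20 client, which is what a two-way ARP-based MITM looks like.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # legitimate gateway
    ArpReply(0.5, "192.168.1.20", "aa:bb:cc:00:00:14"),   # legitimate client
    ArpReply(1.0, "192.168.1.66", "de:ad:be:ef:00:66"),   # host that later spoofs
    ArpReply(2.0, "192.168.1.1", "de:ad:be:ef:00:66"),    # gateway IP rebinds to .66's MAC
    ArpReply(2.1, "192.168.1.20", "de:ad:be:ef:00:66"),   # client IP rebinds as well
]

if __name__ == "__main__":
    for severity, kind, subject, detail in scan_replies(SAMPLE_REPLIES, [GATEWAY]):
        print(f"[{severity}] {kind:8} {subject}: {detail}")
```

Keeping the first-seen binding as the baseline rather than updating it on every reply is deliberate: if the spoofed reply became the new baseline, the legitimate host's next reply would be the one flagged. A production deployment would seed the baseline from DHCP leases or a static inventory instead of from the first observation.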

References


ID: VT0022
MITRE ID:
Tactics: Credential Access, Collection
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: File monitoring, Netflow/Enclave netflow, Packet capture
CAPEC ID:
Version: 1.1

Created: 29 December 2020

Last Modified: 03 January 2021