Skip to content

DET0296 Detect Adversary-in-the-Middle via Network and Configuration Anomalies

Item Value
ID DET0296
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1557 (Adversary-in-the-Middle)

Analytics

Windows

AN0823

Detects suspicious DNS/ARP poisoning attempts, unauthorized modifications to registry/network configuration, or abnormal TLS downgrade activity. Correlates changes in system configuration with subsequent unusual network flows or authentication events.

Log Sources
Data Component Name Channel
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4663, 4670, 4656
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
MonitoredRegistryPaths Specific network stack and DNS registry keys that vary by enterprise configuration.
DowngradeCipherList List of weak/legacy ciphers tuned per environment for TLS downgrade detection.
TimeWindow Correlation period between config changes and abnormal network connections.

Linux

AN0824

Detects unauthorized edits to /etc/hosts, /etc/resolv.conf, or suspicious ARP broadcasts. Correlates file modifications with subsequent unexpected network sessions or service creation.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL open, write
Network Traffic Content (DC0085) NSM:Flow Unexpected ARP replies or DNS responses inconsistent with authoritative servers
Mutable Elements
Field Description
MonitoredFiles List of system files shaping traffic flow (hosts, resolv.conf, PAM modules).
ARPThreshold Rate/volume thresholds for ARP/DNS anomalies tuned per subnet.

macOS

AN0825

Detects unauthorized edits to system configuration profiles, unexpected certificate trust changes, or abnormal ARP/DNS patterns indicative of interception.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) macos:unifiedlog Configuration profile modified or new profile installed
Network Traffic Content (DC0085) NSM:Flow TLS downgrade or inconsistent DNS answers
Mutable Elements
Field Description
ProfileIdentifiers Known good vs suspicious configuration profiles per enterprise baseline.
TLSVersionThreshold Minimum TLS version accepted in network traffic inspection.

Network Devices

AN0826

Detects unauthorized firmware or configuration changes enabling adversary-in-the-middle positioning (e.g., route injection, DNS spoofing, SSL downgrade). Behavioral analytics focus on sudden changes to routing tables or image file integrity failures.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) NSM:Flow Unexpected route changes or duplicate gateway advertisements
File Modification (DC0061) networkdevice:config Configuration file modified or replaced on network device
Mutable Elements
Field Description
RoutingPolicyBaseline Expected routing and BGP/OSPF paths for validation.
FirmwareChecksum Baseline image checksum per device type used to detect tampering.