
DET0623 Detection of Adversary-in-the-Middle

Item            Value
ID              DET0623
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1638 (Adversary-in-the-Middle)

Analytics

Android

AN1687

Mobile security products can potentially detect rogue Wi-Fi access points when the adversary attempts to intercept and decrypt TLS traffic by presenting an untrusted SSL certificate. Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized, since VPN functionality is uncommon in legitimate applications. On both Android and iOS, the user must grant consent before an application can act as a VPN. Both platforms also show a visual indicator in the top status bar while a VPN connection is active, and the user can see registered VPN services in the device settings.

Log Sources
Data Component                        Name                  Channel
Network Connection Creation (DC0082)  Network Traffic       None
Protected Configuration (DC0115)      Application Vetting   None
Permissions Request (DC0116)          User Interface        None

Mutable Elements
Field   Description

iOS

AN1688

Mobile security products can potentially detect rogue Wi-Fi access points when the adversary attempts to intercept and decrypt TLS traffic by presenting an untrusted SSL certificate. Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized, since VPN functionality is uncommon in legitimate applications. On both Android and iOS, the user must grant consent before an application can act as a VPN. Both platforms also show a visual indicator in the top status bar while a VPN connection is active, and the user can see registered VPN services in the device settings.

Log Sources
Data Component                        Name                  Channel
Network Connection Creation (DC0082)  Network Traffic       None
Protected Configuration (DC0115)      Application Vetting   None
Permissions Request (DC0116)          User Interface        None

Mutable Elements
Field   Description
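Both analytics (AN1687 and AN1688) direct application vetting toward apps that request VPN access; the Android side of that check, as an added example that is not code from MITRE ATT&CK or any vetting product, is shown below. It assumes the vetting pipeline has already decoded AndroidManifest.xml from the APK, and it flags any service declared with the BIND_VPN_SERVICE permission or the android.net.VpnService intent-filter action, which is what an app must declare for the OS to bind it as a VPN.

```python
import xml.etree.ElementTree as ET

# Android manifest namespace and the two markers of a VPN-capable service.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"
VPN_ACTION = "android.net.VpnService"

# Constructed sample: a decoded AndroidManifest.xml that registers a VpnService.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tunnel">
  <application android:label="Tunnel">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"
             android:exported="false">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

def find_vpn_services(manifest_xml: str) -> list[dict]:
    """Return each <service> that could act as a VPN, with the evidence seen."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for svc in root.iter("service"):
        has_perm = svc.get(ANDROID_NS + "permission") == VPN_PERMISSION
        has_action = any(a.get(ANDROID_NS + "name") == VPN_ACTION
                         for a in svc.iter("action"))
        if has_perm or has_action:
            findings.append({
                "service": svc.get(ANDROID_NS + "name"),
                "bind_vpn_permission": has_perm,
                "vpnservice_action": has_action,
                # Both markers are needed for the OS to bind it as a VPN;
                # one alone still deserves review (misdeclared or evasive app).
                "complete_vpn_declaration": has_perm and has_action,
            })
    return findings

def vet_package(manifest_xml: str) -> str:
    """Vetting verdict: escalate any package that declares VPN capability."""
    hits = find_vpn_services(manifest_xml)
    if not hits:
        return "no VPN capability declared"
    names = ", ".join(h["service"] or "?" for h in hits)
    return f"REVIEW: declares VpnService ({names})"
```

Run `vet_package(SAMPLE_MANIFEST)` on the constructed manifest to see the review flag; a manifest with no such service returns the benign verdict.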