Adversary-in-the-Middle
Position between two parties to intercept / modify / capture traffic — LLMNR, NTLM relay, MITM proxies, mitm6.
§ Where this technique fits
T1557 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 4 on average.
Authoritative reference: attack.mitre.org/techniques/T1557/.
§ Dossiers chaining this technique
- step 4 / 5 · 5G core GTP-U user-plane injection → subscriber MITM
Attacker on a transit network between mobile-core hops (or with a compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
- step 4 / 5 · BGP prefix hijack → traffic interception
From a compliant origin AS, announce a more-specific or origin-spoofed prefix belonging to the victim. Internet routing converges on the attacker's AS; traffic for that prefix flows through the attacker for inspection / DoS.
- step 4 / 6 · Root detection + SSL pinning bypass → MITM the API
Rooted test device with Frida. Hook the app's root-detection and OkHttp CertificatePinner; route traffic through Burp to expose the entire authenticated API surface.
§ What commonly comes next
- 01 · API Endpoint Discovery · seen 1× · W-RECON-API-DISCO · Reconnaissance
- 02 · Modify Authentication Process · seen 1× · T1556 · Credential Access
- 03 · Steal Web Session Cookie · seen 1× · T1539 · Credential Access