Adversary in the Middle: DHCP Spoofing

Other sub-techniques of Adversary in the Middle (7)

ID	Name
ATAGS-T1111.001	Lower Orbit Satellites, or Drones
ATAGS-T1111.002	ARP Cache Poisoning
ATAGS-T1111.003	DHCP Spoofing
ATAGS-T1111.004	Evil Twin
ATAGS-T1111.005	LLMNR/NBT-NS Poisoning and SMB Relay
ATAGS-T1111.006	Unauthenticated gateway or unauthenticated interplanetary node
ATAGS-T1111.007	Satellite constellation

Threat Actors may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, Threat Actors may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.

ID: ATAGS-T1111.003

Sub-technique of: ATAGS-T1111

ⓘ

Tactic: Credential Access

ⓘ

Targeted Components: Mission, Personnel & Identity

ⓘ

Responsibility: Shared

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.