Adversary-in-the-Middle (T1557) is how attackers get between hosts to capture credentials and relay authentication. On internal networks the usual tools are Responder for LLMNR and NBT-NS poisoning, mitm6 for IPv6 DNS takeover, and classic ARP cache poisoning. None of these throw a malware signature. They abuse name resolution and Layer 2 mappings that are supposed to be trusted, so the durable signal is structural: one host suddenly claiming to be many others.

That structure is exactly what a few lines of pandas and scapy surface well: group by the host doing the answering and count how many different names it answered for. Here is how to hunt the three most common T1557 variants.
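The structural signal from the paragraph above, turned into a runnable hunt as an added example that is not part of the original post. It reads Zeek dns.log rows restricted to LLMNR (5355) and NBT-NS (137), and for every IP that appears in the answers field it collects the set of names that IP was returned for. A legitimate host answers for its own name; a poisoner such as Responder answers for whatever anyone asked. The log excerpt is constructed, not captured traffic, and the example uses only the standard library (no pandas) so it runs anywhere; the threshold of three names is an assumption, not a value from the page.

```python
"""Hunt the T1557 structural signal in Zeek dns.log: one answering host
standing in for many different names over LLMNR (5355) and NBT-NS (137).
Standard library only so it runs without pandas; input is Zeek's TSV."""
from collections import defaultdict

# Constructed Zeek-style dns.log excerpt (not real traffic). Columns follow
# Zeek's #fields header convention; only the ones the hunt uses are present.
# 10.0.0.99 is the assumed poisoner, 10.0.0.5 a real file server.
SAMPLE_DNS_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqtype_name\tanswers
1700000000.10\tC1\t10.0.0.21\t51001\t224.0.0.252\t5355\tudp\t1\tFILESRV01\tA\t10.0.0.5
1700000000.20\tC2\t10.0.0.21\t51002\t224.0.0.252\t5355\tudp\t2\twpad\tA\t10.0.0.99
1700000000.30\tC3\t10.0.0.22\t51003\t224.0.0.252\t5355\tudp\t3\tprintsrv\tA\t10.0.0.99
1700000000.40\tC4\t10.0.0.23\t137\t10.0.0.255\t137\tudp\t4\tSHAREDRV\tNB\t10.0.0.99
1700000000.50\tC5\t10.0.0.24\t51005\t224.0.0.252\t5355\tudp\t5\tfinance-nas\tA\t10.0.0.99
1700000000.60\tC6\t10.0.0.25\t51006\t224.0.0.252\t5355\tudp\t6\tbackupsrv\tA\t10.0.0.99
1700000000.70\tC7\t10.0.0.26\t51007\t224.0.0.252\t5355\tudp\t7\tFILESRV01\tA\t10.0.0.5
1700000000.80\tC8\t10.0.0.27\t53001\t10.0.0.53\t53\tudp\t8\tintranet.corp.local\tA\t10.0.0.40
1700000000.90\tC9\t10.0.0.28\t51009\t224.0.0.252\t5355\tudp\t9\tnosuchhost\tA\t-
"""

POISONABLE_PORTS = {137, 5355}  # NBT-NS and LLMNR; unicast DNS on 53 is out of scope


def parse_zeek_tsv(text):
    """Yield one dict per record from a Zeek TSV log, keyed by its #fields
    header. Other comment lines (#separator, #types, #close, ...) are skipped."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def answers_of(rec):
    """Split Zeek's comma-separated answers field; '-' means no answer."""
    raw = rec.get("answers", "-")
    return [] if raw == "-" else raw.split(",")


def names_per_answering_ip(records):
    """Map each IP returned in an LLMNR/NBT-NS answer to the set of names
    it was returned for. Names are lower-cased because NBT-NS and LLMNR
    clients differ in case, and the poisoner answers both."""
    claimed = defaultdict(set)
    for rec in records:
        if int(rec["id.resp_p"]) not in POISONABLE_PORTS:
            continue
        for ip in answers_of(rec):
            claimed[ip].add(rec["query"].lower())
    return claimed


def find_poisoners(records, min_names=3):
    """Return {ip: sorted names} for every IP that answered for at least
    min_names distinct names. The threshold is an assumed tuning knob:
    3 is low enough to catch a quiet Responder session on a small segment."""
    claimed = names_per_answering_ip(records)
    return {ip: sorted(names) for ip, names in claimed.items() if len(names) >= min_names}


if __name__ == "__main__":
    for ip, names in find_poisoners(parse_zeek_tsv(SAMPLE_DNS_LOG)).items():
        print(f"{ip} answered for {len(names)} names: {', '.join(names)}")
```

On a real dns.log, point `parse_zeek_tsv` at the file contents and widen the window to a day; the same grouping in pandas is `df["answers"].str.split(",")` followed by `explode`, a `groupby("answers")` and `["query"].nunique()`, after filtering `id.resp_p` to 137 and 5355. Whitelist hosts that legitimately answer for several names (clustered services, WINS) rather than raising the threshold, so a poisoner with a short session still stands out.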

Where T1557 Shows Up

Zeek dns.log captures LLMNR (UDP 5355) and NBT-NS (UDP 137) name resolution, including who answered

A packet capture (or a SPAN/TAP feed) gives you ARP replies and DHCPv6 advertisements, which Zeek does not log by default: it has no ARP log, and its dhcp.log covers only IPv4 DHCP, so mitm6's DHCPv6 answers never reach a Zeek log