Subdomain takeover → ACME DNS-01 → trusted cert for victim host
Find a dangling CNAME or NS record. Claim the underlying resource; complete Let's Encrypt's DNS-01 challenge for the taken-over hostname. You now hold a publicly-trusted certificate for victim.example.com, the name you took over, and can chain it into AITM phishing.
§ Context
Assumed environment: target has at least one DNS record, a CNAME or an NS delegation, pointing at an unclaimed cloud resource or an expired vendor domain. Attacker registers the underlying resource (or the lapsed domain) and thereby controls what that name resolves to.
Caveat on which challenge a takeover buys. A dangling NS delegation hands over the whole delegated zone, so the attacker publishes _acme-challenge TXT records (and CAA records) for that zone at will and passes DNS-01, wildcards included. A dangling CNAME on a host only controls answers for that host: _acme-challenge.<host> is a different name that the CNAME does not cover, so DNS-01 through a host CNAME works only when the _acme-challenge label itself is CNAME'd to a dead target (acme-dns style delegations). With a plain host CNAME the CA still resolves the host to the attacker's resource, so HTTP-01 (or TLS-ALPN-01 where the resource exposes a raw TLS listener) yields the same publicly-trusted certificate.
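The record triage the context above describes, as an added example (not tooling from this dossier): given a resolver, it flags CNAME targets and NS hosts that no longer resolve, and records which ACME challenge a takeover of each would let an attacker pass. The resolver is injected so the demo runs offline against a constructed zone snapshot; every hostname in it is illustrative, and dnspython_lookup is an assumed live adapter (it needs dnspython and is never called by the demo).

```python
"""Triage of dangling CNAME / NS records: which takeover each allows and which ACME challenge
that takeover can pass. Added example, not the dossier's own tooling. The resolver is injected
so the demo runs offline against a constructed zone snapshot; dnspython_lookup is the live
adapter (assumes dnspython is installed) and is not called by the demo.
"""
from typing import Callable, Dict, List, Optional, Tuple

# lookup(name, rtype) -> rdata strings; [] means the name exists without that type; None = NXDOMAIN
Lookup = Callable[[str, str], Optional[List[str]]]
ACME_LABEL = "_acme-challenge."


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _unresolvable(name: str, lookup: Lookup) -> bool:
    """NXDOMAIN for both A and AAAA: the strong signal for a released cloud resource or a lapsed
    domain. Providers that park unclaimed names on a placeholder address need an HTTP
    fingerprint check instead, which this demo does not attempt."""
    return lookup(name, "A") is None and lookup(name, "AAAA") is None


def classify(name: str, lookup: Lookup) -> Optional[Dict]:
    """Finding for one owner name, or None when nothing dangles."""
    n = _norm(name)
    cname = lookup(n, "CNAME")
    if cname:
        target = _norm(cname[0])
        if _unresolvable(target, lookup):
            if n.startswith(ACME_LABEL):
                # The victim delegated its ACME TXT records (acme-dns style) to a target that died.
                # Whoever claims the target answers DNS-01 for the name under the label, wildcard included.
                return {"name": n, "kind": "dangling-cname", "target": target,
                        "cert_for": n[len(ACME_LABEL):], "acme": ["dns-01"], "wildcard_ok": True}
            # A CNAME at <host> answers nothing for _acme-challenge.<host>, so this record alone never
            # passes DNS-01. The CA does resolve <host> to the claimed resource, so HTTP-01 works
            # (TLS-ALPN-01 too, if the resource exposes a raw TLS listener). Wildcards need DNS-01.
            return {"name": n, "kind": "dangling-cname", "target": target,
                    "cert_for": n, "acme": ["http-01", "tls-alpn-01"], "wildcard_ok": False}
    nameservers = lookup(n, "NS")
    if nameservers:
        dead = sorted(_norm(s) for s in nameservers if _unresolvable(_norm(s), lookup))
        if dead:
            # Registering the expired nameserver domain gives authority over the delegated zone:
            # the attacker publishes _acme-challenge TXT (and CAA) at will, so DNS-01 and wildcard
            # issuance for *.<zone> both work. One dead server in the set is enough to report,
            # since a share of the zone's queries will land on it.
            return {"name": n, "kind": "dangling-ns", "target": dead, "cert_for": n,
                    "acme": ["dns-01", "http-01", "tls-alpn-01"], "wildcard_ok": True}
    return None


def scan(names: List[str], lookup: Lookup) -> List[Dict]:
    return [f for f in (classify(n, lookup) for n in names) if f]


def dnspython_lookup(name: str, rtype: str) -> Optional[List[str]]:
    """Live adapter with the same contract (assumes dnspython; imported lazily so the offline demo
    does not need it). NoNameservers and timeouts come back as [] (inconclusive), never as NXDOMAIN."""
    import dns.exception
    import dns.resolver
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
    except dns.resolver.NXDOMAIN:
        return None
    except (dns.resolver.NoAnswer, dns.resolver.NoNameservers, dns.exception.Timeout):
        return []


# Constructed zone snapshot standing in for live answers; every name here is illustrative.
ZONE_SNAPSHOT: Dict[Tuple[str, str], Optional[List[str]]] = {
    ("www.victim.example.com", "CNAME"): ["lb.examplecloud.test."],
    ("lb.examplecloud.test", "A"): ["203.0.113.10"],                   # healthy
    ("app.victim.example.com", "CNAME"): ["released-app.examplecloud.test."],
    ("released-app.examplecloud.test", "A"): None,                      # NXDOMAIN: resource released
    ("_acme-challenge.api.victim.example.com", "CNAME"): ["api.acme-dns.expired-vendor.test."],
    ("api.acme-dns.expired-vendor.test", "A"): None,                    # vendor domain lapsed
    ("legacy.victim.example.com", "NS"): ["ns1.old-vendor.test.", "ns2.old-vendor.test."],
    ("ns1.old-vendor.test", "A"): None,                                 # nameserver domain expired
    ("ns2.old-vendor.test", "A"): None,
}


def snapshot_lookup(name: str, rtype: str) -> Optional[List[str]]:
    """Offline resolver: any (name, type) missing from the snapshot is treated as NXDOMAIN."""
    return ZONE_SNAPSHOT.get((_norm(name), rtype))


if __name__ == "__main__":
    owners = [n for n, _ in ZONE_SNAPSHOT if n.endswith("victim.example.com")]
    for finding in scan(owners, snapshot_lookup):
        print(finding)
```

Run against the snapshot, the healthy www record is skipped, the released app is reported as HTTP-01-only, the dead _acme-challenge delegation is reported as a DNS-01 takeover of api.victim.example.com, and the expired nameservers of legacy.victim.example.com as a full zone takeover. Wire the same scan to dnspython_lookup and a list of your own names to run it for real.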
§ Steps
- 01 Find dangling CNAME / NS | Initial Access | DNS-DANGLING-CNAME — Dangling CNAME (host takeover)
- 02 Claim underlying cloud resource | Initial Access | W-SUBDOMAIN-TAKEOVER — Subdomain Takeover
- 03 Answer Let's Encrypt DNS-01 challenge | Initial Access | PKI-ACME-DNS01 — ACME DNS-01 Validation Hijack
- 04 Receive valid TLS cert for victim host | Credential Access | T1556 — Modify Authentication Process
- 05 AITM phishing with valid cert | Initial Access | PH-AITM-EVILGINX — AITM Phishing — Evilginx / Modlishka
- 06 Steal session cookies for *.victim.com | Credential Access | T1539 — Steal Web Session Cookie
§ References
§ Frequently asked
- What is the "Subdomain takeover → ACME DNS-01 → trusted cert for victim host" attack path?
- Find a dangling CNAME or NS record. Claim the underlying resource; complete Let's Encrypt's DNS-01 challenge for the taken-over hostname. The attacker now holds a publicly-trusted certificate for victim.example.com, the name taken over, and chains it into AITM phishing. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Find dangling CNAME / NS (DNS-DANGLING-CNAME), an initial access primitive: no foothold inside the target is needed, only a DNS record of the target pointing at an unclaimed cloud resource or an expired vendor that the attacker can register.
- What is the final impact of this kill-chain?
- The final step is Steal session cookies for *.victim.com (T1539), which falls under Credential Access. Because the AITM proxy presents a certificate the browser trusts, the victim sees no warning while the proxy captures authenticated session cookies with MFA already satisfied; the operator replays them for account takeover and pivots into post-exploitation or persistence from there.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. For this chain specifically: inventory CNAME and NS records and delete them when the resource or vendor behind them is decommissioned, since the stale record rather than the cloud provider is the root cause; publish CAA issue records carrying the accounturi and validationmethods parameters (RFC 8657, honoured by Let's Encrypt), which constrain issuance for a host taken over through a CNAME but not for an attacker who controls a delegated NS zone or the zone of a re-registered CNAME target, as they can publish CAA records of their own; and monitor Certificate Transparency logs for unexpected certificates on your names, since every certificate Let's Encrypt issues is logged there. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
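Step 03 of the chain, the DNS-01 exchange itself, as an added example that is not code from this dossier, from Let's Encrypt or from any ACME client: it derives the TXT value the challenge-holder must publish at _acme-challenge.<name> from the challenge token and the ACME account key (RFC 8555 §8.1 and §8.4, JWK thumbprint per RFC 7638), and runs the check the CA performs against the TXT answers it receives. The account public key, the token and the helper names are constructed for the demo.

```python
"""ACME DNS-01 (RFC 8555 §8.4) from both ends: the TXT value the challenge-holder publishes at
_acme-challenge.<name>, and the CA-side check against the TXT records it receives.

Added example, not from the dossier and not Let's Encrypt's or any client's code. DEMO_JWK holds
constructed public-key coordinates (no private key is needed for this computation) and
DEMO_TOKEN is a constructed token; the function names are this example's own.
"""
import base64
import hashlib
import json
from typing import Dict, List

# RFC 7638 §3.2: only these members enter the thumbprint, lexicographically ordered, no whitespace.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x")}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: Dict[str, str]) -> bytes:
    """Canonical JSON of the required members only; kid, alg, use and friends are dropped."""
    canonical = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    return b64url(hashlib.sha256(thumbprint_input(jwk)).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 §8.1: token || "." || base64url(JWK thumbprint of the account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 §8.4: the TXT rdata is base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """Validation domain: prepend _acme-challenge. A wildcard drops its "*." first, so
    *.sub.example and sub.example are proved by a TXT record at the same name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host.rstrip('.')}"


def ca_validate(identifier: str, token: str, jwk: Dict[str, str], txt_answers: List[str]) -> bool:
    """CA side: look for the expected value among the TXT records at dns01_record_name(identifier).
    Any one matching record suffices; several may coexist, e.g. for a name and its wildcard
    validated in parallel. Answers may arrive quoted, as dnspython renders them."""
    expected = dns01_txt_value(token, jwk)
    return any(answer.strip('"') == expected for answer in txt_answers)


# Constructed demo inputs: an EC P-256 account public key with extra members the thumbprint must
# ignore, and a challenge token as the CA would hand it out.
DEMO_JWK = {"kty": "EC", "crv": "P-256",
            "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
            "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
            "kid": "https://acme.example.test/acct/1", "alg": "ES256"}
DEMO_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    name = dns01_record_name("*.legacy.victim.example.com")
    value = dns01_txt_value(DEMO_TOKEN, DEMO_JWK)
    print(f'{name}. 60 IN TXT "{value}"')
    # A CA querying that name and seeing this value (among any others) accepts the challenge.
    print(ca_validate("*.legacy.victim.example.com", DEMO_TOKEN, DEMO_JWK, [f'"{value}"']))
```

The point for the chain: everything the CA checks is derived from the attacker's own account key and the token the CA handed out, so the only thing control of the zone has to supply is one TXT record at _acme-challenge.<name>. That is exactly what an NS takeover provides, and what a dead _acme-challenge CNAME provides, while a plain host CNAME does not.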
§ Related dossiers
- FIDO2 caBLE hybrid → phone authenticator hijack (2 shared techniques): Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- Compromised CFO mailbox → invoice fraud → wire fraud (2 shared techniques): AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox.
- AITM phishing (Evilginx) → M365 session theft → mailbox exfil (2 shared techniques): Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
- Browser-in-the-Browser → credential theft on a trusted page (2 shared techniques): Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.
- Subdomain takeover → cookie theft → account takeover (2 shared techniques): Dangling CNAME on a corporate subdomain (e.g. mail.target.com → unclaimed Heroku app). Claim it, serve a malicious page, harvest session cookies scoped to *.target.com.