BGP Route Hijack
Announce a more-specific or origin-spoofed prefix from a compliant AS so that global traffic for that prefix routes through the attacker for inspection or dropping.
§ Where this technique fits
NET-BGP-HIJACK is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 2.5 on average.
§ Dossiers chaining this technique
- step 2 / 5 · BGP prefix hijack → traffic interception
  From a compliant origin AS, announce a more-specific or origin-spoofed prefix belonging to the victim. Internet routing converges on the attacker's AS; traffic for that prefix flows through the attacker for inspection or DoS.
- step 3 / 6 · Compromised root CA → arbitrary cert issuance → silent MITM
  Compromise the private key (or signing process) of a publicly trusted root or intermediate CA. Issue an unlogged certificate for the target hostname and use it for invisible TLS MITM until CT-log monitoring or revocation catches up.
§ What commonly comes next
- 01 · Network Sniffing · T1040 · Credential Access · seen 1×
- 02 · TLS Downgrade (POODLE / FREAK / LOGJAM) · CR-TLS-DOWNGRADE · Credential Access · seen 1×