PKI-ACME-DNS01Initial Access

ACME DNS-01 Validation Hijack

Hijack the target's DNS (subdomain takeover / dangling CNAME / registrar compromise) and answer Let's Encrypt's TXT challenge — get a valid cert for that host.

§ Where this technique fits

PKI-ACME-DNS01 is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

Subdomain takeover → ACME DNS-01 → trusted cert for victim host
Find a dangling CNAME / NS record. Claim the underlying resource; complete Let's Encrypt's DNS-01 challenge for the parent hostname. Now have a publicly-trusted cert for victim.example.com — chain into AITM.
step 3 / 6

§ What commonly comes next

01
Modify Authentication Process
T1556 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Subdomain takeover → ACME DNS-01 → trusted cert for victim host

§ What commonly comes next