What starting position does this attack require?

The first step is Capture credentials / session data (T1539) — a credential access primitive. Assumed environment: target uses a CA that has had key-material compromise (real history: DigiNotar, Comodo, Symantec).

What is the final impact of this kill-chain?

The final step lands on Issue cert for victim host (PKI-COMPELLED), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Compromised root CA → arbitrary cert issuance → silent MITM

Compromise the private key (or signing process) of a publicly-trusted root or intermediate. Issue an unlogged cert for the target hostname; use it for invisible TLS MITM until CT-log monitoring or revocation catches up.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Credential Access

Capture credentials / session data

T1539 · Steal Web Session Cookie

Credential Access

Intercept TLS, no browser warning

CR-TLS-DOWNGRADE · TLS Downgrade (POODLE / FREAK / LOGJAM)

Lateral Movement

Position for TLS MITM (BGP / DNS / Wi-Fi)

NET-BGP-HIJACK · BGP Route Hijack

Credential Access

Compromise CA signing capability

PKI-ROGUE-CA · Rogue / Compromised Root CA

Reconnaissance

Eventually surfaces in CT logs

PKI-CT-MONITOR · Certificate Transparency Monitoring

Credential Access

Issue cert for victim host

PKI-COMPELLED · Compelled / Government CA Misissuance

§ Context

Assumed environment: target uses a CA that has had key-material compromise (real history: DigiNotar, Comodo, Symantec). Attacker is in a position to MITM TLS traffic to the target — close to victim or upstream.

§ Steps

01
Capture credentials / session dataCredential Access
T1539— Steal Web Session Cookie
02
Intercept TLS, no browser warningCredential Access
CR-TLS-DOWNGRADE— TLS Downgrade (POODLE / FREAK / LOGJAM)
03
Position for TLS MITM (BGP / DNS / Wi-Fi)Lateral Movement
NET-BGP-HIJACK— BGP Route Hijack
04
Compromise CA signing capabilityCredential Access
PKI-ROGUE-CA— Rogue / Compromised Root CA
05
Eventually surfaces in CT logsReconnaissance
PKI-CT-MONITOR— Certificate Transparency Monitoring
06
Issue cert for victim hostCredential Access
PKI-COMPELLED— Compelled / Government CA Misissuance

§ References

T1539Steal Web Session Cookie

§ Frequently asked

What is the "Compromised root CA → arbitrary cert issuance → silent MITM" attack path?: Compromise the private key (or signing process) of a publicly-trusted root or intermediate. Issue an unlogged cert for the target hostname; use it for invisible TLS MITM until CT-log monitoring or revocation catches up. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Capture credentials / session data (T1539) — a credential access primitive. Assumed environment: target uses a CA that has had key-material compromise (real history: DigiNotar, Comodo, Symantec).
What is the final impact of this kill-chain?: The final step lands on Issue cert for victim host (PKI-COMPELLED), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.