CR-TLS-DOWNGRADECredential Access

TLS Downgrade (POODLE / FREAK / LOGJAM)

Force the connection down to SSLv3 / EXPORT_RSA / DHE-512 — break crypto in real time, recover session keys.

§ Where this technique fits

CR-TLS-DOWNGRADE is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

Compromised root CA → arbitrary cert issuance → silent MITM
Compromise the private key (or signing process) of a publicly-trusted root or intermediate. Issue an unlogged cert for the target hostname; use it for invisible TLS MITM until CT-log monitoring or revocation catches up.
step 4 / 6

§ What commonly comes next

01
Steal Web Session Cookie
T1539 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Compromised root CA → arbitrary cert issuance → silent MITM

§ What commonly comes next