PKI-ROGUE-CACredential Access

Rogue / Compromised Root CA

Trusted root CA private key leak / compelled-signing — issue arbitrary leaf certificates, MITM any TLS without warnings.

§ Where this technique fits

PKI-ROGUE-CA is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 1 on average.

§ Dossiers chaining this technique

Compromised root CA → arbitrary cert issuance → silent MITM
Compromise the private key (or signing process) of a publicly-trusted root or intermediate. Issue an unlogged cert for the target hostname; use it for invisible TLS MITM until CT-log monitoring or revocation catches up.
step 1 / 6

§ What commonly comes next

01
Compelled / Government CA Misissuance
PKI-COMPELLED · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Compromised root CA → arbitrary cert issuance → silent MITM

§ What commonly comes next