W-SUBDOMAIN-TAKEOVER · Initial Access
Subdomain Takeover
Dangling CNAME pointing to an unclaimed cloud resource (S3, Azure, Heroku) — claim it and serve attacker content under the trusted host.
§ Where this technique fits
W-SUBDOMAIN-TAKEOVER is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 2 on average.
§ Dossiers chaining this technique
- step 2 / 6 · Subdomain takeover → ACME DNS-01 → trusted cert for victim host
  Find a dangling CNAME or NS record. Claim the underlying resource, then complete Let's Encrypt's DNS-01 challenge for the parent hostname. The result is a publicly trusted certificate for victim.example.com, which chains into AITM.
- step 2 / 7 · Subdomain takeover → cookie theft → account takeover
  Dangling CNAME on a corporate subdomain (e.g. mail.target.com → unclaimed Heroku app). Claim it, serve a malicious page, harvest session cookies scoped to *.target.com.
§ What commonly comes next
- 01 · ACME DNS-01 Validation Hijack (PKI-ACME-DNS01 · Initial Access) · seen 1×
- 02 · Open Redirect (W-OPEN-REDIRECT · Initial Access) · seen 1×