Man-in-the-Middle (MITM): DNS Spoofing/Cache Poisoning

ID Name
VT0022.001 TLS Stripping
VT0022.002 DNS Hijacking
VT0022.003 DNS Spoofing/Cache Poisoning
VT0022.004 HTTPS Spoofing
VT0022.005 SSL Hijacking

The adversary attempts to perform a Man-in-the-Middle (MITM) attack using DNS spoofing. DNS spoofing, also known as DNS cache poisoning, involves replacing the IP addresses cached by a DNS server with attacker-controlled ones. A cache is a hardware or software component that stores data so that future requests for that data can be served faster. In DNS servers, the cache stores previously resolved names.

In a DNS Spoofing attack, the adversary attempts to make the DNS server cache an attacker-controlled IP address as the answer for a domain the attacker does not control. Until the cached record expires (its TTL lapses), every DNS client that resolves the affected domain through that server is "redirected" to the attacker-controlled site.(Citation:Uni42)
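A resolver-side acceptance check of the kind that limits cache poisoning, added here as an example that is not part of the original entry: it models DNS messages as plain dictionaries with constructed addresses (an assumption made for brevity), rejects a reply whose transaction ID, source, question or record ownership does not match the outstanding query, and drops cached records once their TTL has elapsed.

```python
import time

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def response_is_acceptable(query: dict, response: dict) -> bool:
    """Accept a reply only if its transaction ID, sender, question and the
    ownership of every record match the outstanding query (bailiwick rule)."""
    if response["txid"] != query["txid"]:
        return False
    if (response["src"], response["sport"]) != (query["dst"], query["dport"]):
        return False
    if response["question"].lower() != query["question"].lower():
        return False
    return all(in_bailiwick(rr["name"], query["zone"])
               for rr in response["records"])

class ResolverCache:
    """Minimal name -> address cache that honours record TTLs."""
    def __init__(self):
        self._entries = {}  # name -> (address, expiry timestamp)

    def store(self, query, response, now=None):
        """Cache the records of `response` only if it passes the checks."""
        if not response_is_acceptable(query, response):
            return False
        now = time.time() if now is None else now
        for rr in response["records"]:
            self._entries[rr["name"].lower()] = (rr["address"], now + rr["ttl"])
        return True

    def lookup(self, name, now=None):
        """Return the cached address, or None once the record has expired."""
        now = time.time() if now is None else now
        entry = self._entries.get(name.lower())
        if entry is None or entry[1] <= now:
            self._entries.pop(name.lower(), None)
            return None
        return entry[0]

# Constructed sample traffic (RFC 5737 documentation addresses).
QUERY = {"txid": 0x1A2B, "dst": "192.0.2.53", "dport": 53,
         "question": "www.example.com", "zone": "example.com"}
GOOD = {"txid": 0x1A2B, "src": "192.0.2.53", "sport": 53, "question": "www.example.com",
        "records": [{"name": "www.example.com", "address": "192.0.2.10", "ttl": 300}]}
# Forged reply with the right transaction ID that smuggles in a record for another zone.
FORGED = dict(GOOD, records=GOOD["records"] + [
    {"name": "login.example.net", "address": "198.51.100.7", "ttl": 86400}])
```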

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

ID: VT0022.003
Sub-techniques: none
Tactics: Credential Access
Platforms: Cloud, Linux, MacOS, Unix-like, Windows

Created: 30 December 2020

Last Modified: 04 January 2021