Tactic: Credential Access (ATK-TA0006), Initial Access (ATK-TA0001)
Technique ID: SAFE-T1004
Severity: High
First Observed: Documented in DNS cache poisoning attacks (2008)
Last Updated: 2026-02-24
Server Impersonation / Name-Collision is an adversary-in-the-middle technique where attackers register or advertise a malicious server using the same name or identifier as a trusted one. By exploiting weaknesses in naming and discovery systems (for example DNS, mDNS, or local MCP server registries), clients can be redirected to attacker-controlled endpoints.
This technique is dangerous in MCP environments because trust decisions are often made before strong identity checks. If clients accept duplicated names, unsigned metadata, or weak certificates, an attacker can intercept authentication flows, alter tool responses, and capture sensitive data.
In this technique, ODR refers to host-local discovery or registry layers used by MCP host applications to store server metadata (name, endpoint, and trust attributes). On Windows, this concept aligns with the On-Device Agent Registry tooling (odr.exe) for MCP server registration and discovery. Implementations vary by platform and product; if your environment does not use ODR by name, apply the same controls to its equivalent local registry/discovery mechanism.
- Primary Vector: Malicious server registration with a trusted server's name or identifier
- Secondary Vectors:
- DNS cache poisoning or DNS hijacking
- Rogue DHCP infrastructure distributing attacker-controlled DNS settings
- Duplicate local registry entries for an existing trusted server
- TLS certificate misuse, weak validation, or certificate pinning gaps
- ARP spoofing on local networks
- Service redeployment windows where identity checks are temporarily bypassed
- Attacker network position (local segment, rogue upstream DNS, or other interception path)
- Weak discovery protections (no DNSSEC validation, permissive local registry behavior, or missing duplicate-name checks)
- Trust model that treats name as identity without robust certificate validation
- Ability to register or advertise a malicious endpoint with legitimate-appearing metadata
- Preparation: Attacker deploys a malicious endpoint that mimics a trusted MCP server name.
- Discovery Hijack: DNS/mDNS responses or local registry entries are poisoned or duplicated.
- Connection: Client resolves the trusted name to the attacker endpoint and initiates session setup.
- Impersonation: Attacker presents weak or mismatched identity material and intercepts traffic.
- Exploitation: Credentials, tokens, and sensitive data are harvested; malicious responses may be injected.
- Post-Exploitation: Attacker persists through registry poisoning and can pivot to additional systems.
{
"service_name": "analytics-hub.local",
"endpoint": "192.168.1.50",
"certificate_fingerprint": "untrusted-self-signed",
"source": "local-registry"
}According to public reporting and ATT&CK campaign tracking, attackers use multiple identity-hijack layers:
- DNS Cache Poisoning: False DNS responses direct clients to malicious infrastructure.
- Registrar Hijacking: Domain and DNS control are taken over to reroute traffic at scale (for example Sea Turtle / G1041).
- Hybrid Discovery Poisoning: DNS hijack combined with local network attacks (ARP/DHCP) to increase reliability and evade single-layer controls.
- Confidentiality: High - credentials and sensitive data can be intercepted.
- Integrity: High - malicious responses can alter workflow outputs and decisions.
- Availability: Medium - service resolution failures and trust breaks can interrupt operations.
- Scope: Network-wide - affects any client relying on poisoned discovery/identity signals.
Organizations are increasingly prioritizing stronger discovery and identity controls, but coverage remains uneven:
- DNSSEC adoption continues to expand, but not all enterprise resolvers and zones validate consistently.
- MCP roadmap work includes stronger server identity/discovery signals through
.well-knownmetadata endpoints. - Teams with mixed legacy protocols and inconsistent registry governance remain exposed to name-collision attacks.
- Sudden DNS resolution drift for trusted MCP server names
- Duplicate or conflicting server entries in local MCP registries
- ARP anomalies and MAC/IP mismatch events around MCP traffic
- TLS certificate mismatch or unexpected self-signed certificate acceptance
- Authentication failures and suspicious reconnect loops after resolution changes
Important: The following Sigma-style rule is an example. Organizations should tailor fields and event IDs to their telemetry pipeline and operating system logging configuration.
title: Detection of Server Impersonation / Name-Collision (SAFE-T1004)
id: 9f3c2a8e-7d4b-4c2f-9a1e-8e2b7f9c1d23
status: experimental
description: Detects indicators of server impersonation or name-collision attacks across DNS, ARP, TLS, and local registry events
author: Ryan Jennings
date: 2025-11-22
modified: 2026-02-24
references:
- https://github.com/SAFE-MCP/safe-mcp/tree/main/techniques/SAFE-T1004
- https://attack.mitre.org/techniques/T1557/
- https://attack.mitre.org/techniques/T1565/002/
logsource:
product: windows
service: system
detection:
selection_dns:
EventID: 1014
Provider_Name: "Microsoft-Windows-DNS-Client"
Message|contains:
- "timed out after none of the configured DNS servers responded"
- "DNSSEC validation failed"
selection_odr:
Provider_Name: "ODR"
Message|contains:
- "duplicate service registration"
- "name collision"
selection_arp:
Provider_Name: "Microsoft-Windows-TCPIP"
Message|contains:
- "duplicate ARP entry"
- "MAC address mismatch"
selection_tls:
EventID: 36882
Provider_Name: "Schannel"
Message|contains:
- "certificate mismatch"
- "self-signed certificate"
condition: selection_dns or selection_odr or selection_arp or selection_tls
falsepositives:
- Legitimate service redeployments that temporarily create duplicate registry entries
- Controlled test environments using self-signed certificates
- Planned DNS cutovers during maintenance windows
level: high
tags:
- attack.credential_access
- attack.t1557
- attack.t1557.002
- attack.t1565.002
- safe.t1004- New duplicate service names for trusted MCP endpoints
- Increased DNS cache refreshes and resolver warning events for previously stable names
- Clients connecting to unexpected IP ranges for known servers
- TLS handshake failures or fallback behavior after certificate mismatches
- Correlated ARP anomalies near authentication or token exchange failures
- SAFE-M-14: Server Allowlisting: Restrict MCP connections to explicit trusted domains/endpoints.
- SAFE-M-2: Cryptographic Integrity for Tool Descriptions: Sign and verify tool metadata to reduce tampering and spoofing risk.
- SAFE-M-6: Tool Registry Verification: Enforce trusted registry source controls and signature validation.
- SAFE-M-45: Tool Manifest Signing & Server Attestation: Validate server identity and manifest integrity before accepting tools.
- SAFE-M-29: Explicit Privilege Boundaries: Limit blast radius if a spoofed endpoint is accepted.
- SAFE-M-12: Audit Logging: Log registry changes, server identity decisions, and endpoint shifts.
- SAFE-M-20: Anomaly Detection: Detect unexpected discovery/connection behavior and resolution drift.
- SAFE-M-11: Behavioral Monitoring: Correlate unusual tool behavior with identity and routing anomalies.
- Immediate Actions:
- Block malicious or untrusted endpoint IPs/domains.
- Remove rogue local registry entries and disable affected server registrations.
- Flush poisoned DNS and ARP caches on impacted hosts.
- Investigation Steps:
- Reconstruct timeline of DNS/registry/certificate changes.
- Identify initial poisoning vector (DNS, ARP, DHCP, registry tampering).
- Scope impacted clients and exposed credentials/tokens.
- Remediation:
- Rotate exposed credentials, tokens, and certificates.
- Re-establish trusted server identity material and pinning policy.
- Add preventive and detective controls for duplicate-name and identity drift.
- SAFE-T1301: Cross-Server Tool Shadowing - exploits tool-name collisions in multi-server environments.
- SAFE-T1407: Server Proxy Masquerade - uses intermediary infrastructure to impersonate trusted paths.
- SAFE-T1005: Exposed Endpoint Exploit - broad endpoint exposure can enable impersonation opportunities.
- SAFE-T1704: Compromised-Server Pivot - impersonation can provide a foothold for lateral movement.
- Model Context Protocol Specification
- OWASP Top 10 for LLM Applications
- Sea Turtle - ATT&CK Group G1041
- Windows ODR Tool (odr.exe)
- Internet Society - DNSSEC Deployment Maps
- APNIC DNSSEC Validation World Map
- European Commission JRC Report on DNSSEC Adoption (2025)
- Model Context Protocol Roadmap
- T1557 - Adversary-in-the-Middle
- T1557.002 - Adversary-in-the-Middle: ARP Cache Poisoning
- T1565.002 - Data Manipulation: DNS Manipulation
- T1071.004 - Application Layer Protocol: DNS
| Version | Date | Changes | Author |
|---|---|---|---|
| 1.0 | 2025-11-22 | Initial documentation with ODR explanation | Ryan Jennings |
| 1.1 | 2026-02-24 | Replaced placeholder mitigations, corrected related-technique mapping, updated detection rule example, and added clearer ODR scope language | Bishnu Bista |
| 1.2 | 2026-02-24 | Corrected ATT&CK reference for Sea Turtle, aligned DNS EventID 1014 example wording, reduced over-specific ARP event assumptions, and added ODR/APNIC references for source clarity | Bishnu Bista |