
Hunting for Domain Fronting C2 Traffic

Overview

Domain fronting (MITRE ATT&CK T1090.004) places one domain in the TLS SNI field and a different one in the HTTP Host header, so traffic that appears bound for a legitimate CDN-hosted site is routed by the CDN edge to an attacker-controlled origin. This skill hunts for it by parsing proxy and web-gateway logs for records whose SNI and Host header belong to different registrable domains, identifying the CDN provider from the server certificate and destination IP, flagging connections where the SNI is a high-reputation domain but the Host header names an unknown or low-reputation domain, and correlating destinations against published CDN provider IP ranges. Two caveats shape the hunt: the Host header is only visible where the proxy terminates and inspects TLS, so uninspected sessions (including those using Encrypted Client Hello) yield nothing to compare, and some legitimate sites serve several hostnames through one CDN configuration, so the Host domain's reputation must be checked before a mismatch is treated as C2.
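The core of the procedure above, as an added example rather than the skill's own code: a detector that reads JSON-lines proxy records, normalizes SNI and Host, compares them at the registrable-domain level (so www.foo.example against foo.example is not a hit), labels the CDN from the destination IP, and grades each mismatch by whether the SNI is a high-reputation front. It assumes the proxy performs TLS inspection so the Host header is logged; the field names, CDN CIDRs, reputation list, public-suffix table and log lines are all constructed for illustration.

```python
"""Flag SNI/Host mismatches indicative of domain fronting in TLS-inspected proxy logs.

Added example, not the skill's own code. Field names, CDN ranges, reputation
list and sample log lines are constructed for illustration.
"""
import ipaddress
import json

# Constructed CDN ranges (documentation prefixes). A real hunt loads each provider's
# published IP list; a CDN edge IP alone never proves fronting, it only adds context.
CDN_RANGES = {
    "ExampleCDN-A": [ipaddress.ip_network("203.0.113.0/24")],
    "ExampleCDN-B": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed allowlist of high-reputation front domains; seed from a top-sites
# list or your own traffic baseline in practice.
HIGH_REPUTATION = {"cdn-static.example", "assets.bigcorp.example"}

# Minimal public-suffix approximation; production code should use a full PSL library.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def normalize_host(value):
    """Lowercase, strip :port and trailing dot; return None for empty values."""
    if not value:
        return None
    host = value.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        host = host.split("]")[0][1:]
    elif host.count(":") == 1:          # hostname:port
        host = host.split(":")[0]
    return host.rstrip(".") or None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """eTLD+1 using the small suffix table above."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def cdn_provider(dst_ip):
    """Name of the CDN whose range contains dst_ip, or None."""
    if not dst_ip:
        return None
    addr = ipaddress.ip_address(dst_ip)
    for name, nets in CDN_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def analyze_record(rec):
    """Return a finding for a suspicious record, or None if benign or not comparable."""
    sni = normalize_host(rec.get("sni"))
    host = normalize_host(rec.get("host"))
    if sni is None or host is None:
        return None   # no SNI (ECH, or TLS not inspected) or no Host: nothing to compare
    if is_ip_literal(sni) or is_ip_literal(host):
        return None   # IP literals belong to a different hunt (direct-to-IP traffic)
    if registrable_domain(sni) == registrable_domain(host):
        return None   # same registrable domain: routine CDN edge behaviour
    provider = cdn_provider(rec.get("dst_ip"))
    if provider and sni in HIGH_REPUTATION:
        severity = "high"      # trusted front on a CDN edge, Host elsewhere: classic fronting
    elif provider:
        severity = "medium"    # CDN edge with cross-domain Host; check the Host's reputation
    else:
        severity = "low"       # mismatch off-CDN: often misconfiguration, still worth a look
    return {"ts": rec.get("ts"), "src_ip": rec.get("src_ip"), "dst_ip": rec.get("dst_ip"),
            "sni": sni, "host": host, "cdn_provider": provider, "severity": severity}


def hunt(lines):
    """Parse JSON-lines proxy records and return findings ordered high to low."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue               # skip malformed lines rather than abort the hunt
        finding = analyze_record(rec)
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: rank[f["severity"]])


# Constructed sample log: one fronting hit, one CDN cross-domain Host, one off-CDN
# mismatch, two benign edge cases (no SNI; port and trailing dot noise) and junk.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "sni": "cdn-static.example", "host": "c2-relay.attacker.example"}
{"ts": "2024-05-01T10:00:02Z", "src_ip": "10.0.0.6", "dst_ip": "203.0.113.11", "sni": "cdn-static.example", "host": "www.cdn-static.example"}
{"ts": "2024-05-01T10:00:03Z", "src_ip": "10.0.0.7", "dst_ip": "192.0.2.20", "sni": "shop.example.co.uk", "host": "api.other.example"}
{"ts": "2024-05-01T10:00:04Z", "src_ip": "10.0.0.8", "dst_ip": "198.51.100.5", "sni": "", "host": "update.vendor.example"}
{"ts": "2024-05-01T10:00:05Z", "src_ip": "10.0.0.9", "dst_ip": "198.51.100.6", "sni": "Files.Vendor.Example:443", "host": "files.vendor.example."}
{"ts": "2024-05-01T10:00:06Z", "src_ip": "10.0.0.10", "dst_ip": "198.51.100.7", "sni": "misc.partner.example", "host": "telemetry.thirdparty.example"}
not json at all
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["src_ip"], "->", f["dst_ip"],
              "SNI", f["sni"], "Host", f["host"], "via", f["cdn_provider"])
```

Comparing registrable domains rather than raw strings is what keeps the rule quiet on ordinary CDN edges, and the three severities separate the case the page describes (trusted SNI, CDN edge, foreign Host) from mismatches that merely need a reputation check. Records with no SNI are deliberately dropped rather than flagged, since the absence of SNI is a separate signal with its own hunt.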

When to Use

  • When investigating security incidents that require hunting for domain fronting C2 traffic
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

Installs: 34
GitHub Stars: 24.2K
First Seen: Mar 15, 2026
Source: mukul975/anthropic-cybersecurity-skills, skill hunting-for-domain-fronting-c2-traffic