Hunting for Domain Fronting C2 Traffic

Overview

Domain fronting (MITRE ATT&CK T1090.004) is a technique where attackers use different domain names in the TLS SNI field and the HTTP Host header to disguise C2 traffic behind legitimate CDN-hosted domains. This skill detects domain fronting by parsing proxy/web gateway logs for SNI-Host header mismatches, analyzing TLS certificates for CDN provider identification, flagging connections where the SNI points to a high-reputation domain but the Host header targets an attacker-controlled domain, and correlating with known CDN provider IP ranges.

When to Use

• When investigating security incidents that require hunting for domain fronting c2 traffic
• When building detection rules or threat hunting queries for this domain
• When SOC analysts need structured procedures for this analysis type
• When validating security monitoring coverage for related attack techniques

Prerequisites

• Web proxy or secure web gateway logs with SNI and Host header fields
• Python 3.8+ with pyOpenSSL and cryptography libraries
• TLS inspection enabled on proxy for Host header visibility