Description
Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).
For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.
Platforms
Mitigations (1)
SSL/TLS InspectionM1020
If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used the meek domain fronting plugin for [Tor](https://attack.mitre.org/software/S0183) to hide the... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) has the ability to accept a value for HTTP Host Header to enable domain fronting.(Citation: C... |
| S0175 | meek | Tool | [meek](https://attack.mitre.org/software/S0175) uses Domain Fronting to disguise the destination of network traffic as another server that is hosted i... |
| S0699 | Mythic | Tool | [Mythic](https://attack.mitre.org/software/S0699) supports domain fronting via custom request headers.(Citation: Mythc Documentation) |
| S0649 | SMOKEDHAM | Malware | [SMOKEDHAM](https://attack.mitre.org/software/S0649) has used a fronted domain to obfuscate its hard-coded C2 server domain.(Citation: FireEye SMOKEDH... |
References
Frequently Asked Questions
What is T1090.004 (Domain Fronting)?
T1090.004 is a MITRE ATT&CK technique named 'Domain Fronting'. It belongs to the Command and Control tactic(s). Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic t...
How can T1090.004 be detected?
Detection of T1090.004 (Domain Fronting) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1090.004?
There are 1 documented mitigations for T1090.004. Key mitigations include: SSL/TLS Inspection.
Which threat groups use T1090.004?
Known threat groups using T1090.004 include: APT29.