Domain Fronting

Domain fronting uses a CDN to make command and control (C2) traffic look legitimate. The defender sees a connection to example.com, while the request is actually routed to maliciouscnc.examplecdn.com.

These are the steps for HTTPS traffic:

  1. The client performs a DNS lookup of the server (www.example.com).

  2. The client initiates a connection to the IP address returned by the DNS lookup on TCP port 443.

  3. The server presents a server certificate to begin the TLS tunnel setup.

  4. The certificate presented is for www.example.com.

  5. The client completes the TLS negotiation and submits the first HTTP request. It sets the HTTP Host header to maliciouscnc.examplecdn.com.

  6. The server reads the request and selects content based on the value of the Host header. It serves the content of maliciouscnc.examplecdn.com.
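The detection angle that follows from the steps above is the mismatch between the name the TLS layer saw (SNI / certificate, www.example.com) and the name in the HTTP Host header (maliciouscnc.examplecdn.com). The following is an added example, not code from the original page: it parses the Host header of a first request, normalises it, and flags flows whose Host belongs to a different registrable domain than the SNI. The flow records are constructed, and the "last two labels" rule for the registrable domain is a deliberate simplification.

```python
from typing import Optional

# Constructed sample flows, not captured traffic: (TLS SNI, raw first HTTP request)
SAMPLE_FLOWS = [
    ("www.example.com", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("www.example.com", b"GET /beacon HTTP/1.1\r\nHost: maliciouscnc.examplecdn.com\r\n\r\n"),
    ("example.com", b"GET / HTTP/1.1\r\nHost: WWW.Example.com:443\r\n\r\n"),
    ("cdn.example.net", b"GET / HTTP/1.1\r\n\r\n"),  # request without a Host header
]

def extract_host(request: bytes) -> Optional[str]:
    """Return the normalised Host header of an HTTP/1.x request, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            # Drop an explicit port; bracketed IPv6 literals are left untouched
            if not host.startswith("[") and ":" in host:
                host = host.rsplit(":", 1)[0]
            return host.rstrip(".")
    return None

def registrable_domain(name: str) -> str:
    """Simplification: last two labels. Production code should use the Public Suffix List."""
    return ".".join(name.split(".")[-2:])

def classify(sni: str, request: bytes) -> str:
    """Compare SNI with Host; a different registrable domain is the fronting signature."""
    host = extract_host(request)
    if host is None:
        return "no-host"
    sni = sni.lower().rstrip(".")
    if host == sni or registrable_domain(host) == registrable_domain(sni):
        return "consistent"
    return "sni-host-mismatch"

def scan(flows):
    """Return (sni, host, verdict) for every flow so results can be reviewed or alerted on."""
    return [(sni, extract_host(req), classify(sni, req)) for sni, req in flows]

if __name__ == "__main__":
    for sni, host, verdict in scan(SAMPLE_FLOWS):
        print(f"{verdict:18} sni={sni} host={host}")
```

This comparison needs visibility into the decrypted request, which in practice means a TLS-inspecting proxy; where the client uses Encrypted ClientHello the SNI itself is no longer visible on the wire.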
