Domain Fronting - T1090.004
(ATT&CK® Technique)
Definition
Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, "domainless" fronting, utilizes an SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).
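The SNI/Host divergence described above can be checked wherever both fields are visible, for example at a TLS-inspecting egress proxy. The following is an added example, not D3FEND or ATT&CK code; the record layout (`src`, `sni`, `host`) and every sample value are constructed for illustration.

```python
# Added example: flag SNI/Host divergence in TLS-inspection proxy records.
# Field names and all sample values below are constructed, not from a real log.
from typing import Optional

SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com"},
    {"src": "10.0.0.5", "sni": "WWW.Example.com.", "host": "www.example.com:443"},
    {"src": "10.0.0.9", "sni": "cdn.example.net", "host": "hidden.example.org"},
    {"src": "10.0.0.9", "sni": "", "host": "hidden.example.org"},
]

def normalize(name: Optional[str]) -> str:
    """Lower-case, strip whitespace, any :port, and a trailing root dot."""
    name = (name or "").strip().lower()
    if name.startswith("["):                 # bracketed IPv6 literal in Host
        return name[1:].split("]", 1)[0]
    if name.count(":") == 1:                 # host:port form
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")

def classify(record: dict) -> str:
    """Return 'match', 'sni_host_mismatch', 'blank_sni' or 'no_host'."""
    sni = normalize(record.get("sni"))
    host = normalize(record.get("host"))
    if not host:
        return "no_host"                     # nothing to compare against
    if not sni:
        return "blank_sni"                   # the "domainless" variation
    return "match" if sni == host else "sni_host_mismatch"

def findings(records):
    """Yield (src, verdict, sni, host) for every record that is not a match."""
    for r in records:
        verdict = classify(r)
        if verdict != "match":
            yield (r.get("src"), verdict,
                   normalize(r.get("sni")), normalize(r.get("host")))

if __name__ == "__main__":
    for finding in findings(SAMPLE_RECORDS):
        print(finding)
```

A mismatch is a lead rather than a verdict: HTTP/2 connection reuse can legitimately carry requests for several hostnames over one TLS session, so findings are best triaged against a baseline of known CDN behaviour.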
D3FEND Inferred Relationships
Domain Fronting (T1090.004) produces: Outbound Internet Encrypted Web Traffic (d3f:OutboundInternetEncryptedWebTraffic)
Defensive techniques that analyze Outbound Internet Encrypted Web Traffic and may detect Domain Fronting:
- Client-server Payload Profiling (d3f:Client-serverPayloadProfiling)
- Network Traffic Community Deviation (d3f:NetworkTrafficCommunityDeviation)
- Relay Pattern Analysis (d3f:RelayPatternAnalysis)
- Remote Terminal Session Detection (d3f:RemoteTerminalSessionDetection)
- Protocol Metadata Anomaly Detection (d3f:ProtocolMetadataAnomalyDetection)
- Per Host Download-Upload Ratio Analysis (d3f:PerHostDownload-UploadRatioAnalysis)
- Network Traffic Signature Analysis (d3f:NetworkTrafficSignatureAnalysis)
- User Geolocation Logon Pattern Analysis (d3f:UserGeolocationLogonPatternAnalysis)
Defensive techniques that filter Outbound Internet Encrypted Web Traffic and may isolate Domain Fronting:
- Outbound Traffic Filtering (d3f:OutboundTrafficFiltering)
- Network Traffic Filtering (d3f:NetworkTrafficFiltering)