INTRO

At a high level, domain fronting can be used to transmit command and control traffic to the intended origin that’s being blocked by egress filters. It is also used as a technique to mask C2 traffic. MITRE has a great definition as well under tactic T1172. Domain fronting is not new but it is used as of the writing of this blog post. The domain name of the attacker controlled endpoint is only communicated after the establishment of an encrypted HTTPS connection. Adversaries swap their host header for the CDN to route what appears to be trusted website traffic to their command and control server instead. Domain fronting continues to be a valid method for bypassing network restrictions, hiding from defenders, and protecting your infrastructure.

Front a network perspective, victim host goes out to a "known-good" source (CDN) which limits the ability for organizations to block or identify this C2 traffic.

FREE STUFF

Azure gives you a free 30 days (as of the date of this post) to play around with so be sure to check it out!

AZURE - CONFIGURE CDN Profile and Endpoint

(BTW: You can replace this portion with AWS or Google.. if they allow it).

There are a lot of excellent blog posts on this already (Be sure to check these out):

Empire - Domain Fronting &  Metasploit - Domain Fronting

I will keep mine short and  to the point for ease of read. Once you get your free Azure account, follow the steps below:

1) Click on Home (Left panel)

2) Select "Create  a Resource"

3) Under "Web" click on "CDN". There is excellent Microsoft documentation about Azure CDNs on this page.

4) Fill out the CDN profile information. This post explains what the values mean. If you come across the error message about "Microsoft.CDN  being a registered Resource" be sure to check this link out.

5) Add an endpoint to your CDN. This is the good part!

  • CDN Endpoint Name: This is what is going to be in your Host header of the HTTP request, and what will ultimately point to your C2 infrastructure. This name should not draw attention to itself. Keep it cool.
  • Origin Hostname: This is your IP address or DNS name for you C2 infrastructure. The CDN will receive the traffic from the CDN Endpoint and send it over to this value (your C2 infra).

6) Find Domain Frontable Domains from Azure. You can use @r3vsh3ll project FindFrontableDomains for this. I recommend you run the script and pick one out that makes sense. Don't pick one with crazy subdomains or else crap like this will draw some attention to your actions.

7) Test your CDN! Simply using curl:

curl -k --header "Host: WHATEVER-CDN_ENDPOINT_NAME.azureedge.net" "https://frontable-domain.com"
Hmmmmmmmmmm!

Of note: The cool thing about this tactic is that the traffic is literally proxied through the CDN before it hits your C2. Your C2 is never actually exposed through traffic. To make your configuration even more secure, be sure to check this out. I highly recommend it. What may appear suspicious is the certain "host" headers in the HTTP request. A way to handle this is obviously wrapping it in SSL/TLS. Be sure to check out Mudges blog post on customer proxies that could get in the way. For that awesome blog post -> click me!

COVENANT - C2 Framework

(BTW: You can replace this portion with another C2 framework of your choice like Empire or Cobalt Strike).

1) You can follow the installation steps from the creators', @Cobbr, github. I personally like Option 2.

2) I wrote a little script to automate option 2 for the lazy people like me. You can find that script in my github. Just be sure you installed docker-ce prior to running it.

For this blog post, I didn't configure SSL. Below is an example of how the HTTP listener should look like:

Listener Configuration

I used the "ConnectAddress" as my CDN Endpoint and it will route to my C2 node. Capturing the traffic, you will notice the entire connection never gets to your C2 node. Wrap the traffic in SSL (not shown here), and you are in business.

3) Get your launcher to the victim. For the demo,I simply hosted the vanilla PowerShell launcher and used the default launcher "one-liner" to get my call back. Please realize this is extremely loud and will get picked up by AV. (Yes, even windows defender). Below is the command ran on the victim machine:

Example: Command on Victim Node

4)  Interact with your new grunt! Since it is outside the scope of this post, you can find some documentation on what to do next here. Disregard the fact that I switched to a binary :) (testing other things).

CONCLUSION

This was a very basic post to give readers an exposure (and some awesome external links) to learning what Domain Fronting is and how to use it.

Thanks for reading this far! I will update this with greater detail in the future.