SCYTHE Domain Fronting through Azure CDN
Guest blog post by one of our partners, Derek Johnson - Senior Cybersecurity Engineer at NTH

Domain Fronting is a MITRE ATT&CK technique (T1090.004) where the attacker takes advantage of the routing mechanism of Content Delivery Networks (CDNs) to bypass egress (outbound) controls and establish Command and Control (C2). Proxying C2 traffic through various hosts/domains is an ideal technique to not expose your SCYTHE (or any C2) server to the target organization directly. SCYTHE provides multiple redirectors/relays to proxy traffic (T1090) through domains and hosts that the target organization allows outbound. The Domain Fronting method allows the traffic to go from the target organization to a CDN that is rarely blocked. In this guest post by a SCYTHE Consulting Partner, we cover how to use the Microsoft Azure CDN to proxy C2 traffic from the target to your SCYTHE server.

Domain Fronting through Azure CDN

Using Azure CDN to hide C2 traffic is a great way to egress out of a network and obscure traffic. There are two major components within Azure CDN that make this work:

  1. Endpoint Hostname, such as https://yourname.azureedge.net
  2. Origin Hostname, such as https://yourdomainname.com

When SCYTHE uses Azure CDN, the client first makes a DNS request for the Endpoint Hostname (<yourname>.azureedge.net); the CDN then forwards the traffic to the Origin Hostname (https://YourSCYTHEserverDomainName).

Pre-requisites

  1. The SCYTHE Server should be set up with both an SSL certificate and a domain name.
  2. A public DNS A record for your custom domain that points to your SCYTHE Server's public IP address.
  3. An Azure account.
     1. You can set up an Azure account at https://portal.azure.com
     2. Warning: Microsoft may not like you using their CDN for C2

Azure CDN Setup

1. Use the top search bar to search for “CDN” and select CDN profiles.

2. Click the + Create button to create a CDN profile.

  1. Subscription: Select your Azure subscription.
  2. Resource group: Select an existing resource group or create a new one.
  3. Profile Details: Create a name.
  4. Pricing Tier: Select your desired pricing.
  5. Endpoint Settings: Create the Endpoint Hostname and the Origin Hostname.
  6. CDN Endpoint Name: Select <yourcdnName>.azureedge.net.
  7. Origin Type: Select Custom Origin.
  8. Origin Hostname: This is your SCYTHE server's custom domain name.
  9. Click Review & Create.

Disable Caching on the Endpoint

  1. Go to your CDN profiles and select the CDN Endpoint that was created.
  2. Click Caching rules and change the query string caching behavior to "Bypass Caching for Query Strings".

Wait at least 20 minutes before using the CDN.

Test your new CDN

  1. Open a new browser window and paste the new CDN Endpoint Hostname into the address bar (ex: https://myname.azureedge.net).
  2. If it is working properly, you will be redirected to your Origin Hostname, which is your SCYTHE server, and you will see myaccount.google.com.

The exact flow is victim endpoint > https://yourcdn.azureedge.net (this is the Endpoint Hostname) > https://yourscytheserverIP (this is the Origin Hostname).

If working properly, you should see myaccount.google.com.

Setup SCYTHE Campaign to use new CDN

Update the --cp parameter to point at your new Azure CDN Endpoint Hostname.

Verify SCYTHE Client is using CDN

Using Wireshark, we can see the initial DNS request go to <yourcdnname>.azureedge.net.

Following the Wireshark TCP stream to the Microsoft IP address, we can see that all traffic is flowing through the azureedge.net CDN.

Detection & Response

Domain Fronting is one of the toughest techniques to detect and respond to because of the volume of traffic most organizations send outbound to Content Delivery Networks (CDNs). A multitude of legitimate web sites and services use CDNs, so detecting Command and Control (C2) through a CDN will generate a significant number of events. As per MITRE ATT&CK, here are some options:

  • Inspect HTTPS traffic leaving your organization’s perimeter. This is also known as TLS decryption or inspection.
  • If TLS inspection is in place, the HTTP Host header can be checked against the Server Name Indication (SNI) or against a deny/allow list of domain names. The caveat in this case is that the traffic uses legitimate Microsoft Azure domain names, so a deny list at the domain level will not catch it.
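The two checks above, implemented as an added example (not SCYTHE's or Azure's code): it reads TLS-inspection proxy records, flags requests where the SNI and HTTP Host header disagree, and flags requests to any *.azureedge.net endpoint name that the organization has not explicitly allow-listed, which is how the "legitimate Microsoft domain" caveat is handled. The JSON field names (src, sni, host, dst), the sample records, the documentation-range IP addresses and the allow-listed endpoint corp-assets.azureedge.net are all constructed for this example; map the field names to whatever your proxy actually logs.

```python
"""
Flag possible domain fronting in TLS-inspection proxy logs.

Added example for this post, not part of SCYTHE or Azure CDN. It assumes a
TLS-inspecting proxy that writes one JSON object per request with the
constructed field names "src", "sni", "host" and "dst".
"""
import json

# CDN endpoint suffix named in the post; extend with other CDNs as needed.
CDN_SUFFIXES = (".azureedge.net",)

# Constructed sample records (IPs from documentation ranges, not real hosts).
SAMPLE_LOG = """
{"src": "10.0.0.15", "sni": "yourcdn.azureedge.net", "host": "yourcdn.azureedge.net", "dst": "203.0.113.10"}
{"src": "10.0.0.22", "sni": "corp-assets.azureedge.net", "host": "corp-assets.azureedge.net", "dst": "203.0.113.10"}
{"src": "10.0.0.31", "sni": "cdn.example.com", "host": "hidden.example.net", "dst": "198.51.100.7"}
{"src": "10.0.0.40", "sni": "login.microsoftonline.com", "host": "login.microsoftonline.com", "dst": "198.51.100.9"}
"""

# Constructed allow list: CDN endpoint names the organization knows it uses.
KNOWN_ENDPOINTS = {"corp-assets.azureedge.net"}


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize(name):
    """Lower-case a hostname and drop any trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def is_cdn_host(name):
    """True if the hostname belongs to one of the configured CDN suffixes."""
    name = normalize(name)
    return any(name.endswith(suffix) for suffix in CDN_SUFFIXES)


def find_fronting_indicators(records, known_endpoints):
    """
    Return one (src, sni, host, reason) tuple per indicator found.

    reasons:
      sni_host_mismatch    TLS SNI and HTTP Host header differ, the classic
                           domain-fronting signature.
      unknown_cdn_endpoint the request is for a CDN endpoint name
                           (e.g. <name>.azureedge.net) that is not on the
                           organization's allow list. The azureedge.net domain
                           itself is legitimate, so only the specific endpoint
                           name can be judged.
    """
    known = {normalize(e) for e in known_endpoints}
    findings = []
    for rec in records:
        sni = normalize(rec.get("sni", ""))
        host = normalize(rec.get("host", ""))
        if sni and host and sni != host:
            findings.append((rec["src"], sni, host, "sni_host_mismatch"))
        # Either name may be the CDN endpoint; report the record once.
        if any(is_cdn_host(n) and n not in known for n in (sni, host) if n):
            findings.append((rec["src"], sni, host, "unknown_cdn_endpoint"))
    return findings


if __name__ == "__main__":
    for src, sni, host, reason in find_fronting_indicators(
        parse_log(SAMPLE_LOG), KNOWN_ENDPOINTS
    ):
        print(f"{reason:22} src={src} sni={sni} host={host}")
```

Run against the constructed records, the first line (an endpoint name nobody allow-listed) and the third line (SNI and Host disagree) are reported; the allow-listed corporate endpoint and the ordinary Microsoft login traffic are not. In production, the allow list is the part that needs care: seed it from the CDN endpoints your own applications are known to use and treat any newly seen *.azureedge.net name from an internal host as worth a look.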

Conclusion

Proxying C2 traffic through various hosts/domains is ideal to not expose your SCYTHE server to the target organization directly. Leveraging domain fronting is one method of doing just that. This post covers how to leverage Azure’s Content Delivery Network (CDN) to bypass outbound controls at the target organization and how to set it up in your SCYTHE campaign. We also cover methods to detect and respond to domain fronting. SCYTHE wants to thank Derek Johnson from NTH Generation Computing for the core content of this guest post.

About The Author

Derek Johnson is a Senior Cybersecurity Engineer at NTH Generation Computing. Derek specializes in providing penetration testing services, red teaming, and other ethical hacking services. Using NTH Generation’s exclusive cybersecurity lab and threat research, he focuses on strengthening security posture to defend against advanced virtual threats. Derek has designed and implemented cybersecurity solutions in a range of industries including education, manufacturing, and insurance. He has developed NTH Generation’s Endpoint security posture program, written in Go. In addition, he has programmed custom Golang ransomware C2 and built a comprehensive ransomware readiness services offering to validate customer security controls around ransomware.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.