Domain Fronting is a MITRE ATT&CK technique (T1090.004) in which the attacker takes advantage of the routing mechanism of Content Delivery Networks (CDNs) to bypass egress (outbound) controls and establish Command and Control (C2). Proxying C2 traffic through various hosts/domains is an ideal way to avoid exposing your SCYTHE (or any C2) server to the target organization directly. SCYTHE provides multiple redirectors/relays to proxy traffic (T1090) through domains and hosts that the target organization allows outbound. The Domain Fronting method lets the traffic go from the target organization to a CDN that is rarely blocked. In this guest post by a SCYTHE Consulting Partner, we cover how to use the Microsoft Azure CDN to proxy C2 traffic from the target to your SCYTHE server.
Using Azure CDN to hide C2 traffic is a great way to egress out of a network and obscure traffic. There are two major components within Azure CDN that make this work: the Endpoint Hostname and the Origin Hostname.
When SCYTHE uses Azure CDN, its first DNS request is for the Endpoint Hostname (<yourname>.azureedge.net); the CDN then directs the traffic to the Origin Hostname (https://YourSCYTHEserverDomainName).
1. Use the top search bar to search for “CDN” and select CDN profiles.
2. Click the + Create button to create a CDN profile.
Wait at least 20 minutes before using the CDN.
The exact flow is: victim endpoint > https://yourcdn.azureedge.net (the Endpoint Hostname) > https://yourscytheserverIP (the Origin Hostname).
If it is working properly, you should see myaccount.google.com.
Update the --cp parameter to point at your new Azure CDN address.
Using Wireshark, we can see the initial DNS request go to <yourcdnname>.azureedge.net.
Following the TCP stream to the Microsoft IP address in Wireshark, we can see that all traffic flows through the azureedge.net CDN.
Domain Fronting is one of the toughest techniques to detect and respond to because of the volume of outbound traffic most organizations have to Content Delivery Networks (CDNs). A multitude of legitimate web sites and services use CDNs, so detecting Command and Control (C2) through a CDN will generate a significant number of events. As per MITRE ATT&CK, here are some options:
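One concrete detection that follows from the traffic flow described above: the network only sees the CDN edge name (the azureedge.net Endpoint Hostname) in DNS and in the TLS SNI, while the name of the real origin travels inside the encrypted HTTP Host header. A TLS-inspecting proxy that logs both fields can flag connections where the SNI is a CDN edge hostname and the Host header names a different domain. The script below is an added example written for this post, not SCYTHE's code or a product feature; the key=value log format, the sample lines, the IP addresses (TEST-NET ranges) and the list of CDN edge suffixes are all constructed assumptions.

```python
"""Flag likely domain fronting in constructed web-proxy log lines.

Domain fronting puts one name in the TLS SNI (the CDN edge hostname the
network sees, e.g. <name>.azureedge.net) and a different name in the HTTP
Host header (the origin the CDN actually forwards to). A TLS-inspecting
proxy that records both fields can surface the mismatch. Log format, sample
data and the edge-suffix list are assumptions made for this example.
"""
import re
from collections import Counter

# Constructed sample log lines (assumed key=value format, TEST-NET addresses).
SAMPLE_LOG = """\
ts=1700000000 src=10.0.0.5 dst=203.0.113.10 sni=cdn-assets.azureedge.net host=cdn-assets.azureedge.net
ts=1700000003 src=10.0.0.5 dst=203.0.113.10 sni=cdn-assets.azureedge.net host=c2.example.invalid
ts=1700000007 src=10.0.0.9 dst=198.51.100.20 sni=www.google.com host=www.google.com
ts=1700000011 src=10.0.0.5 dst=203.0.113.10 sni=cdn-assets.azureedge.net host=c2.example.invalid
ts=1700000015 src=10.0.0.12 dst=192.0.2.30 sni=static.example.com host=example.com
"""

# CDN edge suffixes that commonly front other origins (assumed list; tune per environment).
CDN_EDGE_SUFFIXES = (".azureedge.net", ".cloudfront.net", ".akamaized.net")

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; return None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(LINE_RE.findall(line))


def registrable(name):
    """Crude 'registered domain' approximation: the last two labels.
    Assumption for the example; production code should use a public suffix list."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(rec):
    """Return a finding label for one record, or None if nothing looks fronted."""
    sni = rec.get("sni", "").lower()
    host = rec.get("host", "").lower()
    if not sni or not host or sni == host:
        return None
    if sni.endswith(CDN_EDGE_SUFFIXES):
        # Strongest signal: CDN edge name in SNI, some other origin in Host.
        return "cdn-edge-sni-host-mismatch"
    if registrable(sni) != registrable(host):
        # Different registered domains without a known CDN edge: still worth a look.
        return "cross-domain-sni-host-mismatch"
    # Same registered domain (static.example.com vs example.com) is ordinary traffic.
    return None


def detect(log_text):
    """Return a list of (src, dst, sni, host, label) for suspicious records."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append((rec["src"], rec["dst"], rec["sni"], rec["host"], label))
    return findings


def summarize(findings):
    """Count findings per (src, sni, host) so repeated beaconing stands out."""
    return Counter((f[0], f[2], f[3]) for f in findings)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for finding in found:
        print(finding)
    for key, count in summarize(found).items():
        print(f"{count}x {key}")
```

On the constructed sample this flags the two connections from 10.0.0.5 whose SNI is the azureedge.net edge name but whose Host header is c2.example.invalid, and leaves the ordinary CDN, Google and same-domain traffic alone. The check only works where both fields are visible: without TLS inspection the proxy sees exactly what the Wireshark capture above shows, DNS and SNI for the edge name only, and the Host header stays hidden inside the encrypted session.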
Proxying C2 traffic through various hosts/domains is ideal for not exposing your SCYTHE server to the target organization directly, and domain fronting is one method of doing just that. This post covers how to use Azure’s Content Delivery Network (CDN) to bypass outbound controls at the target organization and how to set it up in your SCYTHE campaign. We also cover methods to detect and respond to domain fronting. SCYTHE wants to thank Derek Johnson from NTH Generation Computing for the core content of this guest post.
Derek Johnson is a Senior Cybersecurity Engineer at NTH Generation Computing. Derek specializes in providing penetration testing, red teaming, and other ethical hacking services. Using Nth Generation’s exclusive cybersecurity lab and threat research, he focuses on strengthening security posture to defend against advanced virtual threats. Derek has designed and implemented cybersecurity solutions in a range of industries including education, manufacturing, and insurance. He developed NTH Generation’s endpoint security posture program, written in Go. In addition, he has programmed custom Golang ransomware C2 and built a comprehensive ransomware readiness services offering to validate customer security controls around ransomware.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.