Outbound HTTPS connections in which the TLS Server Name Indication (SNI) does not match the HTTP Host header carried inside the tunnel. The pattern is consistent with domain fronting: the SNI names an innocuous site hosted on a CDN, while the Host header routes the request to attacker-controlled infrastructure behind the same CDN, hiding C2 traffic in what looks like ordinary CDN use. Because the Host header is encrypted, this comparison requires TLS inspection (a decrypting proxy) or endpoint-side visibility; a sensor that sees only the handshake cannot perform it.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Connections | TLS handshake + HTTP headers |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| SNIHostMismatch | Acceptable ratio of SNI/Host mismatches per source, tuned from legitimate usage patterns (some multi-tenant CDN front ends mismatch benignly). |
| CDNAllowList | Allow list of known safe CDN front-end domains (e.g., `cdn.company.com`). |
| ProcessInitiator | Filter on the process that initiated the connection; scripting engines, LOLBins, and unknown or unsigned binaries warrant higher severity than browsers. |
Applications such as curl, wget, or custom binaries initiate HTTPS connections in which the TLS SNI is absent or does not match the HTTP Host header, while the Host header targets a C2 endpoint reachable through the CDN.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | ssl.log + http.log |
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| SNIFieldAbsent | Flag TLS sessions whose SNI is empty ('domainless' fronting); modern browsers and most HTTP libraries always send SNI, so its absence is itself unusual. |
| AllowedTools | Environmental tuning for known binaries that legitimately use an alternate SNI (e.g., API test tooling). |
| ProcessContext | Enrich with command-line arguments and parent/child lineage from execve events to separate scripted abuse from interactive administrative use. |
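The Windows and Linux analytics above both reduce to the same join: pair each TLS session's SNI with the Host header of the HTTP request carried inside it, suppress known front ends, and weight the result by the process that opened the connection. The following Python is an added example (not code from this page or from ATT&CK) that runs that logic over constructed, simplified Zeek-style `ssl.log` and `http.log` rows joined on the connection `uid`. The uid-to-process mapping, the allow list, and the set of suspicious initiators are assumed illustrative values, and the example presumes the HTTP side was decrypted upstream, the precondition every analytic on this page shares.

```python
"""Added example: SNI vs. HTTP Host mismatch analytic over constructed
Zeek-style ssl.log / http.log rows. Not from the original page."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed, simplified Zeek-style TSV rows (real logs carry more columns and
# '#fields' headers). http.log rows exist only because TLS was decrypted upstream.
SSL_LOG = """\
uid\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name
C1\t10.0.0.5\t203.0.113.10\t443\tcdn.company.com
C2\t10.0.0.5\t203.0.113.10\t443\tassets.example-cdn.net
C3\t10.0.0.7\t203.0.113.20\t443\t-
C4\t10.0.0.9\t203.0.113.30\t443\twww.example.org
C5\t10.0.0.9\t203.0.113.30\t8443\tstatic.example-cdn.net
C6\t10.0.0.9\t203.0.113.10\t443\twww.example.org
C7\t10.0.0.9\t203.0.113.30\t443\twww.example.org
"""
HTTP_LOG = """\
uid\thost\turi\tuser_agent
C1\tcdn.company.com\t/app.js\tMozilla/5.0
C2\tbeacon.example-cdn.net\t/api/v1\tMozilla/5.0
C3\tc2.example-cdn.net\t/poll\tcurl/8.0
C4\twww.example.org\t/\tMozilla/5.0
C5\tstatic.example-cdn.net\t/\tMozilla/5.0
C6\tcdn.company.com\t/fonts.css\tMozilla/5.0
C7\tedge.example-cdn.net\t/\tMozilla/5.0
"""
# Constructed enrichment: connection uid -> initiating process, assumed to be
# pre-joined from Sysmon EventCode 3 (Windows) or auditd execve + socket data (Linux).
PROCESS_BY_UID = {"C1": "chrome.exe", "C2": "powershell.exe", "C3": "curl",
                  "C4": "firefox", "C5": "python3", "C6": "firefox", "C7": "firefox"}

# Tunables named on the page; the values here are assumptions for this example.
CDN_ALLOW_LIST: Set[str] = {"cdn.company.com"}          # CDNAllowList (applied to Host)
SUSPICIOUS_INITIATORS: Set[str] = {"powershell.exe", "wscript.exe", "cscript.exe",
                                   "mshta.exe", "rundll32.exe", "curl", "wget", "python3"}


@dataclass
class Finding:
    uid: str
    src: str
    sni: Optional[str]
    host: str
    process: str
    reason: str      # "sni_absent" or "sni_host_mismatch"
    severity: str    # "high" for a suspicious or unknown initiator, else "medium"


def parse_tsv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def normalize_host(value: str) -> str:
    # A Host header may carry a port (host:8443); compare on the name only.
    return value.strip().lower().split(":")[0].rstrip(".")


def detect(ssl_text: str, http_text: str, process_by_uid: Dict[str, str],
           cdn_allow_list: Set[str], suspicious_initiators: Set[str]) -> List[Finding]:
    """Join ssl.log to http.log on uid and flag absent or mismatched SNI."""
    http_by_uid = {r["uid"]: r for r in parse_tsv(http_text)}
    findings: List[Finding] = []
    for s in parse_tsv(ssl_text):
        h = http_by_uid.get(s["uid"])
        if h is None:
            continue  # no decrypted HTTP for this session: nothing to compare
        sni = None if s["server_name"] in ("", "-") else normalize_host(s["server_name"])
        host = normalize_host(h["host"])
        if host in cdn_allow_list:
            continue  # CDNAllowList: known front end, a mismatch is expected
        if sni is None:
            reason = "sni_absent"            # SNIFieldAbsent: 'domainless' fronting
        elif sni != host:
            reason = "sni_host_mismatch"     # SNIHostMismatch
        else:
            continue
        proc = process_by_uid.get(s["uid"], "unknown")
        # ProcessInitiator: scripting engines, LOLBins and unknown binaries rank higher
        suspicious = proc == "unknown" or proc in suspicious_initiators
        findings.append(Finding(s["uid"], s["id.orig_h"], sni, host, proc, reason,
                                "high" if suspicious else "medium"))
    return findings


if __name__ == "__main__":
    for f in detect(SSL_LOG, HTTP_LOG, PROCESS_BY_UID, CDN_ALLOW_LIST, SUSPICIOUS_INITIATORS):
        print(f"{f.severity:6} {f.uid} {f.src} proc={f.process} sni={f.sni} host={f.host} ({f.reason})")
```

Three of the seven constructed sessions fire: C2 (PowerShell, SNI and Host differ) and C3 (curl, no SNI) at high severity, and C7 (a browser with a plain mismatch) at medium. C5 shows that a non-standard port alone is not a mismatch, and C6 shows the allow list suppressing a mismatch whose Host is the organisation's own front end. The allow list is applied to the Host header rather than to the SNI on purpose: in a fronted session the SNI is the innocuous name and the Host is the real destination, so allow-listing by SNI would whitelist exactly the value the attacker controls.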
Unsigned or user-space apps initiate TLS connections with one hostname in the SNI and then request a different domain in the HTTP Host header, the pattern used in CDN-resident domain fronting.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | network, socket, and http logs |
| Process Creation (DC0032) | macos:osquery | process_events |

| Field | Description |
|---|---|
| UnsignedBinary | Weight findings by code-signing status; unsigned apps initiating fronted sessions are higher confidence than signed, notarized ones. |
| HostHeaderMatch | Threshold for flagging inconsistent domain targeting (SNI versus Host header) in decrypted sessions. |
| SOCKSPortAnomaly | Alert on unusual ports in combined HTTPS and SOCKS proxy activity from the same process. |
Traffic originating from ESXi hosts or their management interfaces shows SNI-to-Host mismatches. This is especially anomalous because a hypervisor normally talks to a small, predictable set of endpoints (vCenter, update repositories, vendor services), so outbound HTTPS outside that set already deserves scrutiny before the headers are compared.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Firewall | TLS/HTTP inspection |
| Process Creation (DC0032) | esxi:shell | /var/log/vmkernel.log, /var/log/vmkwarning.log |

| Field | Description |
|---|---|
| AdminPortAccess | ESXi hosts should rarely initiate external HTTPS; number of outbound sessions per host before alerting. |
| TLSHandshakeOutliers | Define what counts as an outlier handshake for a hypervisor (client fingerprint, cipher suite, or timing not previously seen from that host). |
| DomainMismatchThreshold | Tolerated rate of SNI/Host mismatch per host before alerting. |
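The ESXi analytic is a per-host threshold rather than a per-session comparison: a hypervisor's outbound HTTPS baseline is close to zero, so the tunables AdminPortAccess and DomainMismatchThreshold are evaluated over all of a host's external sessions in a time window. The following Python is an added example (not from this page or from ATT&CK) that applies both thresholds to constructed records from a TLS-inspecting firewall. The hypervisor inventory, internal ranges, and threshold values are assumptions, and the Host column is only present because the firewall is assumed to decrypt.

```python
"""Added example: per-host AdminPortAccess and DomainMismatchThreshold checks for
the ESXi analytic over constructed firewall records. Not from the original page."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed inventory of hypervisor management IPs and internal address ranges.
INFRA_HOSTS: Dict[str, str] = {"10.10.0.11": "esxi-01", "10.10.0.12": "esxi-02"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

ADMIN_PORT_ACCESS_MAX = 2         # AdminPortAccess: external HTTPS sessions per host per day tolerated
DOMAIN_MISMATCH_THRESHOLD = 0.25  # DomainMismatchThreshold: fraction of sessions with SNI != Host tolerated

# Constructed records from a TLS-inspecting firewall: (day, src, dst, sni, host).
# '-' marks an absent SNI. Addresses are documentation ranges.
FLOWS: List[Tuple[str, str, str, str, str]] = [
    ("2024-05-01", "10.10.0.11", "10.10.0.1",    "vcenter.corp.local",        "vcenter.corp.local"),  # internal, ignored
    ("2024-05-01", "10.10.0.11", "198.51.100.5", "hostupdate.vendor.example", "hostupdate.vendor.example"),
    ("2024-05-01", "10.10.0.11", "198.51.100.5", "hostupdate.vendor.example", "hostupdate.vendor.example"),
    ("2024-05-01", "10.10.0.12", "203.0.113.10", "www.example.org",           "www.example.org"),
    ("2024-05-01", "10.10.0.12", "203.0.113.10", "www.example.org",           "edge.example-cdn.net"),
    ("2024-05-01", "10.10.0.12", "203.0.113.10", "www.example.org",           "edge.example-cdn.net"),
    ("2024-05-01", "10.10.0.12", "203.0.113.10", "-",                         "edge.example-cdn.net"),
    ("2024-05-01", "10.0.0.50",  "203.0.113.10", "www.example.org",           "edge.example-cdn.net"),  # workstation, out of scope here
    ("2024-05-02", "10.10.0.12", "203.0.113.10", "www.example.org",           "www.example.org"),
]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def assess(flows: List[Tuple[str, str, str, str, str]],
           infra_hosts: Dict[str, str] = INFRA_HOSTS,
           max_sessions: int = ADMIN_PORT_ACCESS_MAX,
           mismatch_threshold: float = DOMAIN_MISMATCH_THRESHOLD) -> List[Tuple[str, str, str, float]]:
    """Return (day, host, alert_kind, value) for infrastructure hosts whose external
    HTTPS volume or SNI/Host mismatch rate exceeds the tunables."""
    total = defaultdict(int)       # (day, host) -> external sessions
    mismatched = defaultdict(int)  # (day, host) -> sessions with absent or differing SNI
    for day, src, dst, sni, host in flows:
        name = infra_hosts.get(src)
        if name is None or not is_external(dst):
            continue  # only hypervisors, only traffic leaving the internal ranges
        key = (day, name)
        total[key] += 1
        if sni == "-" or sni.lower() != host.lower():
            mismatched[key] += 1
    alerts: List[Tuple[str, str, str, float]] = []
    for key in sorted(total):
        day, name = key
        if total[key] > max_sessions:
            alerts.append((day, name, "admin_port_access", float(total[key])))
        ratio = mismatched[key] / total[key]
        if ratio > mismatch_threshold:
            alerts.append((day, name, "domain_mismatch", round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    for day, name, kind, value in assess(FLOWS):
        print(f"{day} {name}: {kind} = {value}")
```

On the constructed data esxi-01 stays quiet: its only external traffic is two sessions to a vendor update host with matching SNI and Host, and the vCenter session is internal and not counted. esxi-02 trips both thresholds on 2024-05-01 (four external sessions, three of them with an absent or differing SNI, a 0.75 mismatch rate) and nothing on 2024-05-02. The workstation's mismatched session is deliberately ignored because this analytic is scoped to infrastructure hosts; workstation traffic belongs to the per-session logic of the Windows and Linux analytics.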