1. Home
  2. Techniques
  3. Enterprise
  4. Proxy
  5. Domain Fronting

Proxy: Domain Fronting

ID Name
T1090.001 Internal Proxy
T1090.002 External Proxy
T1090.003 Multi-hop Proxy
T1090.004 Domain Fronting

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. [1] Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).

For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.

ID: T1090.004
Sub-technique of:  T1090
Tactic: Command and Control
Platforms: ESXi, Linux, Windows, macOS
Contributors: Matt Kelly, @breakersall
Version: 1.2
Created: 14 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0016 APT29

APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.[2]
S0154 Cobalt Strike

Cobalt Strike has the ability to accept a value for HTTP Host Header to enable domain fronting.[3]
S0175 meek

meek uses Domain Fronting to disguise the destination of network traffic as another server that is hosted in the same Content Delivery Network (CDN) as the intended destination.
S0699 Mythic

Mythic supports domain fronting via custom request headers.[4]

S0649 SMOKEDHAM

SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain.[5]

Mitigations

ID Mitigation Description
M1020 SSL/TLS Inspection

If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0196 Domain Fronting Behavior via Mismatched TLS SNI and HTTP Host Headers AN0564

Suspicious outbound HTTPS connections where the TLS Server Name Indication (SNI) does not match the HTTP Host header, indicating potential use of domain fronting to mask C2 traffic via CDNs.
AN0565

Applications such as curl, wget, or custom binaries initiate HTTPS connections where the TLS SNI is mismatched or absent while HTTP Host targets CDN-available C2 endpoints.
AN0566

Unsigned or user-space apps initiate TLS connections with one hostname and HTTP headers requesting a different domain, commonly abused in CDN-resident domain fronting techniques.
AN0567

Traffic originating from ESXi hosts or management interfaces displays SNI-to-Host mismatch behavior, particularly anomalous given typical infrastructure communication patterns.

References

  1. David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.
  2. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  3. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  1. Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.
  2. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.