analyst security skill risk: medium
Domain Fronting C2 Traffic Detector
Detects domain fronting C2 traffic by parsing proxy logs for SNI-Host header mismatches, extracting TLS certificate details with pyOpenSSL, identifying CDN-hosted connections, and…
SKILL 4 files · 2 folders
SKILL.md
--- name: hunting-for-domain-fronting-c2-traffic description: "Detect domain fronting C2 traffic by analyzing SNI vs HTTP Host header mismatches in proxy logs and TLS certificate" --- # Hunting for Domain Fronting C2 Traffic ## Overview Domain fronting (MITRE ATT&CK T1090.004) is a technique where attackers use different domain names in the TLS SNI field and the HTTP Host header to disguise C2 traffic behind legitimate CDN-hosted domains. This skill detects domain fronting by parsing proxy/web gateway logs for SNI-Host header mismatches, analyzing TLS certificates for CDN provider identification, flagging connections where the SNI points to a high-reputation domain but the Host header targets an attacker-controlled domain, and correlating with known CDN provider IP ranges. ## When to Use - When investigating security incidents that require hunting for domain fronting c2 traffic - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Web proxy or secure web gateway logs with SNI and Host header fields - Python 3.8+ with pyOpenSSL and cryptography libraries - TLS inspection enabled on proxy for Host header visibility - CDN provider IP range lists (CloudFront, Azure CDN, Cloudflare) ## Steps 1. Parse proxy logs for connections with both SNI and Host header fields 2. Compare SNI domain against HTTP Host header for mismatches 3. Extract TLS certificate Subject and SAN fields using pyOpenSSL 4. Identify CDN-hosted connections via certificate issuer and IP ranges 5. Flag high-confidence domain fronting where SNI and Host differ on CDN IPs 6. Score alerts based on domain reputation differential 7. Generate detection report with network flow context ## Expected Output JSON report containing detected domain fronting indicators with SNI-Host pairs, certificate details, CDN provider identification, confidence scores, and MITRE ATT&CK technique mapping.
REQUIRED CONTEXT
- web proxy or secure web gateway logs with SNI and Host header fields
- TLS inspection enabled
- CDN provider IP range lists
TOOLS REQUIRED
- code_execution
EXPECTED OUTPUT
- Format
- json
- Schema
- json_report · detected domain fronting indicators, SNI-Host pairs, certificate details, CDN provider identification, confidence scores, MITRE ATT&CK technique mapping
- Constraints
- include SNI-Host pairs
- include certificate details
- include CDN provider identification
- include confidence scores
- include MITRE ATT&CK technique mapping
SUCCESS CRITERIA
- Detect domain fronting C2 traffic by analyzing SNI vs HTTP Host header mismatches
- Generate detection report with network flow context
CAVEATS
- Dependencies
- Web proxy or secure web gateway logs with SNI and Host header fields
- Python 3.8+ with pyOpenSSL and cryptography libraries
- TLS inspection enabled on proxy for Host header visibility
- CDN provider IP range lists (CloudFront, Azure CDN, Cloudflare)
- Missing context
- Exact log format or sample entries to parse
- Source or method for obtaining domain reputation data
- Ambiguities
- 'Score alerts based on domain reputation differential' does not specify the scoring method or thresholds.
QUALITY
- OVERALL
- 0.72
- CLARITY
- 0.85
- SPECIFICITY
- 0.70
- REUSABILITY
- 0.60
- COMPLETENESS
- 0.75
IMPROVEMENT SUGGESTIONS
- Add a concrete example of input log lines and the corresponding JSON output.
- Define the reputation differential scoring formula or thresholds explicitly.
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
MORE FOR ANALYST
- CTI Analyst for Cybersecurity Project Revisionsanalystsecurity
- Malware Sandbox Evasion Techniques Analyzeranalystsecurity
- NetFlow Pandas Traffic Baselininganalystsecurity
- Data Staging Exfiltration Threat Hunteranalystsecurity
- NetFlow Security Anomaly Analyzeranalystsecurity
- PowerShell EVTX Script Block Analyzeranalystsecurity
- DNS-Based Persistence Hunting Proceduresanalystsecurity
- Heap Spray Exploitation Memory Dump Analyzeranalystsecurity
- PowerShell Empire Event Log Analyzeranalystsecurity
- Anomalous PowerShell Execution Hunting Guideanalystsecurity
- Zeek Conn.log Beaconing Pattern Detectoranalystsecurity
- API Gateway Access Log Attack Analyzeranalystsecurity
- Android APK Malware Static Analysisanalystsecurity
- Kubernetes Audit Log Security Analyzeranalystsecurity
- Cloud Storage Access Anomaly Detectoranalystsecurity
- Office 365 Audit Log Compromise Analyzeranalystsecurity
- Academic Research Brainstorm and Improvement Analyzeranalystresearch
- ML Missing Values Treatment Pipelineanalystanalysis
- Quantitative Sports Betting Edge Evaluatoranalystanalysis
- B2B Manufacturing Homepage Tech-SEO Diagnosticanalystanalysis
- OSINT US Surveillance Source Investigatoranalystresearch
- Curated Compendium of Cuckold BNWO Websitesanalystresearch
- US Indices Market News and Sentiment Reporteranalystfinance
- Technical Academic Paper Revieweranalystanalysis
- UX Landing Page Conversion Analyzeranalystanalysis