T1090.004

Domain Fronting

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation, 'domainless' fronting, utilizes a blank SNI field. Real-world actors including APT29 and tools like Cobalt Strike, Mythic, and SMOKEDHAM have leveraged domain fronting to hide C2 traffic behind legitimate CDN infrastructure.

Microsoft Sentinel / Defender

kusto

// Domain Fronting Detection — SNI/Host Header Mismatch and Behavioral Indicators
// Requires network proxy or TLS inspection logs forwarded to Sentinel
// Primary: Look for mismatches between TLS SNI and HTTP Host header in proxy/firewall logs
let KnownCDNDomains = dynamic([
  "azureedge.net", "cloudfront.net", "akamaiedge.net", "fastly.net",
  "cloudflare.com", "msecnd.net", "trafficmanager.net",
  "azurefd.net", "amazonaws.com", "googleusercontent.com"
]);
// Query 1: CommonSecurityLog (proxy/firewall with TLS inspection)
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceAction !in ("deny", "block")
| where RequestURL has "https://"
| extend DestinationDomain = tolower(DestinationHostName)
| extend RequestHostHeader = extract(@"Host:\s*([^\r\n]+)", 1, AdditionalExtensions)
| where isnotempty(RequestHostHeader)
| where DestinationDomain != tolower(RequestHostHeader)
| where DestinationDomain has_any (KnownCDNDomains) or RequestHostHeader has_any (KnownCDNDomains)
| extend SNIHost = DestinationDomain
| extend HTTPHost = tolower(RequestHostHeader)
| extend IsSNIBlank = (isempty(DestinationDomain) or DestinationDomain == "-")
| extend MismatchType = iff(IsSNIBlank, "Domainless_Fronting", "SNI_Host_Mismatch")
| project TimeGenerated, DeviceName, SourceIP, DestinationIP, SNIHost, HTTPHost,
          MismatchType, RequestURL, SourceUserName, BytesSent, BytesReceived,
          ApplicationProtocol, DeviceVendor
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Application Log: Application Log Content

Required Tables

CommonSecurityLog DeviceNetworkEvents

False Positives

Legitimate CDN-hosted applications that use different front-end domains for load balancing or A/B testing where SNI and Host headers intentionally differ
Corporate split-tunneling VPN configurations where internal proxy rewrites Host headers for SSL inspection purposes
Web application frameworks or reverse proxies (nginx, HAProxy) that modify Host headers for internal routing, appearing as mismatches in proxy logs
Content delivery architectures using shared CDN certificates where the certificate domain differs from the requested content domain by design

Splunk

spl

| union
[
search index=proxy OR index=firewall OR index=network sourcetype IN ("bluecoat:proxysg:access:kv", "squid", "pan:traffic", "cisco:asa", "forcepoint:web")
  | eval dest_host=lower(coalesce(cs_host, dst_host, desthost, DestinationHostname, x_host_ip))
  | eval http_host=lower(coalesce(cs_uri_stem, http_host_header, host_header))
  | rex field=_raw "Host:\s*(?P<parsed_host>[^\r\n\s]+)"
  | eval http_host=coalesce(http_host, lower(parsed_host))
  | eval sni_field=lower(coalesce(tls_sni, ssl_sni, dest_host))
  | where isnotnull(sni_field) AND isnotnull(http_host)
  | where sni_field != http_host
  | eval is_cdn_sni=if(match(sni_field, "(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com|trafficmanager\.net)"), 1, 0)
  | eval is_cdn_host=if(match(http_host, "(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com|trafficmanager\.net)"), 1, 0)
  | where is_cdn_sni=1 OR is_cdn_host=1
  | eval mismatch_type="SNI_Host_Mismatch"
  | table _time, src_ip, dest_ip, sni_field, http_host, mismatch_type, url, user, bytes_in, bytes_out, sourcetype
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (DestinationHostname="*.azureedge.net" OR DestinationHostname="*.cloudfront.net" OR DestinationHostname="*.akamaiedge.net" OR DestinationHostname="*.fastly.net" OR DestinationHostname="*.msecnd.net" OR DestinationHostname="*.azurefd.net")
  (Image="*\\tor.exe" OR Image="*\\meek.exe" OR Image="*\\obfs4proxy.exe" OR Image="*\\cobalt*" OR Image="*\\beacon*")
  | eval mismatch_type="Suspicious_Process_CDN_Connection"
  | eval src_ip=SourceIp, dest_ip=DestinationIp, sni_field=DestinationHostname, http_host="unknown"
  | table _time, host, User, Image, CommandLine, sni_field, dest_ip, mismatch_type
]
| eval detection_type="Domain_Fronting_T1090.004"
| sort - _time

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Process: Process Creation Sysmon Event ID 3

Required Sourcetypes

bluecoat:proxysg:access:kv pan:traffic XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate CDN-hosted applications that use different front-end domains for load balancing or A/B testing where SNI and Host headers intentionally differ
Corporate split-tunneling VPN configurations where internal proxy rewrites Host headers for SSL inspection purposes
Web application frameworks or reverse proxies that modify Host headers for internal routing
Security tools (web scanners, penetration testing platforms) that intentionally craft non-standard TLS/HTTP header combinations during authorized testing

Elastic Security (EQL)

eql

/* Domain Fronting Detection — T1090.004
   Requires proxy/network logs with TLS inspection forwarded to Elastic
   tls.client.server_name = TLS SNI extension value
   http.request.headers.host = HTTP Host header (requires proxy or packet inspection)
   Packetbeat, Zeek HTTP+SSL logs, or Elastic Agent network integration satisfy both fields
*/
network where event.category == "network"
  and event.type == "connection"
  and network.transport == "tcp"
  and destination.port == 443
  and tls.client.server_name != null
  and tls.client.server_name != ""
  and http.request.headers.host != null
  and http.request.headers.host != ""
  and tls.client.server_name != http.request.headers.host
  and (
    tls.client.server_name like~ "*.azureedge.net"
    or tls.client.server_name like~ "*.cloudfront.net"
    or tls.client.server_name like~ "*.akamaiedge.net"
    or tls.client.server_name like~ "*.fastly.net"
    or tls.client.server_name like~ "*.cloudflare.com"
    or tls.client.server_name like~ "*.msecnd.net"
    or tls.client.server_name like~ "*.azurefd.net"
    or tls.client.server_name like~ "*.amazonaws.com"
    or tls.client.server_name like~ "*.googleusercontent.com"
    or http.request.headers.host like~ "*.azureedge.net"
    or http.request.headers.host like~ "*.cloudfront.net"
    or http.request.headers.host like~ "*.akamaiedge.net"
    or http.request.headers.host like~ "*.fastly.net"
    or http.request.headers.host like~ "*.cloudflare.com"
    or http.request.headers.host like~ "*.msecnd.net"
    or http.request.headers.host like~ "*.azurefd.net"
    or http.request.headers.host like~ "*.amazonaws.com"
    or http.request.headers.host like~ "*.googleusercontent.com"
  )

high severity medium confidence

Data Sources

Packetbeat network flow data with TLS and HTTP dissection enabled Zeek network sensor logs (conn.log, ssl.log, http.log) ingested via Elastic Agent or Filebeat Web proxy logs (Squid, Bluecoat, Zscaler) forwarded to Elastic with both TLS SNI and HTTP Host fields parsed Elastic Agent network events with packet capture integration on sensor hosts

Required Tables

packetbeat-* logs-zeek.network_traffic-* logs-network_traffic.tls-* .ds-logs-endpoint.events.network-*

False Positives

Multi-tenant CDN configurations legitimately use different SNI and Host values for internal routing between edge PoPs — Azure Front Door and AWS CloudFront both employ this architecture for some enterprise customer deployments, generating high-volume benign matches
Corporate SSL inspection proxies (Zscaler, Netskope, Symantec Blue Coat) re-encrypt traffic and may rewrite or split TLS SNI and HTTP Host fields as a side-effect of their inspection pipeline, creating apparent mismatches that do not represent domain fronting
Mobile application SDKs and embedded frameworks (React Native, Flutter, Xamarin) frequently establish TLS sessions using a CDN apex domain in the SNI while sending per-service subdomains in the Host header for API routing — common in apps using Cloudflare or AWS infrastructure

IBM QRadar (AQL)

sql

/* Domain Fronting Detection — T1090.004
   Requires custom event properties defined in QRadar:
     'TLS SNI'         — the TLS Server Name Indication extension value from proxy/firewall logs
     'HTTP Host Header' — the HTTP Host header value from proxy logs
   Configure via: Admin > Custom Event Properties > Add Property (Regex extraction from raw log)
   Tested log source types: Blue Coat ProxySG (186), Squid (191), Zscaler (232), Forcepoint Web (261)
*/
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip AS src_ip,
  destinationip AS dest_ip,
  destinationport AS dest_port,
  username,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  QIDNAME(qid) AS event_name,
  "TLS SNI" AS tls_sni,
  "HTTP Host Header" AS http_host_header,
  CASE
    WHEN ("TLS SNI" IS NULL OR "TLS SNI" = '' OR "TLS SNI" = '-')
         AND "HTTP Host Header" IS NOT NULL
      THEN 'Domainless_Fronting'
    ELSE 'SNI_Host_Mismatch'
  END AS mismatch_type
FROM events
WHERE
  destinationport = 443
  AND "TLS SNI" IS NOT NULL
  AND "HTTP Host Header" IS NOT NULL
  AND LOWER("TLS SNI") != LOWER("HTTP Host Header")
  AND (
    LOWER("TLS SNI") LIKE '%azureedge.net%'
    OR LOWER("TLS SNI") LIKE '%cloudfront.net%'
    OR LOWER("TLS SNI") LIKE '%akamaiedge.net%'
    OR LOWER("TLS SNI") LIKE '%fastly.net%'
    OR LOWER("TLS SNI") LIKE '%cloudflare.com%'
    OR LOWER("TLS SNI") LIKE '%msecnd.net%'
    OR LOWER("TLS SNI") LIKE '%azurefd.net%'
    OR LOWER("TLS SNI") LIKE '%amazonaws.com%'
    OR LOWER("TLS SNI") LIKE '%googleusercontent.com%'
    OR LOWER("HTTP Host Header") LIKE '%azureedge.net%'
    OR LOWER("HTTP Host Header") LIKE '%cloudfront.net%'
    OR LOWER("HTTP Host Header") LIKE '%akamaiedge.net%'
    OR LOWER("HTTP Host Header") LIKE '%fastly.net%'
    OR LOWER("HTTP Host Header") LIKE '%cloudflare.com%'
    OR LOWER("HTTP Host Header") LIKE '%msecnd.net%'
    OR LOWER("HTTP Host Header") LIKE '%azurefd.net%'
    OR LOWER("HTTP Host Header") LIKE '%amazonaws.com%'
    OR LOWER("HTTP Host Header") LIKE '%googleusercontent.com%'
  )
START '2000-01-01 00:00' STOP NOW
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM event pipeline — proxy log sources (Blue Coat ProxySG, Squid, Zscaler, Forcepoint) Next-generation firewall logs with TLS inspection (Palo Alto Networks, Fortinet FortiGate, Check Point) Network IDS/IPS logs with SSL inspection (Sourcefire, Cisco Firepower)

Required Tables

events (QRadar normalized event store) Custom Event Properties: 'TLS SNI', 'HTTP Host Header' (must be defined and enabled per log source)

False Positives

Azure Front Door and Azure CDN services serving enterprise SaaS tenants routinely use a shared TLS certificate with an azurefd.net or azureedge.net SNI while routing requests to customer-specific Origin Host headers — this is documented CDN behaviour for multi-tenant ingress, not an attack
Content delivery architectures for streaming media (video CDNs, game update distribution) frequently negotiate TLS at a CDN edge PoP with one SNI while the HTTP-layer Host header identifies the origin backend, producing systematic false positives for specific destination IP ranges
Load balancer health checks and synthetic monitoring agents (Pingdom, Datadog Synthetics, AWS Route53 health checks) may probe HTTPS endpoints with mismatched SNI and Host values as a side-effect of monitoring CDN-fronted applications

Sumo Logic CSE

sql

/* Domain Fronting Detection — T1090.004
   Adjust _sourceCategory values to match your proxy/firewall log categories.
   The query handles two cases:
     (a) Structured logs where tls_sni and http_host are pre-parsed fields
     (b) Raw logs requiring regex extraction of Host header and TLS SNI
   For Sumo Logic CSE (Cloud SIEM Enterprise), replace field names with
   CSE normalized schema: srcDevice_ip, dstDevice_ip, http_url, user_username
*/
(_sourceCategory=network/proxy OR _sourceCategory=network/firewall
 OR _sourceCategory=proxy/bluecoat OR _sourceCategory=proxy/zscaler
 OR _sourceCategory=proxy/squid OR _sourceCategory=proxy/mcafee)
| parse regex field=_raw "\bHost:\s*(?P<parsed_http_host>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)tls[_\-]sni[=:\s]+(?P<parsed_tls_sni>[^\s,;|]+)" nodrop
| eval http_host = if(!isNull(http_host), http_host,
    if(!isNull(parsed_http_host), trim(parsed_http_host), null))
| eval tls_sni = if(!isNull(tls_sni), tls_sni,
    if(!isNull(parsed_tls_sni), trim(parsed_tls_sni), null))
| where !isNull(tls_sni) and tls_sni != ""
| where !isNull(http_host) and http_host != ""
| where toLowerCase(tls_sni) != toLowerCase(http_host)
| where tls_sni matches /(?i)(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com)/
   OR http_host matches /(?i)(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com)/
| eval mismatch_type = if(tls_sni == "-" or tls_sni == "", "Domainless_Fronting", "SNI_Host_Mismatch")
| eval src_ip  = coalesce(src_ip, c_ip, sourceip, srcip, "unknown")
| eval dest_ip = coalesce(dest_ip, s_ip, destip, dstip, "unknown")
| fields _messageTime, src_ip, dest_ip, tls_sni, http_host, mismatch_type, url, user
| sort by _messageTime desc

high severity medium confidence

Data Sources

Web proxy logs: Blue Coat ProxySG (KV or W3C format), Zscaler Internet Access (JSON), Squid (combined log format), McAfee Web Gateway Next-gen firewall logs with SSL inspection: Palo Alto Networks (TRAFFIC + URL logs), Fortinet FortiGate Sumo Logic CSE (Cloud SIEM Enterprise) normalized network event records

Required Tables

_sourceCategory=network/proxy (or equivalent per-environment category) _sourceCategory=network/firewall sec_record_* (Sumo Logic CSE normalized records)

False Positives

SaaS application platforms (Salesforce, Workday, ServiceNow) that deploy across multiple CDN providers may exhibit SNI/Host divergence for legitimate API traffic, particularly during CDN failover or geographic routing changes — these generate consistent false positives from specific known IP ranges
Browser HTTP/2 connection coalescing causes a single TLS session (with one SNI) to be reused for multiple requests to different hostnames sharing the same CDN IP address, producing apparent mismatches at the proxy layer that are an HTTP/2 protocol artifact rather than an attack
Third-party tag management systems (Google Tag Manager, Adobe Launch, Tealium) that serve JavaScript payloads via CDN often negotiate TLS with a CDN apex domain while the embedded scripts fetch from distinct product subdomains, creating persistent low-volume false positives from browser sessions

Google Chronicle / SecOps

yaral

rule domain_fronting_sni_host_mismatch_t1090_004 {
  meta:
    author          = "Detection Engineering"
    description     = "Detects domain fronting (T1090.004) via mismatch between the TLS SNI extension and the HTTP Host header in HTTPS connections traversing known CDN providers. Technique used by APT29 and tooling including Cobalt Strike, Mythic, and SMOKEDHAM to hide C2 traffic behind legitimate CDN certificate chains."
    mitre_attack_tactic    = "Command and Control"
    mitre_attack_technique = "T1090.004"
    severity        = "HIGH"
    confidence      = "MEDIUM"
    platforms       = "Windows, Linux, macOS"
    data_sources    = "Network proxy logs, TLS inspection logs forwarded to Chronicle"
    version         = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.application_protocol = "HTTPS"

    // Bind SNI and HTTP Host to variables for comparison
    $sni  = $e.network.tls.client.server_name
    $host = $e.target.hostname

    // Both fields must be populated and differ from each other
    $sni  != ""
    $host != ""
    $sni  != $host

    // At least one of the two must be a known CDN domain
    (
      re.regex($sni,  `(?i)(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com)`) or
      re.regex($host, `(?i)(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com)`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM — NETWORK_HTTP events from proxy/firewall log feeds Web proxy logs ingested via Chronicle forwarder with TLS+HTTP parser (Blue Coat, Zscaler, Squid) Palo Alto Networks URL Filtering and Threat logs forwarded to Chronicle with TLS inspection fields Zeek network sensor logs ingested via Chronicle with ssl.log + http.log correlation

Required Tables

Chronicle UDM event type: NETWORK_HTTP UDM fields required: network.tls.client.server_name, target.hostname, network.application_protocol

False Positives

Google Cloud CDN, Firebase Hosting, and Google APIs use infrastructure where TLS SNI may reference a googleapis.com or googleusercontent.com edge domain while the HTTP Host header reflects a customer-specific bucket or API endpoint — high-volume false positives expected from Google Workspace and GCP workloads
Microsoft Azure Front Door serves enterprise tenants with wildcard TLS certificates presenting azurefd.net or azureedge.net in the SNI while routing requests to customer Origin Host headers — expected for any org with Azure Front Door-fronted applications
Akamai SureRoute and NetSession technologies used by software vendors (Adobe, Microsoft, Autodesk) for large file delivery legitimately produce SNI/Host mismatches as part of Akamai's internal CDN routing between edge and parent cache nodes

CrowdStrike LogScale (CQL)

cql

// Domain Fronting Behavioral Detection — T1090.004
// CrowdStrike Falcon + LogScale (Humio) CQL
//
// IMPORTANT: Falcon endpoint telemetry operates at the host kernel level and
// cannot directly observe TLS SNI vs HTTP Host header mismatches — that
// distinction requires network/proxy-layer inspection.
//
// This query detects the behavioral correlate: LOLBins and known C2-capable
// process images making DNS requests to CDN domains, which is the endpoint-
// visible signal for domain fronting C2 activity (matching the Sysmon EventCode=3
// pattern from the reference SPL). For full SNI/Host mismatch detection, also
// ingest Zscaler, Bluecoat, or similar proxy logs into your LogScale repository.
//
// Query: DnsRequest events for CDN domains correlated with suspicious processes

#event_simpleName=DnsRequest
| DomainName = /(?i)(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com)/
| join(
    {
      #event_simpleName=ProcessRollup2
      | ImageFileName = /(?i)(powershell|cmd|rundll32|regsvr32|mshta|wscript|cscript|certutil|bitsadmin|curl|wget|python|ruby|perl|java|msbuild|installutil|regasm|regsvcs|cmstp)\.exe/
    },
    field=[aid, ContextProcessId],
    key=[aid, TargetProcessId],
    mode=inner
  )
| eval detection_type = "Suspicious_Process_CDN_DNS_T1090.004"
| select([_time, ComputerName, UserName, ImageFileName, CommandLine, DomainName, RemoteAddressIP4, detection_type])
| sort(field=_time, order=desc)

high severity low confidence

Data Sources

CrowdStrike Falcon endpoint telemetry — DnsRequest events (kernel-level DNS interception) CrowdStrike Falcon endpoint telemetry — ProcessRollup2 events (process creation with full image path and command line) CrowdStrike Falcon endpoint telemetry — NetworkConnectIP4 events (outbound TCP/UDP connections) Web proxy logs ingested into LogScale repository (for complementary SNI/Host mismatch detection)

Required Tables

Falcon telemetry stream: #event_simpleName=DnsRequest Falcon telemetry stream: #event_simpleName=ProcessRollup2 Falcon telemetry stream: #event_simpleName=NetworkConnectIP4 (optional enrichment)

False Positives

Developer toolchains (Python pip, npm, Cargo, Maven, Gradle) invoke python.exe, java.exe, or curl.exe to download packages from CDN-hosted registries (PyPI via fastly.net, npm via cloudflare.com) during builds and dependency resolution — these generate continuous high-volume matches on developer workstations and CI/CD build agents
IT management platforms (Microsoft Intune, SCCM, Tanium, Crowdstrike itself) use PowerShell and cmd.exe internally to download policy updates, agent upgrades, and configuration payloads from CDN infrastructure — expect persistent false positives from management-initiated processes on all managed endpoints
Endpoint security products (EDRs, AV engines, DLP agents) frequently spawn certutil.exe, powershell.exe, or embedded runtimes to retrieve threat intelligence updates, signature databases, and telemetry endpoints from CDN-hosted infrastructure — these are indistinguishable from suspicious activity at the process+DNS level alone

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1090.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Domain Fronting

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections