Detect Domain Fronting in CrowdStrike LogScale
Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation, 'domainless' fronting, utilizes a blank SNI field. Real-world actors including APT29 and tools like Cobalt Strike, Mythic, and SMOKEDHAM have leveraged domain fronting to hide C2 traffic behind legitimate CDN infrastructure.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1090 Proxy
- Sub-technique: T1090.004 Domain Fronting
- Canonical reference: https://attack.mitre.org/techniques/T1090/004/
LogScale Detection Query
```
// Domain Fronting Behavioral Detection — T1090.004
// CrowdStrike Falcon + LogScale (Humio) CQL
//
// IMPORTANT: Falcon endpoint telemetry operates at the host kernel level and
// cannot directly observe TLS SNI vs HTTP Host header mismatches — that
// distinction requires network/proxy-layer inspection.
//
// This query detects the behavioral correlate: LOLBins and known C2-capable
// process images making DNS requests to CDN domains, which is the endpoint-
// visible signal for domain fronting C2 activity (matching the Sysmon EventCode=3
// pattern from the reference SPL). For full SNI/Host mismatch detection, also
// ingest Zscaler, Bluecoat, or similar proxy logs into your LogScale repository.
//
// Query: DnsRequest events for CDN domains correlated with suspicious processes
#event_simpleName=DnsRequest
| DomainName = /(?i)(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com)/
| join(
    {
      #event_simpleName=ProcessRollup2
      | ImageFileName = /(?i)(powershell|cmd|rundll32|regsvr32|mshta|wscript|cscript|certutil|bitsadmin|curl|wget|python|ruby|perl|java|msbuild|installutil|regasm|regsvcs|cmstp)\.exe/
    },
    field=[aid, ContextProcessId],   // fields on the primary (DnsRequest) events
    key=[aid, TargetProcessId],      // matching fields on the ProcessRollup2 subquery
    mode=inner
  )
// LogScale assigns a literal with := (Splunk's "eval x = ..." is not valid CQL)
| detection_type := "Suspicious_Process_CDN_DNS_T1090.004"
// LogScale's event timestamp field is @timestamp, not Splunk's _time
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, DomainName, RemoteAddressIP4, detection_type])
| sort(field=@timestamp, order=desc)
```

This CrowdStrike Falcon LogScale CQL query detects behavioral indicators of domain fronting (T1090.004) from Falcon endpoint telemetry. Because Falcon agents capture events at the kernel level and cannot observe TLS SNI vs HTTP Host header differences (which require network-layer inspection), the query detects the endpoint-visible proxy signal instead: LOLBins, scripting engines, and known C2-capable processes making DNS requests to known CDN provider domains. This maps to the Sysmon EventCode=3 / suspicious-process CDN connection logic in the reference SPL. The join correlates DnsRequest events (which capture the queried domain) with ProcessRollup2 events (which capture the full process image path and command line) on (aid, ContextProcessId) = (aid, TargetProcessId); joining on aid as well as the process id prevents a process id reused on another host from matching. For comprehensive domain fronting detection in LogScale, complement this query by ingesting proxy logs (Zscaler, Bluecoat) that expose the SNI/Host mismatch directly.
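To make both halves of the detection concrete, here is an added Python example (written for this page, not the page's own query and not CrowdStrike code) that performs the same (aid, ContextProcessId) to (aid, TargetProcessId) join over constructed Falcon-style events, then applies the proxy-layer SNI/Host check the endpoint query cannot make; the sample proxy records follow the Test 1 and Test 4 shapes from the Testing Methodology, and every aid, process id and domain name is constructed.

```python
import re
# Added example, not the page's or CrowdStrike's code; every event below is constructed.
CDN_RE = re.compile(r"(?i)\.(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|"
                    r"msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com)$")
LOLBIN_RE = re.compile(r"(?i)\\(powershell|cmd|rundll32|regsvr32|mshta|wscript|cscript|certutil|bitsadmin|"
                       r"curl|wget|python|ruby|perl|java|msbuild|installutil|regasm|regsvcs|cmstp)\.exe$")
# Falcon-style events: DnsRequest carries ContextProcessId, ProcessRollup2 carries TargetProcessId.
DNS_EVENTS = [
    {"aid": "a1", "ContextProcessId": "1001", "DomainName": "legitimate-front.azureedge.net"},
    {"aid": "a1", "ContextProcessId": "1002", "DomainName": "legitimate-front.azureedge.net"},
    {"aid": "a1", "ContextProcessId": "1001", "DomainName": "intranet.corp.example"},
    {"aid": "a2", "ContextProcessId": "1001", "DomainName": "d111111abcdef8.cloudfront.net"},  # same pid, other host
]
PROC_EVENTS = [
    {"aid": "a1", "TargetProcessId": "1001", "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"aid": "a1", "TargetProcessId": "1002", "ImageFileName": r"\Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe"},
]
# Proxy records with TLS inspection: SNI from the ClientHello, Host from the decrypted HTTP request.
PROXY_RECORDS = [
    {"sni": "legitimate-front.azureedge.net", "host": "different-domain.azureedge.net"},  # Test 1 shape
    {"sni": "", "host": "target-domain.cloudfront.net"},                                 # Test 4 shape
    {"sni": "d111111abcdef8.cloudfront.net", "host": "d111111abcdef8.cloudfront.net"},  # benign CDN fetch
    {"sni": "intranet.corp.example", "host": "intranet.corp.example"},                  # not CDN-hosted
]

def correlate_cdn_dns(dns_events, proc_events):
    """Inner join on (aid, ContextProcessId) = (aid, TargetProcessId), as in the query above.
    Joining on aid as well stops a pid reused on another host (a2/1001) from matching."""
    procs = {(p["aid"], p["TargetProcessId"]): p for p in proc_events}
    hits = []
    for d in dns_events:
        proc = procs.get((d["aid"], d["ContextProcessId"]))
        if proc and CDN_RE.search(d["DomainName"]) and LOLBIN_RE.search(proc["ImageFileName"]):
            hits.append({**d, "ImageFileName": proc["ImageFileName"],
                         "detection_type": "Suspicious_Process_CDN_DNS_T1090.004"})
    return hits

def sni_host_findings(proxy_records):
    """Proxy-layer check the endpoint cannot make: Host header differs from SNI (classic
    fronting), or SNI is blank / '-' ('domainless' fronting), on CDN-terminated traffic."""
    findings = []
    for r in proxy_records:
        sni, host = r.get("sni", "").strip(), r["host"].strip()
        if not (CDN_RE.search(host) or CDN_RE.search(sni)):
            continue  # the Host header only steers routing when a shared CDN edge terminates TLS
        if sni in ("", "-"):
            findings.append((host, "domainless_fronting"))
        elif sni.lower() != host.lower():
            findings.append((host, "sni_host_mismatch"))
    return findings
```

The endpoint correlation yields only the powershell.exe lookup on host a1; the browser lookup, the non-CDN lookup and the pid collision on a2 all drop out, while the proxy check separates the Host/SNI mismatch from the blank-SNI case.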
Data Sources
Required Tables
False Positives & Tuning
- Developer toolchains (Python pip, npm, Cargo, Maven, Gradle) invoke python.exe, java.exe, or curl.exe to download packages from CDN-hosted registries (PyPI via fastly.net, npm via cloudflare.com) during builds and dependency resolution — these generate continuous high-volume matches on developer workstations and CI/CD build agents
- IT management platforms (Microsoft Intune, SCCM, Tanium, CrowdStrike itself) use PowerShell and cmd.exe internally to download policy updates, agent upgrades, and configuration payloads from CDN infrastructure — expect persistent false positives from management-initiated processes on all managed endpoints
- Endpoint security products (EDRs, AV engines, DLP agents) frequently spawn certutil.exe, powershell.exe, or embedded runtimes to retrieve threat intelligence updates, signature databases, and telemetry endpoints from CDN-hosted infrastructure — these are indistinguishable from suspicious activity at the process+DNS level alone
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Domain Fronting HTTP Request with curl
  Expected signal: Sysmon Event ID 3 (Network Connection): connection to an azureedge.net IP. Network proxy logs (if TLS inspection is enabled): SNI=legitimate-front.azureedge.net, Host header=different-domain.azureedge.net, a mismatch. DNS query for legitimate-front.azureedge.net logged in Sysmon Event ID 22.
- Test 2: Install and Run meek-client (Tor Domain Fronting Plugin)
  Expected signal: Sysmon Event ID 1: meek-client.exe process creation with -WindowStyle Hidden equivalent arguments, including --front=ajax.aspnetcdn.com and --url=https://meek.azureedge.net/. Sysmon Event ID 3: meek-client.exe connecting to azureedge.net on port 443. Sysmon Event ID 22: DNS queries for ajax.aspnetcdn.com and meek.azureedge.net. PowerShell Event ID 4104 from the Invoke-WebRequest download cradle.
- Test 3: Cobalt Strike-style Domain Fronting HTTP Request via PowerShell
  Expected signal: Sysmon Event ID 3: powershell.exe network connection to ajax.aspnetcdn.com (IP of the CDN). Sysmon Event ID 22: DNS query for ajax.aspnetcdn.com. Process Event ID 1 for PowerShell with the above CommandLine. Proxy logs (with TLS inspection): Host header value 'c2.attacker-domain.example.com' visible separately from SNI 'ajax.aspnetcdn.com'; the mismatch triggers the alert.
- Test 4: Detect Domainless Fronting via Blank SNI Field
  Expected signal: Network logs: TLS ClientHello packet with no SNI extension (empty server_name field in the TLS handshake). Proxy logs: destination hostname blank or '-' in the SNI field, while the HTTP Host header contains 'target-domain.cloudfront.net'. Sysmon Event ID 3: connection to a cloudfront.net IP without an associated hostname from DNS.
References (10)
- https://attack.mitre.org/techniques/T1090/004/
- http://www.icir.org/vern/papers/meek-PETS-2015.pdf
- https://www.mandiant.com/resources/blog/no-easy-breach-dhs-and-apt29
- https://www.cobaltstrike.com/blog/cobalt-strike-and-malleaable-c2-profiles/
- https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944
- https://digi.ninja/blog/domain_fronting.php
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
- https://github.com/api0cradle/LOLBAS
- https://unit42.paloaltonetworks.com/domain-fronting/
- https://skylightcyber.com/2019/07/18/cobalt-strike-for-the-win/