T1090.004 Sumo Logic CSE · Sumo

Detect Domain Fronting in Sumo Logic CSE

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation, 'domainless' fronting, utilizes a blank SNI field. Real-world actors including APT29 and tools like Cobalt Strike, Mythic, and SMOKEDHAM have leveraged domain fronting to hide C2 traffic behind legitimate CDN infrastructure.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1090 Proxy
Sub-technique
T1090.004 Domain Fronting
Canonical reference
https://attack.mitre.org/techniques/T1090/004/

Sumo Detection Query

Sumo Logic CSE (Sumo) query:

/* Domain Fronting Detection, T1090.004
   Adjust _sourceCategory values to match your proxy/firewall log categories.
   The query handles two cases:
     (a) Structured logs where tls_sni and http_host are pre-parsed fields
     (b) Raw logs requiring regex extraction of Host header and TLS SNI
   Proxies that record an empty SNI as "-" surface as Domainless_Fronting;
   records with no SNI value at all (typically no TLS inspection) are dropped
   rather than flagged, to avoid alerting on every uninspected CDN request.
   For Sumo Logic CSE (Cloud SIEM Enterprise), replace field names with
   CSE normalized schema: srcDevice_ip, dstDevice_ip, http_url, user_username
*/
(_sourceCategory=network/proxy OR _sourceCategory=network/firewall
 OR _sourceCategory=proxy/bluecoat OR _sourceCategory=proxy/zscaler
 OR _sourceCategory=proxy/squid OR _sourceCategory=proxy/mcafee)
// Sumo parse regex uses Java named groups (?<name>...), not (?P<name>...)
| parse regex field=_raw "\bHost:\s*(?<parsed_http_host>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)tls[_\-]sni[=:\s]+(?<parsed_tls_sni>[^\s,;|]+)" nodrop
// Prefer the pre-parsed field, fall back to the regex capture, else empty string
| if(!isNull(http_host), http_host, if(!isNull(parsed_http_host), trim(parsed_http_host), "")) as http_host
| if(!isNull(tls_sni), tls_sni, if(!isNull(parsed_tls_sni), trim(parsed_tls_sni), "")) as tls_sni
| where tls_sni != "" and http_host != ""
// Case-insensitive comparison: SNI and Host normally agree
| where toLowerCase(tls_sni) != toLowerCase(http_host)
// Only flag when a CDN is involved on either side (aspnetcdn.com added: Tests 2 and 3 below use it)
| where tls_sni matches /(?i)(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com|aspnetcdn\.com)/
   or http_host matches /(?i)(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com|aspnetcdn\.com)/
| if(tls_sni = "-", "Domainless_Fronting", "SNI_Host_Mismatch") as mismatch_type
| coalesce(src_ip, c_ip, sourceip, srcip, "unknown") as src_ip
| coalesce(dest_ip, s_ip, destip, dstip, "unknown") as dest_ip
| fields _messageTime, src_ip, dest_ip, tls_sni, http_host, mismatch_type, url, user
| sort by _messageTime desc

Severity: high. Confidence: medium.

Sumo Logic query detecting domain fronting (T1090.004) by parsing TLS SNI and HTTP Host header fields from web proxy and firewall logs. The query handles both pre-parsed structured log formats (where tls_sni and http_host are already extracted fields) and unstructured raw logs (where the query uses regex to extract them). Fires when a CDN domain appears in either the SNI or Host field but the two values diverge, matching the primary signal for domain fronting C2 traffic. Also detects domainless fronting where the SNI field is absent or blank. Works with Blue Coat ProxySG (KV pairs), Zscaler (JSON), Squid (combined log), and McAfee Web Gateway log formats.
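The query itself cannot be run outside Sumo Logic, so the following added example (not part of the original page) reimplements its decision logic in Python so a detection engineer can unit-test it against constructed proxy records before deploying. It mirrors the two-source field resolution (pre-parsed field first, regex fallback), the case-insensitive SNI/Host comparison, the CDN scoping (with aspnetcdn.com added because Tests 2 and 3 use it), and the "-" convention for domainless fronting; the sample records are constructed, not real traffic.

```python
import re
from typing import Optional, Tuple

# CDN suffixes scoped by the detection; aspnetcdn.com added for the page's tests
CDN_RE = re.compile(
    r"(?i)(azureedge\.net|cloudfront\.net|akamaiedge\.net|fastly\.net|cloudflare\.com"
    r"|msecnd\.net|azurefd\.net|amazonaws\.com|googleusercontent\.com|aspnetcdn\.com)"
)
# Same extraction patterns as the query's two parse regex stages
HOST_RE = re.compile(r"\bHost:\s*(?P<host>[^\r\n]+)")
SNI_RE = re.compile(r"(?i)tls[_\-]sni[=:\s]+(?P<sni>[^\s,;|]+)")


def extract_fields(record: dict, raw: str) -> Tuple[str, str]:
    """Pre-parsed field wins; otherwise regex-extract from the raw line; else ''."""
    host = record.get("http_host")
    if host is None:
        m = HOST_RE.search(raw)
        host = m.group("host").strip() if m else ""
    sni = record.get("tls_sni")
    if sni is None:
        m = SNI_RE.search(raw)
        sni = m.group("sni").strip() if m else ""
    return sni, host


def classify(record: dict, raw: str = "") -> Optional[str]:
    """Return the query's mismatch_type, or None when the record is filtered out."""
    sni, host = extract_fields(record, raw)
    if not sni or not host:            # no SNI/Host recorded (e.g. no TLS inspection)
        return None
    if sni.lower() == host.lower():    # ordinary TLS: SNI and Host agree
        return None
    if not (CDN_RE.search(sni) or CDN_RE.search(host)):
        return None                    # mismatch with no CDN involved: out of scope
    return "Domainless_Fronting" if sni == "-" else "SNI_Host_Mismatch"


# Constructed sample records (structured dicts and one raw line), not real traffic
SAMPLES = [
    ({"tls_sni": "legit-front.azureedge.net", "http_host": "other.azureedge.net"}, ""),
    ({"tls_sni": "-", "http_host": "target.cloudfront.net"}, ""),
    ({"tls_sni": "Cdn.Azureedge.net", "http_host": "cdn.azureedge.net"}, ""),
    ({}, "tls_sni=ajax.aspnetcdn.com Host: c2.attacker-domain.example.com"),
    ({"tls_sni": "a.example.com", "http_host": "b.example.com"}, ""),
]


def run_samples() -> list:
    """Classify every sample; expected: mismatch, domainless, None, mismatch, None."""
    return [classify(rec, raw) for rec, raw in SAMPLES]
```

Running the samples shows the third record (same host, different case) and the fifth (mismatch without any CDN) are correctly suppressed, which is the behaviour to keep in mind when tuning the CDN list.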

Data Sources

  • Web proxy logs: Blue Coat ProxySG (KV or W3C format), Zscaler Internet Access (JSON), Squid (combined log format), McAfee Web Gateway
  • Next-gen firewall logs with SSL inspection: Palo Alto Networks (TRAFFIC + URL logs), Fortinet FortiGate
  • Sumo Logic CSE (Cloud SIEM Enterprise) normalized network event records

Required Tables

  • _sourceCategory=network/proxy (or equivalent per-environment category)
  • _sourceCategory=network/firewall
  • sec_record_* (Sumo Logic CSE normalized records)

False Positives & Tuning

  • SaaS application platforms (Salesforce, Workday, ServiceNow) that deploy across multiple CDN providers may exhibit SNI/Host divergence for legitimate API traffic, particularly during CDN failover or geographic routing changes — these generate consistent false positives from specific known IP ranges
  • Browser HTTP/2 connection coalescing causes a single TLS session (with one SNI) to be reused for multiple requests to different hostnames sharing the same CDN IP address, producing apparent mismatches at the proxy layer that are an HTTP/2 protocol artifact rather than an attack
  • Third-party tag management systems (Google Tag Manager, Adobe Launch, Tealium) that serve JavaScript payloads via CDN often negotiate TLS with a CDN apex domain while the embedded scripts fetch from distinct product subdomains, creating persistent low-volume false positives from browser sessions
Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Domain Fronting HTTP Request with curl

    Expected signal: Sysmon Event ID 3 (Network Connection): connection to azureedge.net IP. Network proxy logs (if TLS inspection enabled): SNI=legitimate-front.azureedge.net, Host header=different-domain.azureedge.net — mismatch detected. DNS query for legitimate-front.azureedge.net logged in Sysmon Event ID 22.

  2. Test 2: Install and Run meek-client (Tor Domain Fronting Plugin)

    Expected signal: Sysmon Event ID 1: meek-client.exe process creation with -WindowStyle Hidden equivalent arguments including --front=ajax.aspnetcdn.com and --url=https://meek.azureedge.net/. Sysmon Event ID 3: meek-client.exe connecting to azureedge.net on port 443. Sysmon Event ID 22: DNS queries for ajax.aspnetcdn.com and meek.azureedge.net. PowerShell Event ID 4104 from the Invoke-WebRequest download cradle.

  3. Test 3: Cobalt Strike-style Domain Fronting HTTP Request via PowerShell

    Expected signal: Sysmon Event ID 3: powershell.exe network connection to ajax.aspnetcdn.com (IP of CDN). Sysmon Event ID 22: DNS query for ajax.aspnetcdn.com. Process Event ID 1 for PowerShell with above CommandLine. Proxy logs (with TLS inspection): Host header value 'c2.attacker-domain.example.com' visible separately from SNI 'ajax.aspnetcdn.com' — mismatch triggers alert.

  4. Test 4: Detect Domainless Fronting via Blank SNI Field

    Expected signal: Network logs: TLS ClientHello packet with no SNI extension (empty server_name field in TLS handshake). Proxy logs: destination hostname blank or '-' in the SNI field, while HTTP Host header contains 'target-domain.cloudfront.net'. Sysmon Event ID 3: connection to cloudfront.net IP without associated hostname from DNS.
