Skill

hunting-for-domain-fronting-c2-traffic

From asi

Detects domain fronting C2 traffic by analyzing SNI vs HTTP Host mismatches in proxy logs and TLS certificates using pyOpenSSL. For threat hunting and network security analysis.

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Domain fronting (MITRE ATT&CK T1090.004) is a technique where attackers use different domain names in the TLS SNI field and the HTTP Host header to disguise C2 traffic behind legitimate CDN-hosted domains. This skill detects domain fronting by parsing proxy/web gateway logs for SNI-Host header mismatches, analyzing TLS certificates for CDN provider identification, flagging connections where the...

SKILL.md

Similar Skills

hunting-for-domain-fronting-c2-traffic

5.9k

Detects domain fronting C2 traffic in proxy logs via SNI-Host mismatches and TLS cert inspection with pyOpenSSL. Flags CDN-disguised threats for SOC threat hunting.

3 files

cybersecurity-skills

hunting-for-domain-fronting-c2-traffic

Detects domain fronting C2 traffic by analyzing proxy logs for SNI and HTTP Host mismatches, using pyOpenSSL for TLS certificate inspection and CDN provider identification. Useful for threat hunting.

3 files

cybersecurity-skills-zh

hunting-for-command-and-control-beaconing

Detects C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation to identify compromised endpoints. Useful for threat hunting and incident response on suspicious connections.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Hunting for Domain Fronting C2 Traffic

Overview

When to Use

When investigating security incidents that require hunting for domain fronting c2 traffic

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Web proxy or secure web gateway logs with SNI and Host header fields

Python 3.8+ with pyOpenSSL and cryptography libraries

TLS inspection enabled on proxy for Host header visibility

CDN provider IP range lists (CloudFront, Azure CDN, Cloudflare)

Steps

Parse proxy logs for connections with both SNI and Host header fields

Compare SNI domain against HTTP Host header for mismatches

Extract TLS certificate Subject and SAN fields using pyOpenSSL

Identify CDN-hosted connections via certificate issuer and IP ranges

Flag high-confidence domain fronting where SNI and Host differ on CDN IPs

Score alerts based on domain reputation differential

Generate detection report with network flow context

Expected Output

JSON report containing detected domain fronting indicators with SNI-Host pairs, certificate details, CDN provider identification, confidence scores, and MITRE ATT&CK technique mapping.