[RedTeam] C2 Redirector — Domain Fronting Setup (Azure)

bigb0ss
7 min read · Feb 8, 2021

Intro

What is Domain Fronting?

Domain fronting makes the C2 (Command and Control) traffic leaving the victim computer look as if it is calling out to a highly trusted domain, while it is actually calling back to the attacker's C2 server.

Why is CDN used for Domain Fronting?

CDN (Content Delivery Network) domains are usually highly trusted, and it is difficult to block them wholesale because doing so would cut end users off from legitimate websites. For this reason, CDN domains are in many cases a good choice for establishing an egress connection out of a victim's network.
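The property the two paragraphs above describe also gives defenders their main handle on the technique: a fronted connection negotiates TLS for the trusted CDN hostname (the SNI), but the HTTP Host header inside the tunnel names a different, CDN-hosted origin. The script below is an added example written for this article, not code from the original post; it scans constructed proxy log records (space-separated `key=value` fields, a format assumed for the demo) for SNI/Host mismatches, applies an allowlist for known-benign pairs, and groups the remaining hits per source so repeated check-ins stand out.

```python
"""Flag TLS SNI / HTTP Host mismatches, the on-the-wire signature of domain fronting.

Added example for this article (not part of the original post). The log format,
hostnames (RFC 2606 .example names) and records are all constructed for the demo.
"""
import re
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample of lines from a TLS-inspecting forward proxy that records
# both the TLS SNI and the decrypted HTTP Host header (or HTTP/2 :authority).
SAMPLE_LOG = """\
ts=2021-02-08T10:00:01Z src=10.0.5.23 sni=cdn.trusted.example host=cdn.trusted.example uri=/lib/jquery.min.js
ts=2021-02-08T10:00:02Z src=10.0.5.23 sni=cdn.trusted.example host=beacon.attacker.example uri=/api/check
ts=2021-02-08T10:00:03Z src=10.0.5.41 sni=www.shop.example host=WWW.Shop.Example.:443 uri=/
ts=2021-02-08T10:00:04Z src=10.0.5.41 sni=static.vendor.example host=assets.vendor.example uri=/img/logo.png
ts=2021-02-08T10:00:05Z src=10.0.5.23 sni=cdn.trusted.example host=beacon.attacker.example uri=/api/check
"""

# Constructed allowlist: a vendor whose CDN legitimately serves a different
# Host than its certificate name. Real lists are built from baselining.
KNOWN_BENIGN: FrozenSet[Tuple[str, str]] = frozenset(
    {("static.vendor.example", "assets.vendor.example")}
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")
Hit = Tuple[str, str, str, str]  # (ts, src, sni, host)


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k2=v2 ...' into a dict (assumed log format)."""
    return dict(FIELD_RE.findall(line))


def normalise(name: str) -> str:
    """Lower-case, drop trailing dot and :port so 'WWW.Shop.Example.:443' == 'www.shop.example'."""
    name = name.strip().lower()
    name = re.sub(r":\d+$", "", name)  # strip port (IPv6 literals not expected in Host here)
    return name.rstrip(".")


def find_fronting_candidates(
    lines: Iterable[str], allow_pairs: FrozenSet[Tuple[str, str]] = frozenset()
) -> List[Hit]:
    """Return records whose SNI and Host disagree and are not on the allowlist."""
    hits: List[Hit] = []
    for raw in lines:
        rec = parse_line(raw.strip())
        sni, host = rec.get("sni"), rec.get("host")
        if not sni or not host:
            continue  # no Host visible (e.g. not decrypted): nothing to compare
        sni, host = normalise(sni), normalise(host)
        if sni == host or (sni, host) in allow_pairs:
            continue
        hits.append((rec.get("ts", ""), rec.get("src", ""), sni, host))
    return hits


def summarise(hits: Iterable[Hit]) -> Counter:
    """Count mismatches per (src, sni, host); repeated tuples suggest periodic check-ins."""
    return Counter((src, sni, host) for _, src, sni, host in hits)


if __name__ == "__main__":
    found = find_fronting_candidates(SAMPLE_LOG.splitlines(), KNOWN_BENIGN)
    for key, n in summarise(found).most_common():
        src, sni, host = key
        print(f"{src}: SNI={sni} Host={host} ({n} requests)")
```

Run as-is, the script reports the one source that fronts `beacon.attacker.example` behind `cdn.trusted.example` twice, while the vendor's benign mismatch is suppressed by the allowlist. The comparison only works where the proxy or sensor can see the Host header, so on an undecrypted link the check degrades to SNI-only telemetry; the major CDN providers have also moved to reject Host/SNI mismatches at the edge, which is the corresponding control on the provider side.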

Infrastructure Setup

1) Cobalt Strike Server Setup (Cloud VM)

First, you need a server to host Cobalt Strike. For this demo, I created an AWS EC2 instance configured with an external (public) IP.

$  uname -a
Linux ip-xx 5.4.0-1029-aws #30-Ubuntu SMP Tue Oct 20 10:06:38 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ curl ipconfig.io
3.21.xx.xx <-- AWS EC2 Public IP

Written by bigb0ss

OSWE | OSCE | OSCP | CREST | Principal Offensive Security Engineer — All about Penetration Test, Red Team, Cloud Security, Web Application Security