RITA has the ability to detect beacons to domain names which should help with finding C2 channels which utilize DNS to distribute their traffic. However, if an attacker creates a domain fronted channel as described by https://attack.mitre.org/techniques/T1090/004/, RITA will record the beacon as heading towards the "safe" domain only (the one that can be observed via DNS).
Solutions:
For domain fronting which abuses the TLS SNI header:
Add the IP of each SSL server to the hostname_map using the ServerName attribute from the SSL log.
Then, after fqdn beacon analysis, we will see an additional entry for the true C2 domain.
For domain fronting which abuses the HTTP Host header (AKA "domainless" in the MITRE posting):
Note: Most CDNs block connections with mismatched SNIs and Host headers.
Requires breaking TLS with a middle box.
Add the IP of each HTTP server to the hostname_map using the Host attribute from the HTTP log.
Then, after fqdn beacon analysis, we will see an additional entry for the true C2 domain.
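Both procedures above in working form, as an added example that is not RITA's code and not part of this issue: it parses Zeek-style TSV logs, seeds an IP-to-hostname map from dns.log answers, then adds the ssl.log `server_name` (SNI) and the http.log `host` (Host header) for the responding IP, so a beacon to a CDN address is attributed to every name seen for it. The Zeek field names (`id.resp_h`, `query`, `answers`, `server_name`, `host`) are real, but the log lines are constructed with a reduced field set, and the map layout `{ip: {name: sources}}` is this example's own, not RITA's internal hostname_map format.

```python
# Added example, not RITA code: hostname map from dns.log + ssl.log (SNI) + http.log (Host).
# Sample logs below are constructed and use a reduced Zeek field set; the parser keys
# on the #fields header line, so it reads real Zeek TSV logs unchanged.
import ipaddress
import re
from collections import defaultdict


def parse_zeek_tsv(text):
    """Yield one dict per data row, keyed by the #fields names.
    Unset fields ('-') become None, empty fields ('(empty)') become ''."""
    fields, unset, empty = None, "-", "(empty)"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#unset_field":
                unset = rest
            elif key == "#empty_field":
                empty = rest
            continue  # #separator, #path, #types, #close are not needed here
        if fields is None:
            raise ValueError("data row before #fields header")
        yield {n: (None if v == unset else "" if v == empty else v)
               for n, v in zip(fields, line.split("\t"))}


def build_hostname_map(dns_log, ssl_log, http_log):
    """Return {resp_ip: {hostname: {"dns" | "sni" | "host", ...}}}.
    dns.log gives the name the client resolved (the "safe" domain); ssl.log adds the SNI;
    http.log adds the Host header, visible only when a middlebox terminates TLS for Zeek."""
    hmap = defaultdict(lambda: defaultdict(set))
    for row in parse_zeek_tsv(dns_log):
        if row.get("query") and row.get("answers"):
            for ans in row["answers"].split(","):  # vector fields use set_separator ','
                try:
                    ipaddress.ip_address(ans)      # skip CNAME/TXT answers
                except ValueError:
                    continue
                hmap[ans][row["query"].lower()].add("dns")
    for row in parse_zeek_tsv(ssl_log):
        if row.get("server_name"):                 # '-' (no SNI sent) is skipped
            hmap[row["id.resp_h"]][row["server_name"].lower()].add("sni")
    for row in parse_zeek_tsv(http_log):
        if row.get("host"):
            host = re.sub(r":\d+$", "", row["host"].lower())  # drop an explicit :port
            hmap[row["id.resp_h"]][host].add("host")
    return hmap


def fronting_candidates(hmap):
    """Names tied to an IP by SNI or Host that the client never resolved via DNS:
    the trace a domain-fronted channel leaves once the extra sources are added."""
    out = {}
    for ip, names in hmap.items():
        hidden = {n for n, src in names.items() if "dns" not in src}
        if hidden:
            out[ip] = hidden
    return out


def _zeek(path, fields, types, rows):
    """Build a Zeek-style TSV log from constructed rows (reduced field set)."""
    head = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
            "#unset_field\t-", "#path\t" + path,
            "#fields\t" + "\t".join(fields), "#types\t" + "\t".join(types)]
    return "\n".join(head + ["\t".join(r) for r in rows] + ["#close\t2023-11-14-22-13-20"]) + "\n"


CONN = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p"]
CONN_T = ["time", "string", "addr", "port", "addr", "port"]

DNS_LOG = _zeek("dns", CONN + ["query", "qtype_name", "answers"], CONN_T + ["string", "string", "vector[string]"], [
    ["1700000000.1", "C1a", "10.0.0.5", "51234", "10.0.0.1", "53", "cdn-safe.example", "A", "203.0.113.10"],
    ["1700000001.1", "C1b", "10.0.0.7", "51235", "10.0.0.1", "53", "static-safe.example", "A", "198.51.100.20"],
])
SSL_LOG = _zeek("ssl", CONN + ["version", "server_name", "established"], CONN_T + ["string", "string", "bool"], [
    # ordinary beacon to the safe CDN name
    ["1700000002.0", "C2a", "10.0.0.5", "44001", "203.0.113.10", "443", "TLSv12", "cdn-safe.example", "T"],
    # SNI carries the real C2 name while DNS only ever saw cdn-safe.example
    ["1700000062.0", "C2b", "10.0.0.5", "44002", "203.0.113.10", "443", "TLSv12", "c2-front.example", "T"],
    # "domainless": no SNI at all; the Host header below is the only name
    ["1700000003.0", "C2c", "10.0.0.7", "44003", "198.51.100.20", "443", "TLSv12", "-", "T"],
])
HTTP_LOG = _zeek("http", CONN + ["method", "host", "uri"], CONN_T + ["string", "string", "string"], [
    # as logged after a TLS-terminating middlebox hands Zeek the decrypted stream
    ["1700000003.2", "C3a", "10.0.0.7", "44003", "198.51.100.20", "443", "GET", "c2-hidden.example", "/beacon"],
    ["1700000004.0", "C3b", "10.0.0.5", "44004", "203.0.113.10", "80", "GET", "cdn-safe.example:80", "/"],
])


def demo_map():
    """Hostname map built from the constructed logs above."""
    return build_hostname_map(DNS_LOG, SSL_LOG, HTTP_LOG)
```

Running `demo_map()` attaches both `cdn-safe.example` and `c2-front.example` to 203.0.113.10, and `fronting_candidates()` reports `c2-front.example` (SNI only) and `c2-hidden.example` (Host only, from the decrypted http.log) as the names the beacon analysis would otherwise never surface. On real data the same split is the check to run before trusting a beacon's FQDN attribution: a name present only via SNI or Host, never via DNS, is either fronting or a pinned/hard-coded destination and deserves a look either way.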