Using CloudFront to Relay Cobalt Strike Traffic
Summary
This article discusses domain fronting, a technique that lets Command and Control (C2) traffic blend in with a target's legitimate traffic. It specifically details how Amazon CloudFront can be used to relay traffic for Cobalt Strike, a popular tool for penetration testing and adversary simulation.
IFF Assessment
FOE
This article describes a technique that can be used by attackers to evade detection by blending malicious traffic with legitimate cloud-based traffic.
Defender Context
Defenders need to be aware of domain fronting, since adversaries use it to disguise C2 communications and evade network defenses. Monitoring egress traffic for unusual patterns, especially traffic to CDNs or cloud services, is crucial for detection.