RITA does not record the Host Header / TLS SNI of a domain fronted beacon
RITA has the ability to detect beacons to domain names which should help with finding C2 channels which utilize DNS to distribute their traffic. However, if an attacker creates a domain fronted channel as described by https://attack.mitre.org/techniques/T1090/004/, RITA will record the beacon as heading towards the "safe" domain only (the one that can be observed via DNS).
Solutions:
- For domain fronting which abuses the TLS SNI header:
  - Add the IP of each SSL server to the `hostname_map` using the `ServerName` attribute from the SSL log.
  - Then, after fqdn beacon analysis, we will see an additional entry to the true C2 domain.
- For domain fronting which abuses the HTTP Host header (AKA "domainless" in the MITRE posting):
  - Note: Most CDNs block connections with mismatched SNIs and Host headers.
  - Requires breaking TLS with a middle box.
  - Add the IP of each HTTP server to the `hostname_map` using the `Host` attribute from the HTTP log.
  - Then, after fqdn beacon analysis, we will see an additional entry to the true C2 domain.
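As an added example (not RITA's own code), the SNI variant of the proposed fix worked over constructed Zeek-style dns.log and ssl.log records: DNS answers alone map the server IP to the "safe" name, and adding the ssl.log `server_name` value for the same IP surfaces the second name. The log layout, IPs and domain names are assumptions.

```python
"""Augment a hostname_map (IP -> names) with TLS SNI values from a Zeek-style ssl.log."""
from collections import defaultdict

# Constructed sample dns.log: the beaconing host only ever resolves the "safe" CDN name.
DNS_LOG = """#fields\tts\tid.orig_h\tquery\tanswers
1.0\t10.0.0.5\tcdn.example.net\t203.0.113.10
2.0\t10.0.0.5\tcdn.example.net\t203.0.113.10
"""

# Constructed sample ssl.log: the SNI sent to that same server IP names a different domain.
SSL_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tserver_name
1.1\t10.0.0.5\t203.0.113.10\tc2.example.org
2.1\t10.0.0.5\t203.0.113.10\tc2.example.org
3.1\t10.0.0.7\t203.0.113.10\tcdn.example.net
"""

def parse_zeek(text):
    """Yield one dict per record from a tab-separated Zeek log that carries a #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def dns_hostname_map(dns_log):
    """IP -> set of names, built from DNS answers only (what RITA sees today per the issue)."""
    hostname_map = defaultdict(set)
    for rec in parse_zeek(dns_log):
        for ip in rec["answers"].split(","):
            hostname_map[ip].add(rec["query"])
    return hostname_map

def build_hostname_map(dns_log, ssl_log):
    """DNS-derived map plus, for each SSL server IP, the server_name (SNI) observed in ssl.log."""
    hostname_map = dns_hostname_map(dns_log)
    for rec in parse_zeek(ssl_log):
        if rec["server_name"] not in ("-", ""):
            hostname_map[rec["id.resp_h"]].add(rec["server_name"])
    return dict(hostname_map)

def sni_not_seen_in_dns(dns_log, ssl_log):
    """(src, dst, sni) for TLS sessions whose SNI was never a DNS answer for dst.
    Shared CDN IPs legitimately serve many names, so hits are leads for beacon review, not verdicts."""
    dns_names = dns_hostname_map(dns_log)
    return sorted({(r["id.orig_h"], r["id.resp_h"], r["server_name"])
                   for r in parse_zeek(ssl_log)
                   if r["server_name"] not in dns_names[r["id.resp_h"]]})
```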
Any word on introducing SNI analysis as a feature for RITA to use for deny list identification, DNS subdomain analysis, etc?