
RITA does not record the Host Header / TLS SNI of a domain fronted beacon

Open Zalgo2462 opened this issue 3 years ago • 1 comment

RITA has the ability to detect beacons to domain names which should help with finding C2 channels which utilize DNS to distribute their traffic. However, if an attacker creates a domain fronted channel as described by https://attack.mitre.org/techniques/T1090/004/, RITA will record the beacon as heading towards the "safe" domain only (the one that can be observed via DNS).

Solutions:

  • For domain fronting which abuses the TLS SNI header:
    • Add the IP of each SSL server to the hostname_map using the ServerName attribute from the SSL log.
    • Then, after fqdn beacon analysis, we will see an additional entry for the true C2 domain.
  • For domain fronting which abuses the HTTP Host header (AKA "domainless" in the MITRE posting):
    • Note: Most CDNs block connections with mismatched SNIs and Host headers
    • Requires breaking TLS with a middle box
    • Add the IP of each HTTP server to the hostname_map using the Host attribute from the HTTP log
    • Then, after fqdn beacon analysis, we will see an additional entry to the true C2 domain

Zalgo2462 avatar Jun 12 '21 01:06 Zalgo2462
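The mapping step proposed above, worked through on Zeek-style logs as an added example (this is not RITA's code and not from the issue author): build a per-IP hostname map from DNS answers, the `server_name` field of ssl.log and the `host` field of http.log, then list names that reached an IP via SNI or Host but never appeared in a DNS answer for that IP. Those are the entries that would be missing from a DNS-only fqdn beacon analysis. The log lines are constructed samples in Zeek's JSON output format; the field names `query`, `answers`, `server_name`, `host`, `id.orig_h` and `id.resp_h` are Zeek's, while the hypothetical domain names and documentation-range IPs are invented for the example.

```python
"""Build an IP -> hostname map from Zeek dns.log, ssl.log and http.log records
and surface names observed only via TLS SNI or HTTP Host (the names a
DNS-only beacon analysis would never attribute to the connection).
Constructed example; not RITA's implementation."""
import json
from collections import defaultdict

# Constructed sample logs (documentation-range IPs, invented hostnames).
DNS_LOG = """
{"ts":1.0,"id.orig_h":"10.0.0.5","query":"cdn.example.com","answers":["203.0.113.10"]}
{"ts":2.0,"id.orig_h":"10.0.0.5","query":"static.example.net","answers":["203.0.113.10","203.0.113.11"]}
"""
SSL_LOG = """
{"ts":3.0,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","server_name":"cdn.example.com"}
{"ts":4.0,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","server_name":"c2-front.example.org"}
{"ts":5.0,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","server_name":"c2-front.example.org"}
"""
HTTP_LOG = """
{"ts":6.0,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.11","host":"static.example.net"}
{"ts":7.0,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.11","host":"hidden-c2.example.org:8080"}
"""


def parse_json_log(text):
    """One JSON object per non-empty line, as Zeek writes with LogAscii::use_json=T."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_hostname_map(dns, ssl, http):
    """Return {ip: {"dns": set, "sni": set, "host": set}} of lower-cased names.

    DNS names come from the answers of each query; SNI names from ssl.log
    server_name; Host names from http.log host (port suffix stripped).
    """
    hmap = defaultdict(lambda: {"dns": set(), "sni": set(), "host": set()})
    for rec in dns:
        for answer in rec.get("answers", []):
            hmap[answer]["dns"].add(rec["query"].lower())
    for rec in ssl:
        name = rec.get("server_name")
        if name:
            hmap[rec["id.resp_h"]]["sni"].add(name.lower())
    for rec in http:
        name = rec.get("host")
        if name:
            hmap[rec["id.resp_h"]]["host"].add(name.lower().rsplit(":", 1)[0])
    return dict(hmap)


def fronting_candidates(hmap):
    """(ip, source, name) for names seen via SNI or Host but never via DNS for that IP."""
    out = []
    for ip, names in sorted(hmap.items()):
        for source in ("sni", "host"):
            for name in sorted(names[source] - names["dns"]):
                out.append((ip, source, name))
    return out


def connections_by_fqdn(ssl, http):
    """Count connections per (originator, fqdn) using the name actually carried
    in the connection (SNI or Host) rather than the DNS-observed name, so the
    fronted domain gets its own entry alongside the "safe" one."""
    counts = defaultdict(int)
    for rec in ssl:
        if rec.get("server_name"):
            counts[(rec["id.orig_h"], rec["server_name"].lower())] += 1
    for rec in http:
        if rec.get("host"):
            counts[(rec["id.orig_h"], rec["host"].lower().rsplit(":", 1)[0])] += 1
    return dict(counts)


def analyse():
    dns, ssl, http = (parse_json_log(t) for t in (DNS_LOG, SSL_LOG, HTTP_LOG))
    hmap = build_hostname_map(dns, ssl, http)
    return hmap, fronting_candidates(hmap), connections_by_fqdn(ssl, http)


if __name__ == "__main__":
    hmap, candidates, counts = analyse()
    for ip, sources in hmap.items():
        print(ip, {k: sorted(v) for k, v in sources.items()})
    print("names reached without a matching DNS answer:", candidates)
    print("connections per fqdn:", counts)
```

On real logs the candidate list needs the same caveat the issue raises: the Host-header variant is only visible if TLS is terminated by a middlebox that emits http.log, and large CDNs mostly reject SNI/Host mismatches, so the SNI-based map is the one that works without interception.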

Any word on introducing SNI analysis as a feature for RITA to use for deny list identification, DNS subdomain analysis, etc?

joswr1ght avatar Mar 25 '22 12:03 joswr1ght