Uncover gaps in your Microsoft Identity Security.
Book an identity exposure gap analysis today.
Back to all detections
Command & Control

Multi-home Fronted Tunnel

Multi-home Fronted Tunnel
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

The Multi-home Fronted Tunnel detection identifies the use of multiple domain fronting techniques to hide command and control (C2) traffic. This technique involves using several different domains to disguise the true destination of network traffic, often leveraging content delivery networks (CDNs) to make malicious traffic appear legitimate. This method helps attackers evade detection by blending their traffic with regular CDN traffic.

Triggers

  • An internal host is communicating with an outside IP using HTTPS where another protocol is running over the top of the HTTPS sessions. The sessions appear to go to different domains but are all served by a single Content Delivery Network (CDN) and all utilize a JA3 hash which is only used by this host with this one CDN.
  • This represents a hidden tunnel involving multiple shorter sessions over a longer period of time mimicking normal encrypted Web traffic

Possible Root Causes

  • A targeted attack may use hidden tunnels to hide communication with command and control servers over TLS on port 443 and other ports  
  • Intentionally installed software is using a domain-fronted hidden tunnel utilizing multiple benign domains to bypass expected firewall rules

Business Impact

  • The use of a hidden tunnel with multi-domain fronting is quite unusual, and it represents significant risk as the intention is to bypass security controls
  • Hidden tunnels used as part of a targeted attack are meant to slip by your perimeter security controls and indicate a sophisticated attacker

Steps to Verify

  • Ask the user of the host whether they are using hidden tunnel software for any purpose and if not, whether they intentionally connected to the list of domains in the detection (the JA3- hash in the detection may provide a clue to the software utilized)
  • Before removing the offending software via antivirus or reimaging, take a memory snapshot for future analysis of the incident
  • If the behavior reappears shortly after a reimaging, this may be a hardware/BIOS tunnel
Multi-home Fronted Tunnel

Possible root causes

Malicious Detection

  • An attacker using multi-home fronted tunnels to communicate with external command and control servers while evading detection.
  • Malware on an internal host using domain fronting to maintain a persistent connection with C2 servers.
  • Compromised internal machines using advanced evasion techniques to bypass network security measures.

Benign Detection

  • Security or network management tools performing legitimate tasks that involve complex traffic routing.
  • Applications or services using CDNs for load balancing and optimization, resulting in traffic patterns similar to multi-home fronting.
  • Misconfigured software inadvertently generating traffic that resembles multi-home fronted tunnels.
Multi-home Fronted Tunnel

Example scenarios

Scenario 1: An internal host communicates with multiple domains via HTTPS, with traffic patterns showing frequent changes in destination domains but consistent JA3 hashes. Further investigation reveals malware using domain fronting to evade detection while maintaining contact with C2 servers.

Scenario 2: A security audit detects HTTPS sessions from an internal host to multiple domains within a short period. Analysis shows these sessions contain hidden command and control traffic, indicating the host is compromised and using multi-home fronting for evasion.

Multi-home Fronted Tunnel

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Data Exfiltration

Hidden tunnels can be used to exfiltrate sensitive data from the organization, leading to potential financial and reputational damage.

Unauthorized Remote Access

Attackers can use these tunnels to maintain persistent remote access, allowing them to control compromised hosts undetected.

Bypassing Security Controls

The use of encrypted tunnels through multiple domains can bypass traditional network security measures, increasing the risk of undetected malicious activity.

Multi-home Fronted Tunnel

Steps to investigate

Analyze Network Traffic Logs

Review logs for traffic patterns involving multiple domain fronting, focusing on consistent JA3 hashes and unusual domain changes within short intervals.

Inspect the Host

Investigate the internal host generating the traffic for signs of compromise, such as malware, unauthorized software, or unexpected configurations.

Check for Associated Indicators

Look for other signs of compromise, such as abnormal login attempts, unusual system behavior, or other related detections.

Consult with IT and Security Teams

Confirm if any authorized activities or legitimate services could explain the detected multi-home fronted tunnel behavior.

Multi-home Fronted Tunnel

MITRE ATT&CK techniques covered

Data from Local System

T1005

Clipboard Data

T1115

Application Layer Protocol

T1071

Video Capture

T1125

Screen Capture

T1113

Application Window Discovery

T1010

Boot or Logon Initialization Scripts

T1037

Multi-Factor Authentication Interception

T1111

Protocol Tunneling

T1572

Encrypted Channel

T1573

User Execution

T1204

Input Capture

T1056

Data Obfuscation

T1001

Non-Standard Port

T1571

Command and Scripting Interpreter

T1059

Software Discovery

T1518

Browser Extensions

T1176

Audio Capture

T1123

Fallback Channels

T1008

Data Encoding

T1132
Multi-home Fronted Tunnel

Related detections

Hidden DNS Tunnel

Hidden HTTP Tunnel

Hidden HTTPS Tunnel

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs

What is a Multi-home Fronted Tunnel?

A Multi-home Fronted Tunnel involves using multiple domains, often leveraging CDNs, to disguise the true destination of network traffic, making it difficult to detect malicious communications with command and control servers.

What are the common signs of a Multi-home Fronted Tunnel?

Common signs include frequent domain changes within HTTPS sessions, consistent JA3 hashes across different domains, and HTTPS traffic that appears legitimate but shows signs of protocol tunneling.

Can legitimate software trigger this detection?

Yes, security tools, applications using CDNs for optimization, and misconfigured software can generate traffic resembling multi-home fronted tunnels.

How does Vectra AI identify Multi-home Fronted Tunnels?

Vectra AI uses advanced AI algorithms and machine learning to analyze HTTPS traffic patterns and identify anomalies indicative of multi-home fronting activities.

What is the business impact of a Multi-home Fronted Tunnel?

It can lead to data exfiltration, unauthorized remote access, and bypassing security controls, resulting in financial and reputational damage.

How can I detect a Multi-home Fronted Tunnel in my network?

Detect Multi-home Fronted Tunnels by monitoring for traffic patterns involving frequent changes in destination domains, consistent JA3 hashes, and unusual HTTPS traffic indicative of tunneling.

Why are Multi-home Fronted Tunnels a significant threat?

They can be used for data exfiltration, maintaining persistent unauthorized remote access, and bypassing traditional network security controls, posing significant risks to the organization.

What steps should I take if I detect a Multi-home Fronted Tunnel?

Investigate the source and nature of the traffic, check the host for signs of compromise, review network traffic logs, and consult with IT and security teams to verify if the activity is legitimate.

What tools can help verify the presence of a Multi-home Fronted Tunnel?

Tools such as network traffic analysis, firewall logs, and intrusion detection systems can help verify and investigate suspicious multi-home fronted tunnel activities.

How can I prevent Multi-home Fronted Tunnels?

Implement robust network monitoring and alerting, enforce strict access controls, regularly conduct security assessments, and ensure timely patching and updating of systems to minimize vulnerabilities.