activecm/rita

Question about FQDN going away

kyleEeeEEeeee opened this issue · 5 comments

Hello,

Does the SNI module also grab HTTP host names? I was tracking that the FQDN would pick up on a malicious C2 domain switching IP infrastructure. Does SNI cover this, or is that a gap now?

Any answer to this?

Hello, just checking in to see if there is an answer to this question?

Hello all, the SNI module grabs hostnames from the HTTP host header and the TLS server name indication.

If a C2 channel uses HTTP or TLS, the corresponding FQDN will pop up in the SNI module.

On the other hand, if a C2 channel is not using HTTP or TLS, RITA will not be able to track it as it bounces between IP addresses.
In practice, we find most C2 channels which bounce between IP addresses run with TLS enabled.
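The behaviour the maintainer describes above, as an added example that is not RITA's own code: HTTP Host headers and TLS server_name (SNI) values from constructed Zeek-style http.log and ssl.log records are merged into one per-FQDN view, so a name that rotates across server IPs is still tracked as one entity. Field names follow Zeek's http.log and ssl.log; the three-IP threshold is an assumption for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample Zeek-style records: http.log contributes the Host header,
# ssl.log contributes the TLS server_name (SNI). Only the fields this example
# needs are included; real Zeek logs carry many more columns.
HTTP_LOG = """\
ts\tid.orig_h\tid.resp_h\thost
1700000000.1\t10.0.0.5\t203.0.113.10\tupdates.example-cdn.test
1700000300.2\t10.0.0.5\t203.0.113.11\tupdates.example-cdn.test
1700000600.3\t10.0.0.7\t198.51.100.20\tintranet.example.test
"""

SSL_LOG = """\
ts\tid.orig_h\tid.resp_h\tserver_name
1700000900.4\t10.0.0.5\t203.0.113.12\tupdates.example-cdn.test
1700001200.5\t10.0.0.5\t203.0.113.13\tupdates.example-cdn.test
1700001500.6\t10.0.0.9\t198.51.100.20\tintranet.example.test
"""

def fqdn_ip_map(http_log: str, ssl_log: str) -> dict:
    """Map each FQDN to the set of server IPs it was contacted at.

    HTTP Host headers and TLS SNI values share one keyspace, so a domain that
    rotates between IP addresses (or between HTTP and TLS) stays one entity.
    """
    seen = defaultdict(set)
    for text, field in ((http_log, "host"), (ssl_log, "server_name")):
        for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
            name = row[field].strip().lower()
            if name and name != "-":            # Zeek writes '-' for unset fields
                seen[name].add(row["id.resp_h"])
    return dict(seen)

def rotating_fqdns(mapping: dict, min_ips: int = 3) -> list:
    """Return (fqdn, ip_count) for names seen at min_ips or more server IPs, most first."""
    hits = [(name, len(ips)) for name, ips in mapping.items() if len(ips) >= min_ips]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for name, count in rotating_fqdns(fqdn_ip_map(HTTP_LOG, SSL_LOG)):
        print(f"{name}: {count} distinct server IPs")
```

A channel that uses neither HTTP nor TLS leaves no Host or SNI value in these logs and so never enters the map, which is exactly the gap described above.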

Great thanks! That's what we were hoping. We love RITA :)

Sorry for the lag time in responding to this. If you'd like to get a hold of us a bit quicker, please check out our Discord at https://discord.gg/threathunter