Command and control

C2, relates and covers the command and control channel itself, as well as the content transferred.

CloudFlare for Command and Control

CloudFlare has a free service that protects your website against DDoS attacks, crawling, brute-force, and generic web application attacks. That's all great, but it also offers quick content delivery through its fast network, URL rewrite, caching rules, firewall rules, user-agent blocking, analytics, and even SSL certificates issued by CloudFlare! For »


What the... IPFuscation was a technique that we just named on Twitter after @LucaBongiorni demanded a name! It's a technique that allows for IP addresses to be represented in hexadecimal, octal, or a combination, instead of the decimal encoding that we are used to. What can we do? Normal: ping »

Host Header Manipulation

TLDR; Host header obfuscation When attacking a target, you never know what sort of rules the blue team has in place to detect you. With a rise in Domain Fronting, which meant that more people were manipuating host headers, I decided to look a bit more into what you can »

Vultr Domain Hijacking

TLDR: Vultr does not verify domain ownership when adding new domains. This allows the hijack of abandoned domains by pretty much anyone with an account and verified payment method Disclosure Timeline 2018/04/09: Reported to Vultr to see if they will fix and accept under bug bounty program. 2018/ »

Domain Fronting: Who Am I?

TLDR; Set whatever Host header you want in your Domain Fronting packet when you use CloudFront Note: It’s 1:31 am, I do my independent research to contribute to the community in my evenings. So give me a break if it all sounds like I’m talking to myself. »

Validated CloudFront SSL Domains

You may have heard of Domain Fronting, and some of the work that I’ve previously done. Then came along and showed us how to find 93k frontable CloudFront domains. I mentioned to him that not »

Alibaba CDN Domain Fronting

Author: @vysecurity It’s been a while since Domain Fronting has been out, we’ve been discussing the idea of using various CDNs such as Azure, Google App Engine, and Amazon CloudFront for domain fronting. That’s all become a reality now, as attackers move to better command and control »

Finding Target-relevant Domain Fronts

My last blog post on finding high-value target domains that could be used for domain fronting was quite popular — found here. Although there are a few popular domains that everyone uses, I’ve also published quite a large list on GitHub for public consumption and defenders to watch for. This »

Domain Fronting Via CloudFront Alternate Domains

Note: posted on February 2017 These are not the domains you are looking for… A technique known as Domain Fronting was recently documented for circumventing censorship restrictions by Open Whisper Systems. The benefits of this technique for use in adversary simulations was recognised by several people, including Optiv and Raphael »