JA3/JA3S Hashes

The TLS negotiation between a client and a server has a fingerprint. The fingerprint can be used to identify the type of encrypted communication.
TLS is used to encrypt communication for privacy and security. HTTP uses TLS in HTTPS as do most command and controls frameworks.To initiate a TLS session, a client will send a TLS Client Hello packet after the TCP 3-way handshake. This packet and the way in which it is generated is dependent on the client application. The server will respond with a TLS Server Hello packet that is formulated based on server-side libraries, configurations, and the Client Hello. Because TLS negotiations are transmitted in the clear, it’s possible to fingerprint and identify client applications.
Things to look for:
Frequently changing JA3/JA3S hashes
Numerous JA3 hashes from a single host
Unvarying and unknown JA3/JA3s hashes
References:
​https://github.com/salesforce/ja3​
​https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967​
​https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41​
​https://www.vectra.ai/blogpost/is-there-still-value-in-ja3-fingerprinting 
Last modified 2yr ago