JA3/JA3S Hashes

Last updated 5 years ago

The TLS negotiation between a client and a server has a fingerprint. That fingerprint can be used to identify which kind of client (and server) is behind an encrypted connection, even though the payload itself cannot be read.

TLS is used to encrypt communication for privacy and security. HTTP uses TLS in HTTPS, as do most command and control frameworks. To initiate a TLS session, a client sends a TLS Client Hello packet after the TCP 3-way handshake. This packet, and the way in which it is generated, depends on the client application (its TLS library, version, and configuration). The server responds with a TLS Server Hello packet that is formulated based on server-side libraries, configuration, and the Client Hello it received. Because TLS negotiations are transmitted in the clear, it is possible to fingerprint and identify client applications from the Client Hello and server software from the Server Hello.
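As an added example (not code from the C2 Matrix page or from the JA3 project), the Python below computes the JA3 string and hash from a raw Client Hello record and the JA3S string and hash from a raw Server Hello, following the field order the JA3 project defines: for JA3, the TLS version, cipher suites, extension types, supported groups and EC point formats, each list joined with "-" and the five fields with ",", GREASE values removed, then MD5; for JA3S, the version, the chosen cipher and the extension types. The handshake bytes are constructed inline with small builder helpers so it runs offline; `example.local`, the cipher and extension choices and the `SAMPLE_*` names are constructed sample values, not captures.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3/JA3S, as in the reference implementation.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


class _Cursor:
    """Sequential big-endian reader over a byte string."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def take(self, n):
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]


def _u16_list(data):
    return list(struct.unpack(f">{len(data) // 2}H", data))


def _parse_extensions(blob):
    """Return (extension types, supported groups, EC point formats), GREASE removed."""
    types, groups, formats = [], [], []
    c = _Cursor(blob)
    while c.off + 4 <= len(blob):
        etype = c.u16()
        body = c.take(c.u16())
        if etype in GREASE:
            continue
        types.append(etype)
        if etype == 10:    # supported_groups: u16 length, then u16 group ids
            glen = struct.unpack(">H", body[:2])[0]
            groups = [g for g in _u16_list(body[2:2 + glen]) if g not in GREASE]
        elif etype == 11:  # ec_point_formats: u8 length, then u8 format ids
            formats = list(body[1:1 + body[0]])
    return types, groups, formats


def _open_handshake(record, expected_type):
    """Skip the 5-byte TLS record header and the 4-byte handshake header."""
    if record[0] != 0x16 or record[5] != expected_type:
        raise ValueError("unexpected record or handshake type")
    return _Cursor(record[9:])


def ja3_from_client_hello(record):
    """JA3 string and MD5 for a raw TLS record carrying a Client Hello."""
    c = _open_handshake(record, 0x01)
    version = c.u16()
    c.take(32)                        # random
    c.take(c.u8())                    # session id
    ciphers = [x for x in _u16_list(c.take(c.u16())) if x not in GREASE]
    c.take(c.u8())                    # compression methods
    types, groups, formats = _parse_extensions(c.take(c.u16()))
    parts = [str(version)] + ["-".join(map(str, p)) for p in (ciphers, types, groups, formats)]
    ja3 = ",".join(parts)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def ja3s_from_server_hello(record):
    """JA3S string and MD5 for a raw TLS record carrying a Server Hello."""
    c = _open_handshake(record, 0x02)
    version = c.u16()
    c.take(32)                        # random
    c.take(c.u8())                    # session id
    cipher = c.u16()
    c.u8()                            # compression method
    types, _, _ = _parse_extensions(c.take(c.u16()))
    ja3s = ",".join([str(version), str(cipher), "-".join(map(str, types))])
    return ja3s, hashlib.md5(ja3s.encode()).hexdigest()


# --- builders for constructed test input (not captures) ---
def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs


def _exts(extensions):
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    return struct.pack(">H", len(ext)) + ext


def build_client_hello(version, ciphers, extensions):
    cs = b"".join(struct.pack(">H", x) for x in ciphers)
    body = struct.pack(">H", version) + bytes(32) + b"\x00"       # version, random, empty sid
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"          # suites, null compression
    return _record(0x01, body + _exts(extensions))


def build_server_hello(version, cipher, extensions):
    body = struct.pack(">H", version) + bytes(32) + b"\x00" + struct.pack(">H", cipher) + b"\x00"
    return _record(0x02, body + _exts(extensions))


SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,
    [0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],           # GREASE first, then real suites
    [
        (0x2A2A, b""),                                   # GREASE extension, must be dropped
        (0, b"\x00\x10\x00\x00\x0dexample.local"),      # server_name (constructed)
        (10, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),      # groups: GREASE, x25519, secp256r1
        (11, b"\x01\x00"),                               # ec_point_formats: uncompressed
        (23, b""),                                       # extended_master_secret
    ],
)
SAMPLE_SERVER_HELLO = build_server_hello(0x0303, 0xC02F, [(0, b""), (23, b""), (65281, b"\x00")])

if __name__ == "__main__":
    print("JA3 :", *ja3_from_client_hello(SAMPLE_CLIENT_HELLO))
    print("JA3S:", *ja3s_from_server_hello(SAMPLE_SERVER_HELLO))
```

Running it prints the JA3 string `771,4865-4866-49195-49199,0-10-11-23,29-23,0`; note that the GREASE suite, extension and group are gone, which is why the same browser yields a stable hash across connections even though GREASE values are randomised. The string contains nothing about the process name: any implant that reuses a stock TLS library with default settings shares its hash with every other user of that library, so a JA3 hit identifies a library and configuration, not a program, and should be combined with the other indicators on this page.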

Things to look for:

  • Frequently changing JA3/JA3S hashes

  • Numerous JA3 hashes from a single host

  • Unvarying and unknown JA3/JA3S hashes
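
To make the three indicators above concrete, here is an added Python example (not code from the C2 Matrix page) that runs those heuristics over a constructed set of TLS connection records: hosts presenting many distinct JA3 hashes, how often a host's JA3 changes between consecutive connections, and hosts that present a single hash, absent from an allow-list of known software, across many connections. The CSV layout (in the shape of a Zeek ssl.log export with the JA3 package), the placeholder hash labels, the `KNOWN_JA3` allow-list and the thresholds are all assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of TLS connection records. The ja3/ja3s values are placeholder
# labels, not real fingerprints.
SAMPLE_LOG = """\
ts,src_ip,dst_ip,ja3,ja3s
100,10.0.0.5,203.0.113.10,hash_browser_a,srv_1
101,10.0.0.5,203.0.113.11,hash_browser_a,srv_2
102,10.0.0.5,203.0.113.12,hash_browser_b,srv_1
103,10.0.0.5,203.0.113.10,hash_browser_a,srv_1
110,10.0.0.7,198.51.100.20,hash_rand_1,srv_9
111,10.0.0.7,198.51.100.20,hash_rand_2,srv_9
112,10.0.0.7,198.51.100.20,hash_rand_3,srv_9
113,10.0.0.7,198.51.100.20,hash_rand_4,srv_9
114,10.0.0.7,198.51.100.20,hash_rand_5,srv_9
200,10.0.0.9,198.51.100.30,hash_unknown_x,srv_7
260,10.0.0.9,198.51.100.30,hash_unknown_x,srv_7
320,10.0.0.9,198.51.100.30,hash_unknown_x,srv_7
380,10.0.0.9,198.51.100.30,hash_unknown_x,srv_7
440,10.0.0.9,198.51.100.30,hash_unknown_x,srv_7
500,10.0.0.9,198.51.100.30,hash_unknown_x,srv_7
"""

# Allow-list of JA3 hashes already attributed to sanctioned software (constructed).
KNOWN_JA3 = {"hash_browser_a", "hash_browser_b", "hash_curl"}


def parse_log(text):
    """Parse the CSV export into a list of dicts ordered by timestamp."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = float(r["ts"])
    return sorted(rows, key=lambda r: r["ts"])


def ja3_by_host(records):
    """Map each source host to the time-ordered list of JA3 hashes it presented."""
    seq = defaultdict(list)
    for r in records:
        seq[r["src_ip"]].append(r["ja3"])
    return seq


def many_hashes(records, threshold=3):
    """Hosts presenting at least `threshold` distinct JA3 hashes."""
    return sorted(h for h, s in ja3_by_host(records).items() if len(set(s)) >= threshold)


def churn(records):
    """Fraction of consecutive connections per host in which the JA3 hash changed."""
    out = {}
    for host, seq in ja3_by_host(records).items():
        if len(seq) < 2:
            out[host] = 0.0
            continue
        changes = sum(1 for a, b in zip(seq, seq[1:]) if a != b)
        out[host] = changes / (len(seq) - 1)
    return out


def unvarying_unknown(records, known, min_conns=5):
    """Hosts that present one JA3 hash, not on the allow-list, over many connections."""
    hits = []
    for host, seq in sorted(ja3_by_host(records).items()):
        if len(set(seq)) == 1 and len(seq) >= min_conns and seq[0] not in known:
            hits.append((host, seq[0], len(seq)))
    return hits


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("many hashes      :", many_hashes(RECORDS))
    print("churn            :", churn(RECORDS))
    print("unvarying unknown:", unvarying_unknown(RECORDS, KNOWN_JA3))
```

In the sample, 10.0.0.5 looks like a workstation (two browser hashes, low churn), 10.0.0.7 trips both the "numerous hashes" and "frequently changing" checks, and 10.0.0.9 is the unvarying-and-unknown case, presenting one unlisted hash to the same destination every 60 seconds. Treat these as triage leads rather than verdicts: the allow-list has to be built from your own environment, and because unrelated programs built on the same TLS library collide on JA3, the hits are best joined with the beaconing and JARM checks from the neighbouring pages.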

References:

https://github.com/salesforce/ja3
https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41
https://www.vectra.ai/blogpost/is-there-still-value-in-ja3-fingerprinting