The TLS negotiation between a client and a server has a fingerprint. The fingerprint can be used to identify the type of encrypted communication.

TLS is used to encrypt communication for privacy and security. HTTP uses TLS in HTTPS as do most command and controls frameworks.To initiate a TLS session, a client will send a TLS Client Hello packet after the TCP 3-way handshake. This packet and the way in which it is generated is dependent on the client application. The server will respond with a TLS Server Hello packet that is formulated based on server-side libraries, configurations, and the Client Hello. Because TLS negotiations are transmitted in the clear, it’s possible to fingerprint and identify client applications.

Things to look for:

• Frequently changing JA3/JA3S hashes

• Numerous JA3 hashes from a single host

• Unvarying and unknown JA3/JA3s hashes

References:

• https://github.com/salesforce/ja3

• https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967

• https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41

• https://www.vectra.ai/blogpost/is-there-still-value-in-ja3-fingerprinting