Defense & Detection

Infrastructure Tracking: Fingerprinting with JA3 and JARM

Updated Feb 13, 2026

Move beyond IP addresses. Learn how to track threat actors using SSL/TLS fingerprinting techniques like JA3, JA3S, and JARM to identify C2 servers.

In Pyramid of Pain terms, relying on IP addresses and domain names is becoming less effective because attackers rotate IPs automatically. To truly track an adversary's infrastructure, CTI analysts must identify the fingerprint of the server itself.

This article explores how to use TLS/SSL fingerprinting to pivot from a single indicator to an entire campaign.

What is JA3? (Client Fingerprinting)

JA3 is a method for creating a fingerprint of the SSL/TLS "Client Hello" packet.

  • How it works: When malware (the client) connects to a C2 server, it sends a specific set of cipher suites and TLS versions. JA3 hashes these values into a unique string.
  • Value: Even if the malware changes its IP address, the way it initiates the connection remains the same. You can hunt for this JA3 hash in your SIEM or in OSINT tools like Shodan.

What is JARM? (Server Fingerprinting)

While JA3 identifies the client (malware), JARM identifies the server (C2).

  • Mechanism: JARM sends 10 specially crafted TLS packets to a server and records how the server responds. It hashes these responses.
  • Use Case: Identifying Cobalt Strike Team Servers. Since many attackers use default configurations, their C2 servers often share the same JARM hash across the internet.

Pivoting Strategy

  1. Start: You find a suspicious domain in a phishing email.
  2. Enrich: Use Shodan or Censys to find the JARM hash of that domain's server.
  3. Pivot: Search for that unique JARM hash across the entire internet.
  4. Result: You discover 15 other IP addresses hosting the same C2 framework, even though they haven't attacked you yet. This is proactive Operational Intelligence.

Pro Tip: Combine JA3/JARM tracking with the Diamond Model to map out the adversary's full infrastructure capabilities.
