In this article, we want to talk about the TLS fingerprinting technology, about which there is not enough material in the Russian-speaking segment. Let's try to fix it. The article partially translates the thematic materials of the authors of the described methods ( here and here ), and also contains a description of the practical implementation from Acribia.
We will not dive deeply into the details of how SSL / TLS works (hereinafter we will talk about TLS), but we will briefly explain the details.
Using TLS is a blessing in itself, as it encrypts data. But on the other hand, malware creators use it to hide in encrypted traffic (this article will just bias in this direction) and make it difficult to detect and neutralize them.
To initiate a TLS session, the client sends a hello packet to the server after a three-way TCP handshake. This "package" and how it is created depend on the packages and encryption methods used to create the client application. If the server accepts the TLS connection, it will respond with a hello packet, thereby continuing the encryption negotiation.
TLS , .
TLS fingerprinting, . .
TLS fingerprinting
, . « » . :
TLS;
TLS;
;
;
.
, ( ):
;
;
.
(, ).
:
— TLS-. , .
TLS . , , , , , - .
, .
TLS Fingerprinting – . , . / , , .
, Exchange , OWA, Python .
: TLS Fingerprinting TLS- TLS-. , PCAP .
, :
JA3 JA3S;
TLS – JARM.
JA3 JA3S
JA3 : TLS, , TLS, . , «,» «-» .
:
TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
:
771,49196-49162-49195-52393-49161-49200-49172-49199-52392-49171-159-57-56-107-158-52394-51-50-103-22-19-157-53-61-156-47-60-10,0-23-65281-10-11-13-28,29-23-24-25,0
ClientHello TLS, :
769,4–5–10–9–100–98–3–6–19–18–99,,,
MD5. JA3:
c8446f59cca2149cb5f56ced4b448c8d
JA3S – . JA3S : TLS, TLS. , , «,» «-» .
, :
TLSVersion,Cipher,Extensions
:
769,47,65281–0–11–35–5–16
Server Hello TLS, .
:
769,47,
MD5 32- .
JA3S:
4835b19f14997673071435cb321f5445
JA3 JA3S – TLS. JA3 , TLS, JA3S . .
JARM.
JARM
JARM , 10 TLS . TLS JARM. JARM , TLS . JARM , 62- .
JARM :
, TLS;
, , , Google, Yandex Apple;
;
.
30 TLS, 10 . «000» , . 32 SHA256 , , x509. JARM, 30 , 32 , , , , , .
, (IOC) (IOA). / .. - , TI IP, , .. « ». , , .
- JARM IOC . , JARM, JARM , IP . , .
JARM , , , , . JARM .
, . JARM Palo Alto Networks API JARM.
Palo Alto ., , , Zeek ( Bro) – open-source , .
Zeek TLS, .. . , , TLS, , .
Zeek TLS JA3\JA3S.
Zeek, , SIEM ( SIEM, Zeek’ ). , SIEM . Zeek , .
JARM , Palo Alto, . github , , . JARM.
JA3\JA3S. , , Emotet TrickBot:
JA3 = 4d7a28d6f2263ed61de88ca66eb011e3 (Emotet) JA3S = 80b3a14bccc8598a1f3bbe83e71f735f (C2 Server Response) JA3 = 6734f37431670b3ab4292b8f60f29984 (Trickbot) JA3S = 623de93db17d313345d7ea481e7443cf(C2 Server Response)
JA3, .
, , , , - – . , , .
JA3 .
, , . , , , . – .
JA3\JA3S .
.
C&C JARM.
TLS-, , JARM ( , SOAR), , C&C , , .
JA3 , .
Windows JA3 , Linux (Android/IOS), . ( / NAT). , , IT.
JA3 , .
Firefox Chrome ( NAT ). , , Fingerprint. .
JA3 , .
, C/C++. , Python Golang. , requests ( python) http ( Golang), . , , . , «» , , . JA3 , .
: JARM ( JA3S ) C&C , .
, JARM , .
, TLS Fingerprinting, , , TLS 1.3.
TLS 1.3 , — SNI (Server Name Indication). HTTPS HOST, IP HTTPS-. , fingerprint, , . , , SNI.
TLS 1.3 – Encrypted SNI (ESNI), , .
ESNI , . ESNI , , TLS fingerprinting , .
:
, SOC-;
, Threat Intelligence @AAMinin;
, .