Skip to main content
Splunk Lantern

Rarest JA3s hashes and server combinations

You can run a search which uses JA3 and JA3s hashes to detect abnormal activity on critical servers which are often targeted in supply chain attacks. JA3 is an open-source methodology that allows for creating an MD5 hash of specific values found in the SSL/TLS handshake process, and JA3s is a similar methodology for calculating the JA3 hash of a server session. 

Required data

Deep packet inspection data

In this example, Zeek is used to generate JA3 and JA3s data but you can use any other tool which can generate that data. 

Procedure

This search is most effectively run in the following circumstances:

  • with an allow list that limits the number of perceived false positives.
  • against network connectivity that is not encrypted over SSL/TLS. 
  • with internal hosts or netblocks that have limited outbound connectivity as a client. 
  • in networks without SSL/TLS interceptions or inspection. 

 

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype="bro:ssl:json" ja3="*" ja3s="*" src_ip IN (192.168.70.0/24)
| eventstats count AS total
| stats values(ja3), values(dest_ip), values(src_ip), values(total) AS total count BY server name ja3s
| eval perc=round((count/total)*100,4)
| sort + perc

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
sourcetype="bro:ssl:json" ja3="*" ja3s="*" src_ip IN (192.168.70.0/24)

Search Zeek data for JA3 and JA3s hashes within the critical server defined.

This part of the search uses critical server netblock, 192.168.70.0/24. It's important that you adjust this part of the search to include your own critical servers.

| eventstats count AS total Generates a count for each hash in a "total" column.
| stats values(ja3), values(dest_ip), values(src_ip), values(total) AS total count BY server name ja3s Shows results in a table with the JA3, dest_ip, src_ip and total in columns grouped by server name and JA3s.
| eval perc=round((count/total)*100,4) Shows the percentage of times the JA3 and server combination occurred, rounded to 4 decimal places.
| sort + perc Sort with the least frequently occuring combination first.

Next steps

This search returns the rarest JA3s and server combinations. In the example below, you can see two TLS sessions which look suspicious for update.lunarstiiiness.com within the top ten rarest results.

clipboard_eed0cf4f9dc9d8d6ec192dc2222e1ad25.png

However, the results of this search can be inconsistent. It is most useful as an addendum to other searches in this use case.

Using additional allow lists can also help you identify additional potentially malicious results, as shown in the example below.

clipboard_e160954127f57ce776fba617bd6fa137e.png

Finally, you might be interested in other processes associated with the Detecting software supply chain attacks use case.