Query Details
Device Network Events SSL Connection With Suspicious JA3 Fingerprint
Query
// Based on https://github.com/0xAnalyst/DefenderATPQueries/blob/main/C2/MaliciousJA3Fingerprint.kql
let ja3_list = toscalar(
externaldata(Line: string, FirstSeen:datetime)[@"https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv"] with (format="txt")
| where not(Line startswith "#")
| parse Line with JA3:string "," FirstSeen:datetime "," LastSeen:datetime "," ListingReason:string
| summarize make_list(JA3)
);
DeviceNetworkEvents
| where ActionType == "SslConnectionInspected"
| extend JA3 = tostring(AdditionalFields["ja3"])
| where JA3 in (ja3_list)
// | where not(JA3 has "e62a5f4d538cbf169c2af71bec2399b4" and AdditionalFields has_any("CN=HP", "O=HP", "CN=Canon Imaging Product"))
// | summarize DeviceNames = make_set(DeviceName), RemoteIPs = make_set(RemoteIP), take_any(*) by JA3, ActionType
Explanation
This query is looking for suspicious SSL connections on devices by comparing the JA3 fingerprint of the connection to a list of known malicious JA3 fingerprints. If a match is found, it will show details about the device and the connection.
Details
Jose Sebastián Canós
Released: June 25, 2024
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEvents,ActionType,SslConnectionInspected,AdditionalFields,JA3,DeviceName,RemoteIP.
Operators
extendwhereinsummarizemake_listmake_sethas_anytake_any