Query Details

Rule Documentation: Detection of Malicious JA3 Fingerprints in SSL Connections

Malicious Ja3fingerprint

Query

DeviceNetworkEvents
| where ActionType contains "SslConnectionInspected" 
| extend parsed = parse_json(AdditionalFields)
| where parsed.ja3 in (externaldata(Ja3Hash: string) [@"https://raw.githubusercontent.com/0xAnalyst/DefenderATPQueries/main/Malja3fingerpints"])


# filter noise by removing internal IPs and internal domain certificates by parsed.subject or remvoe private IPs by where not (ipv4_is_private(RemoteIP))

About this query

Rule Documentation: Detection of Malicious JA3 Fingerprints in SSL Connections

Description

This detection rule identifies SSL connections inspected by Microsoft Defender for Endpoint (MDE) that match known malicious JA3 fingerprints. JA3 fingerprints are used to identify SSL/TLS clients based on their SSL/TLS handshake. Monitoring for these fingerprints can help detect potentially malicious activity, such as command and control (C2) communications.

Detection Logic

  • Monitors DeviceNetworkEvents for events where the ActionType contains "SslConnectionInspected".
  • Parses the AdditionalFields column as JSON to extract the ja3 fingerprint.
  • Compares the extracted ja3 fingerprint against a list of known malicious JA3 fingerprints sourced from an external dataset.

Tags

  • Network Monitoring
  • SSL/TLS Inspection
  • JA3 Fingerprinting
  • Malicious Activity
  • Command and Control (C2)
  • Suspicious Activity

Search Query

Explanation

This query is designed to detect potentially malicious SSL connections by identifying known malicious JA3 fingerprints. Here's a simple breakdown of what it does:

  1. Purpose: The query aims to find SSL connections that might be part of malicious activities, such as command and control communications, by using JA3 fingerprints. JA3 fingerprints help identify SSL/TLS clients based on their handshake patterns.

  2. Data Source: It looks at DeviceNetworkEvents data, specifically events where the ActionType indicates that an SSL connection has been inspected.

  3. Process:

    • It extracts the JA3 fingerprint from the AdditionalFields column, which is stored in JSON format.
    • It then checks if this JA3 fingerprint matches any known malicious fingerprints from an external list.
  4. Filtering: The query also includes a step to reduce false positives by filtering out noise. This involves removing events related to internal IP addresses or internal domain certificates, ensuring that only potentially malicious external connections are flagged.

  5. Tags: The query is associated with network monitoring, SSL/TLS inspection, JA3 fingerprinting, and detecting suspicious or malicious activities, particularly those related to command and control communications.

Details

Ali Hussein profile picture

Ali Hussein

Released: June 25, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

whereextendparse_jsoninexternaldataipv4_is_privatenot

Actions

GitHub