cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Extract JA3 as a network analysis indicator #2080

Open ghost opened 6 years ago

ghost commented 6 years ago

JA3 is a technique for fingerprinting and describing TLS handshakes.

It would be great if for outgoing TLS sessions this fingerprint could be calculated and stored. JA3 is widely implemented in appliances by Darktrace, available as a Bro package and the abuse.ch sandnet. This fingerprint could allow further pivoting and investigating.

jbremer commented 6 years ago

Sounds like a plan. Should figure out a good way to automatically extract / group the information though. What about matching found fingerprints as opposed to only extracting 'em?

ghost commented 6 years ago

So matching fingerprints is kind of difficult -- JA3 is more about describing the TLS handshake in a sharable way than it is matching things 1-to-1. This gives you the ability to pivot or relate samples, but it describes the TLS framework that was used to establish the connection more than it does the software that ran, if that makes sense. There is an example of extracted fingerprints and you can see that one JA3 can map to many processes.

I think it would be optimal to drop it in to the network tab -- perhaps under the HTTPS tab, if you click an outbound GET request where it shows the outbound request, you could display the JA3 there.

Does that make sense?
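The JA3 string described in this thread (TLS version, cipher suites, extension types, supported groups and EC point formats, joined with dashes and commas and then MD5-hashed, with GREASE values dropped) as an added Python example; it is not code from this thread or from Cuckoo, and the ClientHello it parses is constructed inline rather than taken from a real capture.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from the JA3 string.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def ja3_from_client_hello(record: bytes):
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                   # record header (5) + handshake header (4)
    version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                             # client_version + random
    p += 1 + record[p]                      # session_id (length-prefixed)
    n = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    ciphers = [c for c in struct.unpack("!%dH" % (n // 2), record[p:p + n]) if c not in GREASE]
    p += n
    p += 1 + record[p]                      # compression_methods (length-prefixed)
    exts, groups, formats = [], [], []
    if p < len(record):                     # extensions block is optional
        ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            data = record[p:p + elen]; p += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:                 # supported_groups (elliptic curves)
                m = struct.unpack("!H", data[:2])[0]
                groups = [g for g in struct.unpack("!%dH" % (m // 2), data[2:2 + m]) if g not in GREASE]
            elif etype == 11:               # ec_point_formats
                formats = list(data[1:1 + data[0]])
    dash = lambda xs: "-".join(str(x) for x in xs)
    ja3 = ",".join([str(version), dash(ciphers), dash(exts), dash(groups), dash(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_sample_client_hello() -> bytes:
    """Constructed TLS 1.2 ClientHello (not a real capture) with a leading GREASE cipher."""
    ciphers = struct.pack("!4H", 0x0a0a, 0x1301, 0x1302, 0xc02b)
    groups = struct.pack("!H3H", 6, 0x001d, 0x0017, 0x0018)          # x25519, P-256, P-384
    ext_sni = struct.pack("!HH", 0, 0)                              # type 0, empty body
    ext_groups = struct.pack("!HH", 10, len(groups)) + groups
    ext_formats = struct.pack("!HH", 11, 3) + b"\x02\x00\x01"       # uncompressed, ansiX962
    exts = ext_sni + ext_groups + ext_formats
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Pointing `ja3_from_client_hello` at the first client-to-server TLS record of each outbound flow in a PCAP would give one fingerprint per session to show in the network tab and to pivot on across samples.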