Rule Documentation: Detection of Malicious JA3 Fingerprints in SSL Connections
Malicious Ja3fingerprint
Query
DeviceNetworkEvents
| where ActionType contains "SslConnectionInspected"
| extend parsed = parse_json(AdditionalFields)
| where parsed.ja3 in (externaldata(Ja3Hash: string) [@"https://raw.githubusercontent.com/0xAnalyst/DefenderATPQueries/main/Malja3fingerpints"])
# filter noise by removing internal IPs and internal domain certificates by parsed.subject or remvoe private IPs by where not (ipv4_is_private(RemoteIP))About this query
Rule Documentation: Detection of Malicious JA3 Fingerprints in SSL Connections
Description
This detection rule identifies SSL connections inspected by Microsoft Defender for Endpoint (MDE) that match known malicious JA3 fingerprints. JA3 fingerprints are used to identify SSL/TLS clients based on their SSL/TLS handshake. Monitoring for these fingerprints can help detect potentially malicious activity, such as command and control (C2) communications.
Detection Logic
- Monitors
DeviceNetworkEventsfor events where theActionTypecontains "SslConnectionInspected". - Parses the
AdditionalFieldscolumn as JSON to extract theja3fingerprint. - Compares the extracted
ja3fingerprint against a list of known malicious JA3 fingerprints sourced from an external dataset.
Tags
- Network Monitoring
- SSL/TLS Inspection
- JA3 Fingerprinting
- Malicious Activity
- Command and Control (C2)
- Suspicious Activity
Search Query
Explanation
This query is designed to detect potentially malicious SSL connections by identifying known malicious JA3 fingerprints. Here's a simple breakdown of what it does:
-
Purpose: The query aims to find SSL connections that might be part of malicious activities, such as command and control communications, by using JA3 fingerprints. JA3 fingerprints help identify SSL/TLS clients based on their handshake patterns.
-
Data Source: It looks at
DeviceNetworkEventsdata, specifically events where theActionTypeindicates that an SSL connection has been inspected. -
Process:
- It extracts the JA3 fingerprint from the
AdditionalFieldscolumn, which is stored in JSON format. - It then checks if this JA3 fingerprint matches any known malicious fingerprints from an external list.
- It extracts the JA3 fingerprint from the
-
Filtering: The query also includes a step to reduce false positives by filtering out noise. This involves removing events related to internal IP addresses or internal domain certificates, ensuring that only potentially malicious external connections are flagged.
-
Tags: The query is associated with network monitoring, SSL/TLS inspection, JA3 fingerprinting, and detecting suspicious or malicious activities, particularly those related to command and control communications.
Details

Ali Hussein
Released: June 25, 2024
Tables
Keywords
Operators