Threat Hunting with JARM

Threat Hunting with JARM
Recently I have been testing a new tool created by the people at Salesforce. The tool is called JARM and what it does is query TLS instances (HTTPS servers and services) to create a fingerprint of their TLS configuration. Much like analyzing the nuances of network traffic can be used to fingerprint the operating system and version of a server, JARM fingerprints TLS instances to create a fingerprint which can be used to compare one TLS service to another. The JARM repository on github provides two executable files. The first jarm.py can be used to create a fingerprint for any TLS enabled service. The second jarm.sh is used to automate a JARM scan across a range of IPs. For example the fingerprint for isc.sans.edu can be generated as follows: `$ python3 jarm.py isc.sans.edu Domain: isc.sans.edu Resolved IP: 45.60.103.34 JARM: 29d29d00029d29d00041d41d0000005d86ccb1a0567e012264097a0315d7a7` JARM can be used for a number of purposes. As the Salesforce blog post says: “JARM fingerprints can be used to: Quickly verify that all servers in a group have the same TLS configuration. Group disparate servers on the internet by configuration, identifying that a server may belong to Google vs. Salesforce vs. Apple, for example. Identify default applications or infrastructure. Identify malware command and control infrastructure and other malicious servers on the Internet.” Shodan has integrated JARM and has generated JARM fingerprints for all TLS instances they have discovered and integrated them into a Shodan facet. You can query Shodan’s JARM results from the Shodan web tool, or from any Linux with Python installed you can use the Shodan command line, or use the Shodan API, to query fingerprints So how can this be used to detect malware deployments? Well it turns out that the when malware deploys a TLS enabled service the fingerprints tend to stay the same across multiple deployments. The JARM developers have given us the fingerprints for a number of common malware families. Using this information you could create a script to run across your address space and compare the computed fingerprints to the known malware fingerprints or you could just use Shodan to do this comparison. In this example below I am using the Shodan command line to query the JARM results for AS209 and comparing the result to the fingerprint for Cobalt Strike (a red team tool often dropped by emotet and other malware onto compromised servers). $ shodan search asn:as209 ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 184.99.37.107 443 HTTP/1.1 403 Forbidden\r\nContent-Length: 310\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n 71.37.172.120 443 71-37-172-120.lsv2.qwest.net HTTP/1.1 403 Forbidden\r\nContent-Length: 316\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n 71.37.172.123 443 71-37-172-123.lsv2.qwest.net HTTP/1.1 403 Forbidden\r\nContent-Length: 316\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n 97.122.203.173 443 97-122-203-173.hlrn.qwest.net HTTP/1.1 403 Forbidden\r\nContent-Length: 303\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n 174.16.120.233 443 174-16-120-233.hlrn.qwest.net HTTP/1.1 403 Forbidden\r\nContent-Length: 309\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n 65.144.105.2 443 mail.strataproducts.com HTTP/1.1 403 Forbidden\r\nContent-Length: 314\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n 65.144.105.6 443 HTTP/1.1 200 OK\r\nCache-Control: private\r\nContent-Type: text/html; charset=utf-8\r\nServer: Microsoft-IIS/7.5\r\nSet-Cookie: ASP.NET_SessionId=vpxjjrrzezdnobjeacvfff45; path=/; HttpOnly\r\nX-AspNet-Version: 2.0.50727\r\nX-Powered-By: ASP.NET\r\nDate: Sun, 22 Nov 2020 02:31:11 GMT\r\nContent-Length: 47074\r\n\r\n 65.144.7.67 443 HTTP/1.1 403 Forbidden\r\nContent-Length: 352\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n 71.222.37.196 443 71-222-37-196.lsv2.qwest.net HTTP/1.1 403 Forbidden\r\nContent-Length: 316\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n I have to believe there have to be some false positives in the results, but it gives you a place to start. For more information on JARM, please check out the Salesforce JARM blog post For downloading, JARM can be found on github. -- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)	Rick 317 Posts ISC Handler Nov 27th 2020
Thread locked Subscribe	Nov 27th 2020 1 month ago
Trying with some Emotet C2 from https://feodotracker.abuse.ch/browse/ the fingerprint was just 00..00, maybe a problem with the port-number	Anonymous
Quote	Nov 28th 2020 1 month ago
A response of all 0's from JARM means that the port did not answer the TLS Hello request which usually means it is not a TLS enabled service.	Rick 317 Posts ISC Handler
Quote	Nov 28th 2020 1 month ago

Recently I have been testing a new tool created by the people at Salesforce. The tool is called JARM and what it does is query TLS instances (HTTPS servers and services) to create a fingerprint of their TLS configuration. Much like analyzing the nuances of network traffic can be used to fingerprint the operating system and version of a server, JARM fingerprints TLS instances to create a fingerprint which can be used to compare one TLS service to another.

The JARM repository on github provides two executable files. The first jarm.py can be used to create a fingerprint for any TLS enabled service. The second jarm.sh is used to automate a JARM scan across a range of IPs. For example the fingerprint for isc.sans.edu can be generated as follows:

$ python3 jarm.py isc.sans.edu
Domain: isc.sans.edu
Resolved IP: 45.60.103.34
JARM: 29d29d00029d29d00041d41d0000005d86ccb1a0567e012264097a0315d7a7

JARM can be used for a number of purposes. As the Salesforce blog post says:

“JARM fingerprints can be used to:

Quickly verify that all servers in a group have the same TLS configuration.
Group disparate servers on the internet by configuration, identifying that a server may belong to Google vs. Salesforce vs. Apple, for example.
Identify default applications or infrastructure.
Identify malware command and control infrastructure and other malicious servers on the Internet.”

Shodan has integrated JARM and has generated JARM fingerprints for all TLS instances they have discovered and integrated them into a Shodan facet. You can query Shodan’s JARM results from the Shodan web tool, or from any Linux with Python installed you can use the Shodan command line, or use the Shodan API, to query fingerprints

So how can this be used to detect malware deployments? Well it turns out that the when malware deploys a TLS enabled service the fingerprints tend to stay the same across multiple deployments. The JARM developers have given us the fingerprints for a number of common malware families.

Using this information you could create a script to run across your address space and compare the computed fingerprints to the known malware fingerprints or you could just use Shodan to do this comparison. In this example below I am using the Shodan command line to query the JARM results for AS209 and comparing the result to the fingerprint for Cobalt Strike (a red team tool often dropped by emotet and other malware onto compromised servers).

$ shodan search asn:as209 ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1

184.99.37.107  443       HTTP/1.1 403 Forbidden\r\nContent-Length: 310\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n
71.37.172.120  443   71-37-172-120.lsv2.qwest.net  HTTP/1.1 403 Forbidden\r\nContent-Length: 316\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n
71.37.172.123  443   71-37-172-123.lsv2.qwest.net  HTTP/1.1 403 Forbidden\r\nContent-Length: 316\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n
97.122.203.173 443   97-122-203-173.hlrn.qwest.net  HTTP/1.1 403 Forbidden\r\nContent-Length: 303\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n
174.16.120.233 443   174-16-120-233.hlrn.qwest.net  HTTP/1.1 403 Forbidden\r\nContent-Length: 309\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n
65.144.105.2  443   mail.strataproducts.com HTTP/1.1 403 Forbidden\r\nContent-Length: 314\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n
65.144.105.6  443       HTTP/1.1 200 OK\r\nCache-Control: private\r\nContent-Type: text/html; charset=utf-8\r\nServer: Microsoft-IIS/7.5\r\nSet-Cookie: ASP.NET_SessionId=vpxjjrrzezdnobjeacvfff45; path=/; HttpOnly\r\nX-AspNet-Version: 2.0.50727\r\nX-Powered-By: ASP.NET\r\nDate: Sun, 22 Nov 2020 02:31:11 GMT\r\nContent-Length: 47074\r\n\r\n
65.144.7.67   443       HTTP/1.1 403 Forbidden\r\nContent-Length: 352\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n
71.222.37.196  443   71-222-37-196.lsv2.qwest.net  HTTP/1.1 403 Forbidden\r\nContent-Length: 316\r\nContent-Type: text/html\r\nConnection: Close\r\n\r\n

I have to believe there have to be some false positives in the results, but it gives you a place to start.

For more information on JARM, please check out the Salesforce JARM blog post

For downloading, JARM can be found on github.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

317 Posts
ISC Handler

Nov 27th 2020

Trying with some Emotet C2 from https://feodotracker.abuse.ch/browse/ the fingerprint was just 00..00, maybe a problem with the port-number

Anonymous

A response of all 0's from JARM means that the port did not answer the TLS Hello request which usually means it is not a TLS enabled service.

Rick

317 Posts
ISC Handler