Dissecting JA4H for improved Sliver C2 detections
JA4H consists of four parts: a, b, c, and d.
JA4H_a focuses on the high-level features of the request: the HTTP method, the HTTP version, whether a Cookie header is present, whether a Referer header is present, and the number of headers.

JA4H_b focuses more specifically on the headers observed in the request, excluding Cookie and Referer. It is a truncated SHA256 value of the header names in the order they appear.

JA4H_c is a fingerprint of the cookie field names. It will differ between websites, but it will stay the same for a given website or application.

JA4H_d is the most elaborate part, as it encompasses both the cookie fields and their values.

This structure makes the JA4H fingerprint highly dynamic from a detection and threat hunting perspective. It becomes increasingly specific as one moves from part _a to _d, and the important request artefacts in section _a are human-readable, which makes it flexible and easy to modify on the fly.
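As an added illustration (not code from the original article or from the JA4+ project), the Python below builds the four JA4H parts from a raw HTTP/1.x request and shows why a hunt can key on the readable _a part while _b, _c and _d shift per site. It follows the public JA4H layout, including the 4-character Accept-Language tail of JA4H_a that the text above does not mention; the sorting of cookie names and values before hashing and the 12-character SHA256 truncation are assumptions taken from that specification as I read it.

```python
import hashlib
from typing import List, Tuple

# Added example, not part of the original article. Assumptions: header names are
# hashed in wire order, cookie names and name=value pairs are sorted before hashing,
# each hash is the first 12 hex chars of SHA256, and no cookie gives 12 zeros for _c/_d.

def _h12(joined: str) -> str:
    """JA4 convention: first 12 hex characters of SHA256, or 12 zeros for empty input."""
    return hashlib.sha256(joined.encode()).hexdigest()[:12] if joined else "0" * 12

def parse_request(raw: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request into (method, version, ordered (name, value) headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *lines = head.split("\r\n")
    method, _path, proto = request_line.split(" ", 2)
    version = proto.split("/", 1)[1]  # "HTTP/1.1" -> "1.1"
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, version, headers

def ja4h(raw: str) -> str:
    method, version, headers = parse_request(raw)
    lowered = {name.lower(): value for name, value in headers}
    # JA4H_a: method (2 chars), version, cookie flag, referer flag, header count, language.
    names = [n for n, _ in headers if n.lower() not in ("cookie", "referer")]
    primary_lang = lowered.get("accept-language", "").split(",")[0].split(";")[0]
    lang = "".join(ch for ch in primary_lang.lower() if ch.isalnum())[:4].ljust(4, "0")
    part_a = (f"{method[:2].lower()}{version.replace('.', '')[:2].ljust(2, '0')}"
              f"{'c' if 'cookie' in lowered else 'n'}{'r' if 'referer' in lowered else 'n'}"
              f"{min(len(names), 99):02d}{lang}")
    # JA4H_b: header names minus Cookie/Referer, in the order seen, comma-joined, hashed.
    part_b = _h12(",".join(names))
    # JA4H_c / _d: cookie names, then name=value pairs, sorted, comma-joined, hashed.
    pairs = [c.strip().partition("=") for c in lowered.get("cookie", "").split(";") if c.strip()]
    part_c = _h12(",".join(sorted(k for k, _, _ in pairs)))
    part_d = _h12(",".join(sorted(f"{k}={v}" for k, _, v in pairs)))
    return f"{part_a}_{part_b}_{part_c}_{part_d}"

# Constructed sample request (not a real capture); hostname is a placeholder.
SAMPLE = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.internal\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Referer: https://example.internal/\r\n"
    "Cookie: sid=abc123; theme=dark\r\n\r\n"
)

if __name__ == "__main__":
    print(ja4h(SAMPLE))  # JA4H_a of this sample is ge11cr03enus
```

Changing only a cookie value alters JA4H_d and nothing else, while reordering headers alters only JA4H_b, which is why a hunt rule is typically anchored on the _a part.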
Below is a breakdown of the JA4H from Figure 1: