Intermediate | 15 min

JA4X - X.509 Certificate Fingerprinting

JA4X fingerprints X.509 certificates by their structure: which object identifiers appear in the issuer and subject names and in the extension list, and in what order. The attribute values, keys and signature are not part of the fingerprint, so certificates built by the same tool or issued under the same CA profile share one JA4X even when every name and key differs. This lets you track malicious infrastructure and specific certificate generators across certificates that a plain hash would treat as unrelated.

Prerequisites

  • Basic understanding of X.509 certificates (DER structure, names, extensions)
  • Familiarity with TLS handshakes, including where the Certificate message sits
  • Wireshark or tshark with the JA4+ plugin installed (used in the exercise)

What is JA4X?

JA4X looks at the structure of a certificate rather than its hash. It takes the object identifiers (OIDs) of the Relative Distinguished Names (RDNs) in the Issuer field, in the order they appear; the OIDs of the RDNs in the Subject field, in order; and the OIDs of the extensions present, in order. Each of the three lists is hashed separately and truncated, and the three pieces are joined with underscores into one fingerprint. The attribute values (the common name, the serial number, the public key, the signature) are deliberately left out, so two certificates with different names and keys but the same field layout produce the same JA4X. This is particularly useful for identifying certificates generated by specific malware or automated tools, which stamp out the same layout every time they run.

JA4X vs Certificate Hashes (SHA-1/SHA-256)
A certificate hash (SHA-1 or SHA-256 over the DER bytes) is unique to one specific certificate and changes the moment the operator rotates the key or reissues with a new serial. A JA4X fingerprint groups many certificates that share the same layout, such as all leaf certificates issued by Let's Encrypt, or all self-signed certificates produced by a Cobalt Strike server's built-in generator. The grouping cuts both ways: a public CA's fingerprint covers a huge benign population, so a JA4X match is a pivot, not a verdict on its own.
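The following Python is an added example, not FoxIO's reference implementation and not code from this page. It walks a DER-encoded certificate with a minimal ASN.1 reader, pulls the three OID lists, and builds the fingerprint the way the JA4X definition above describes: each OID as the hex of its raw DER content (2.5.4.6 becomes 550406), comma-joined per section, SHA-256 hashed, first 12 hex characters, sections joined with "_". Two things are assumptions to verify against the FoxIO specification before comparing output with JA4DB: that hex convention, and the use of 000000000000 for an empty section (the convention the JA4 client fingerprint uses). The function names (`ja4x`, `ja4x_sections`, `ja4x_raw`, `build_cert`) are this example's own, and the three sample certificates are constructed inline with a dummy key and signature so the script runs offline.

```python
"""JA4X fingerprint of a DER X.509 certificate (added example, not FoxIO's reference code)."""
import hashlib

# JA4X = a_b_c: a = issuer RDN OIDs, b = subject RDN OIDs, c = extension OIDs, each in
# certificate order as raw DER hex (2.5.4.6 -> 550406), comma-joined, SHA-256, first 12 hex chars.

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Yield (tag, content) of every TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        yield tag, inner

def _leading_oid_hex(seq):
    """Hex of the OID that opens an AttributeTypeAndValue or Extension SEQUENCE."""
    tag, oid, _ = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return oid.hex()

def _name_oids(name):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue {OID, value}."""
    return [_leading_oid_hex(atv) for _, rdn in _children(name) for _, atv in _children(rdn)]

def ja4x_sections(der):
    """Return (issuer_oids, subject_oids, extension_oids), each in certificate order."""
    _, cert, _ = _read_tlv(der, 0)                        # Certificate
    _, tbs, _ = _read_tlv(cert, 0)                        # TBSCertificate
    fields = list(_children(tbs))
    i = 1 if fields[0][0] == 0xA0 else 0                  # optional [0] EXPLICIT version
    issuer, subject = fields[i + 2][1], fields[i + 4][1]  # serial, sigAlg, issuer, validity, subject
    ext_oids = []
    for tag, content in fields[i + 6:]:                   # after subjectPublicKeyInfo
        if tag == 0xA3:                                   # [3] EXPLICIT Extensions
            _, exts, _ = _read_tlv(content, 0)
            ext_oids = [_leading_oid_hex(ext) for _, ext in _children(exts)]
    return _name_oids(issuer), _name_oids(subject), ext_oids

def _section_hash(oids):
    if not oids:                                          # assumption: JA4's empty-section marker
        return "0" * 12
    return hashlib.sha256(",".join(oids).encode()).hexdigest()[:12]

def ja4x(der):
    """Hashed fingerprint: three 12-hex-char sections joined with '_'."""
    return "_".join(_section_hash(s) for s in ja4x_sections(der))

def ja4x_raw(der):
    """Unhashed form (the comma-joined OID lists), handy for seeing what differs."""
    return "_".join(",".join(s) for s in ja4x_sections(der))

# --- constructed sample certificates: structurally valid DER with a dummy key and signature ---

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(hexstr):
    return _tlv(0x06, bytes.fromhex(hexstr))

def _name(attrs):
    """attrs: [(oid_hex, value)] -> one single-attribute RDN per entry, PrintableString values."""
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _oid(o) + _tlv(0x13, v.encode()))) for o, v in attrs))

def build_cert(issuer, subject, ext_oids, serial=1):
    sig_alg = _tlv(0x30, _oid("2a864886f70d01010b") + _tlv(0x05, b""))            # sha256WithRSAEncryption
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial])) + sig_alg  # v3, serial, sigAlg
           + _name(issuer) + _tlv(0x30, _tlv(0x17, b"240101000000Z") * 2) + _name(subject)
           + _tlv(0x30, _tlv(0x30, _oid("2a864886f70d010101") + _tlv(0x05, b"")) + _tlv(0x03, b"\x00\x00"))
           + _tlv(0xA3, _tlv(0x30, b"".join(_tlv(0x30, _oid(o) + _tlv(0x04, b"\x30\x00")) for o in ext_oids))))
    return _tlv(0x30, _tlv(0x30, tbs) + sig_alg + _tlv(0x03, b"\x00\x00"))

# C=550406 ST=550408 L=550407 O=55040a CN=550403; basicConstraints=551d13 keyUsage=551d0f
# subjectKeyIdentifier=551d0e subjectAltName=551d11 (constructed sample data)
DN_A = [("550406", "US"), ("550408", "CA"), ("550407", "SF"), ("55040a", "Acme"), ("550403", "a.example")]
DN_B = [("550406", "US"), ("550408", "NY"), ("550407", "NYC"), ("55040a", "Globex"), ("550403", "b.test")]
EXTS = ["551d13", "551d0f", "551d0e", "551d11"]
CERT_A = build_cert(DN_A, DN_A, EXTS, serial=1)        # self-signed, one generator "profile"
CERT_B = build_cert(DN_B, DN_B, EXTS, serial=2)        # same profile, every value different
CERT_C = build_cert(DN_A, DN_A[4:] + DN_A[:4], EXTS)   # subject RDNs reordered: CN first

if __name__ == "__main__":
    for label, cert in (("A", CERT_A), ("B", CERT_B), ("C", CERT_C)):
        print(label, ja4x(cert), ja4x_raw(cert))
```

Certificates A and B print the same fingerprint although every value in them differs; C shares the issuer and extension sections with A but gets a different subject section because the RDN order changed, which is exactly the kind of structural artifact a self-signed certificate generator leaves behind. To run it on a real certificate, export it as DER (for example `openssl s_client -connect host:443 </dev/null | openssl x509 -outform DER -out cert.der`, or Wireshark's Export Packet Bytes on the certificate in a capture) and call `ja4x(open("cert.der", "rb").read())`; the reader handles the long-form lengths real certificates use.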

Using JA4X for Threat Hunting

Malicious infrastructure often relies on automated scripts or framework defaults to generate self-signed certificates. These tend to populate the same RDNs in the same order and attach the same set of extensions every time they run, whereas a CA-issued certificate follows the CA's own profile. JA4X captures these structural artifacts, so the fingerprint survives the operator changing the common name, rotating the key, or redeploying on a new IP address.

Hands-On Exercise

Step 1: Capture a Server Certificate

tshark -i eth0 -f "tcp port 443" -w cert_capture.pcap -c 500

Write whole connections, not only the frames that match tls.handshake.type == 11: the Certificate message usually spans several TCP segments, and Wireshark can only reassemble it (and compute JA4X) from the file if the earlier segments are present, so combining -w with a -Y display filter here typically loses the certificate. Keep -c large enough to cover complete handshakes. Passive capture only yields certificates from TLS 1.2 and earlier handshakes; TLS 1.3 encrypts the Certificate message, so for a TLS 1.3 server fetch the certificate directly with openssl s_client instead.

Step 2: Analyze JA4X

Open cert_capture.pcap in Wireshark with the JA4+ plugin installed, apply the display filter tls.handshake.type == 11 to show only Certificate messages, and read the fingerprint from the JA4X column (the plugin's ja4.ja4x field; add it as a column if it is not shown). Note the three underscore-separated sections: issuer RDNs, subject RDNs, extensions. A server that sends a chain produces a JA4X per certificate, and the leaf is the one you normally pivot on.

Step 3: Correlate Findings

Look up the fingerprint in JA4DB, the public JA4+ database. Read a match with care: a hit on a public CA such as Google Trust Services or Let's Encrypt only tells you which CA profile issued the certificate and covers a huge benign population. The hunting value is in self-signed or otherwise unusual certificates whose JA4X matches a known generator such as a Cobalt Strike server's default, and in pivoting: every other certificate with that JA4X in your own telemetry was built by the same generator, whatever name or key it carries. A fingerprint absent from JA4DB is evidence of novelty, not of malice.

Lab Complete
You can now compute and read JA4X fingerprints for X.509 certificates and use them to track malicious infrastructure across certificate changes!