An important aspect of threat hunting is the creation and the prioritisation of hunting hypotheses. You want to avoid spending your valuable time into investigations that yield little result. Prioritisation can be used in two areas: the creation of new hunting hypotheses, and assigning priorities to the hypotheses on your backlog.

During several months we worked together with a number of Dutch financial institutions to create the threat hunting methodology called TaHiTI. Which stands for Targeted Hunting integrating Threat Intelligence. You can obtain it from here: https://www.betaalvereniging.nl/en/safety/tahiti.

Within this blog post I will explain how JA3 can be used in Threat Hunting. I will discuss a relative simple hunt on a possible way to identify malicious PowerShell using JA3 and a more advanced hunt that involves the use of Darktrace and JA3.