{
	"id": "e840155e-e2a3-4f21-a8b2-d7bafaf9c07d",
	"created_at": "2026-04-06T00:19:32.442031Z",
	"updated_at": "2026-04-10T03:24:24.175623Z",
	"deleted_at": null,
	"sha1_hash": "95518dbb1ed65cf8340eb6668dcdfd54d0b72eae",
	"title": "Spoofing JARM signatures. I am the Cobalt Strike server now!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1208113,
	"plain_text": "Spoofing JARM signatures. I am the Cobalt Strike server now!\r\nBy Stefan Grimminck\r\nPublished: 2020-12-25 · Archived: 2026-04-06 00:04:55 UTC\r\n3 min read\r\nDec 25, 2020\r\nTL;DR: JARM is a very useful fingerprinting tool, but it can be deceived by replaying Server Hellos captured from other services.\r\nThe JARM scanner created by Salesforce is quite an effective tool for system fingerprinting. It uses the Server Hello responses from a TLS handshake to generate a signature. These signatures can then be used to find similar software or services, which makes them ideal for finding C2 or other malicious servers that implement TLS. So it doesn’t come as a surprise that Shodan.io uses this fingerprinting mechanism in their scanners. Read the Salesforce post for more information about the JARM library, the scanner and its uses.\r\nhttps://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b\r\nPage 1 of 4\r\nThe question, then, arises: is it possible to spoof these JARM signatures? Let’s find out! Salesforce stated in their post that scanning a Cobalt Strike server would result in the following signature:\r\n07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\r\nThe Cobalt Strike blog revealed that this signature isn’t Cobalt Strike specific, but let’s still use it as a starting point.\r\nFirst I used the list of addresses published by Salesforce to find a server with a matching hash. I scanned it using jarmscan and created a packet capture of the response. The Wireshark filter ssl.handshake.type == 1 displays all TLS Client Hellos sent by the scanner.\r\nWireshark capture of 10 TLS Client Hellos\r\nIn turn, the “Cobalt Strike” server returns its Server Hellos. These are used by jarmscan to generate a unique signature (filter: ssl.handshake.type == 2).\r\nWireshark capture of 10 TLS Server Hellos\r\nThese Server Hellos are the packets we want to replay. This can easily be done by setting up a TCP server that listens for the specific Client Hellos and then replays the corresponding Server Hellos captured from the alleged Cobalt Strike server. A rather lazy, but effective, approach.\r\nI scanned the server on three separate occasions and found the duplicate bytes for every request. I used these bytes to identify each specific Client Hello.\r\nLuckily Wireshark has an option to display packets as C arrays. This made it pretty easy to get the Server Hellos working in my Golang spoofing application.\r\nBy replaying these responses, slowly but steadily the fingerprint can be rebuilt.\r\n// Identify the incoming Client Hello by a byte sequence that stayed constant across scans\r\nif bytes.Contains(request, []byte{\r\n    0x00, 0x8c, 0x1a, 0x1a, 0x00, 0x16, 0x00, 0x33, 0x00,\r\n    0x67, 0xc0, 0x9e, 0xc0, 0xa2, 0x00, 0x9e, 0x00, 0x39,\r\n    0x00, 0x6b, 0xc0, 0x9f, 0xc0, 0xa3, 0x00, 0x9f, 0x00,\r\n    0x45, 0x00, 0xbe, 0x00, 0x88, 0x00, 0xc4, 0x00, 0x9a,\r\n    ... ...\r\n}) {\r\n    fmt.Println(\"replaying: tls12Forward\")\r\n    // Reply with the Server Hello captured from the scanned server for this Client Hello\r\n    conn.Write([]byte{\r\n        0x16, 0x03, 0x03, 0x00, 0x5a, 0x02, 0x00, 0x00,\r\n        0x56, 0x03, 0x03, 0x17, 0xa6, 0xa3, 0x84, 0x80,\r\n        0x0b, 0xda, 0xbb, 0x3d, 0xe9, 0x3e, 0x92, 0x65,\r\n        0x9a, 0x68, 0x7d, 0x70, 0xda, 0x00, 0xe9, 0x7c,\r\n        ... ...\r\n    })\r\n}\r\nA full signature can be faked after implementing a reply for all ten different requests.\r\n(Mis)usage of spoofed signatures\r\nYou’re probably thinking: so what? What is the use of spoofed TLS fingerprints? They could be used by malicious actors to hide their applications when tools like JARM scanners are deployed to identify services in a network or on the internet. It can also be used for good: a honeypot replaying the fingerprint of a specific service can be used to set up a digital smokescreen for attackers.\r\nNotes\r\njarmscan (jarm-go) is not a product of Salesforce. Salesforce published JARM, a Python-based JARM scanner implementation. Jarmscan (the scanner used here) is a Golang-based implementation by @RumbleDiscovery.\r\nSource: https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b"
	],
	"report_names": [
		"spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434772,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95518dbb1ed65cf8340eb6668dcdfd54d0b72eae.pdf",
		"text": "https://archive.orkl.eu/95518dbb1ed65cf8340eb6668dcdfd54d0b72eae.txt",
		"img": "https://archive.orkl.eu/95518dbb1ed65cf8340eb6668dcdfd54d0b72eae.jpg"
	}
}