John Althouse
John Althouse was previously at Salesforce for 10 years as the Director of Threat Detection. While there, John and his team created notable network fingerprinting methods such as JA3/S, JARM, and HASSH, used throughout the industry. He is now working on JA4+ network fingerprinting to solve as many cybersecurity challenges as possible.
Sessions
In this presentation I will explain how JA4+ network fingerprinting works and show you how to use it to detect malware clients, their C2 servers, reverse SSH shells, and connections from proxies and VPNs, to estimate the location of the true client behind the proxy or VPN, and a lot more, all just by passively looking at the network traffic with JA4+ and without the need to break encryption.
JA4+ is free and available across a wide range of open-source and vendor tools you already use, including Wireshark, Zeek, Arkime, Suricata, Censys, Vectra, etc.