Date: 09/11/2024
Vendor: FoxIO
Technology/Topic: How to Detect (almost) Everything with JA4+ Network Fingerprinting
URL: https://foxio.io
______________________________________________
Welcome to the Technical Exchange Meeting (TEM)!
JA4+ is a suite of network fingerprinting methods that replaces JA3 TLS Fingerprinting and adds new fingerprinting methods for several other network protocols. Combined, these fingerprints provide a clear picture of what is happening in any given network session without the need to break TLS. In this presentation I will show you how to detect malware clients like Sliver, Havoc, and Pikabot, their C2 servers, reverse SSH shells, session hijacking, stolen API secrets, inbound bots, scanners, hacking tools, and connections from VPNs, how to estimate the location of the true client behind the VPN, and many more, just by looking at the network traffic with JA4+ and all without the need to break TLS.
John Althouse, together with his team, has created JA3/S, JARM, and HASSH, network fingerprinting methods used throughout the industry including in products from Microsoft, Google, and AWS. JA4+ is the latest set of fingerprints with much more powerful capabilities.
______________________________________________
To join the DISA TEM mailing list, please contact: disa.tem@mail.mil
______________________________________________
Disclaimer:
— TEMs do not serve as a marketing venue or request for proposal actions.
— TEMs shall not be interpreted as a commitment by the Government to issue a solicitation or ultimately award a contract.
— TEMs do not serve as an endorsement of any presented technologies or capabilities.
— Presentations will not be considered as proposals nor will any awards be made as a result of a TEM session.
— TEMs are public open forums – no proprietary or sensitive information should be presented during TEM sessions. Only publicly-facing content is permissible in DISA TEM sessions.