Hot Topics

Corelight Labs

Telegram Zeek, you’re my main notice

Telegram Zeek, you’re my main notice

| | Corelight Labs, Corelight@Home, NetControl, network detection response, Network Security, network security monitoring, network traffic analysis, network visibility, Notice Framework, TCP, Telegram, Zeek
Notices in Zeek Zeek’s Notice Framework enables network operators to specify how potentially interesting network findings can be reported. This decoupling of detection and reporting highlights Zeek’s flexibility: a notice-worthy event in ...
Bright Ideas Blog
PrintNightmare, SMB3 encryption, and your network

PrintNightmare, SMB3 encryption, and your network

| | Corelight Labs, CVE-2021-1675, CVE-2021-34527, DCE/RPC, dll, encryption, NDR, network detection response, Network Security, PrintNightmare, SMB3, Zeek
By Yacin Nadji and Ben Reardon, Corelight Security Researchers CVE-2021-1675, also tracked in CVE-2021-34527, is a remote code execution vulnerability that targets the Windows Print Spooler service. In a nutshell, there is ...
Bright Ideas Blog
Corelight Sensors detect the ChaChi RAT

Corelight Sensors detect the ChaChi RAT

| | blackberry, C2, ChaChi, Command And Control, Corelight Labs, dns, pcap, rat, remote-access Trojan, SERVFAIL, Vern Paxson, Wireshark
By Paul Dokas, Keith Jones, Anthony Kasza, Yacin Nadji, & Vern Paxson – Corelight Labs Team Recently Blackberry analyzed a new GoLang Remote Access Trojan (RAT) named “ChaChi.” This sample was interesting ...
Bright Ideas Blog
Finding SolarWinds / SUNBURST backdoors with Zeek, Suricata, & Corelight

Detecting CVE-2021-31166 – HTTP vulnerability

| | Accept-Encoding, Corelight Labs, CVE-202131166, GitHub, http, http.log, HTTP.sys, Network Security, network security monitoring, network traffic analysis, network visibility, SOAP, SolarWinds, SUNBURST, WinRM, Zeek
By Ben Reardon, Corelight Security Researcher In this blog we aim to provide a little insight into part of the lifecycle of Corelight Lab’s response to a critical HTTP vulnerability. We’ve open-sourced ...
Bright Ideas Blog
Introducing RDP Inferences

Introducing RDP Inferences

| | Alert AA21-131A, Announcements, APT39, APT40, Corelight Labs, Crowbar, DarkSide ransomware, Duo, Emotet, encrypted traffic, encrypted traffic collection, JA3, Matrix ransomware, network detection response, Network Security, network security monitoring, network traffic analysis, network visibility, Palo Alto Networks, RDP, RDPBCGR, Richard Bejtlich, rsa, RSAConference, Vern Paxson, Zeek, Zscaler
By Anthony Kasza, Technical Director, Corelight Corelight recently released a new package, focused on RDP inferences, as part of our Encrypted Traffic Collection. This package runs on Corelight Sensors and provides network ...
Bright Ideas Blog
Pingback: ICMP Tunneling Malware

Pingback: ICMP Tunneling Malware

| | Corelight Labs, Detection, Echo Reply, Echo Request, ICMP, ICMP RFC 792, IP, Malware, network detection response, network security monitoring, network traffic analysis, pingback, Suricata, Trustwave, Zeek
By Keith Jones, Anthony Kasza and Ben Reardon, Security Researchers, Corelight Introduction Recently, Trustwave reported on a new malware family which they discovered during a breach investigation. The backdoor, dubbed Pingback, executes ...
Bright Ideas Blog
Detect C2 ‘RedXOR’ with state-based functionality

Detect C2 ‘RedXOR’ with state-based functionality

| | C2, Corelight Labs, http, Intezer, Linux, RedXOR, Zeek
By Ben Reardon, Corelight Security Researcher Recently a very interesting Linux-based command-and-control (C2) malware was described by the research team at Intezer. As usual there is a set of simple network-based IOCs ...
Bright Ideas Blog
Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example

Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example

| | Corelight Labs, DFIR, encrypted traffic, Industry, Solarigate, SolarWinds, SUNBURST, TLS, Zeek, zeek logs
Ben Reardon – Corelight Labs Researcher The threat actors who created SUNBURST went to extraordinary lengths to hide Command-and-Control (C2) traffic by mimicking the nature of communication patterns used by legitimate software ...
Bright Ideas Blog
Finding SUNBURST Backdoor with Zeek Logs & Corelight

Finding SUNBURST Backdoor with Zeek Logs & Corelight

| | C2, Corelight Labs, dns, fireeye, http, Industry, Mandiant, Network IOC, OIP, Orion, PT, SIEM, Sigma rules, Solarigate, SolarWinds, Splunk, SUNBURST, x509, Zeek
John Gamble, Director of Product Marketing, Corelight FireEye’s threat research team has discovered a troubling new supply chain attack targeting SolarWind’s Orion IT monitoring and management platform. The attack trojanizes Orion software ...
Bright Ideas Blog
Community detection: CVE-2020-16898

Community detection: CVE-2020-16898

| | Bad Neighbor, Corelight Labs, CVE-2020-16898, DoS, ESNET, GitHub, ICMP, IPv6, mcafee, Microsoft, pcap, PoC, REC, Remote Code Execution, RFC4443, RFC8106, TCP, Windows, Zeek, ZeekWeek
By Ben Reardon, Corelight Security Researcher This month’s Microsoft Patch Tuesday included a severe Remote Code Execution vulnerability in the way that Windows TCP/IP handles IPv6 “Router Advertisement” ICMP messages. Due to ...
Bright Ideas Blog
Load more