Corelight Labs - Tagged - Security Boulevard
Pingback: ICMP Tunneling Malware

Pingback: ICMP Tunneling Malware

By Keith Jones, Anthony Kasza and Ben Reardon, Security Researchers, Corelight Introduction Recently, Trustwave reported on a new malware family which they discovered during a breach investigation. The backdoor, dubbed Pingback, executes ...
Detect C2 ‘RedXOR’ with state-based functionality

Detect C2 ‘RedXOR’ with state-based functionality

By Ben Reardon, Corelight Security Researcher Recently a very interesting Linux-based command-and-control (C2) malware was described by the research team at Intezer. As usual there is a set of simple network-based IOCs ...
Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example

Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example

Ben Reardon – Corelight Labs Researcher The threat actors who created SUNBURST went to extraordinary lengths to hide Command-and-Control (C2) traffic by mimicking the nature of communication patterns used by legitimate software ...
Finding SUNBURST Backdoor with Zeek Logs & Corelight

Finding SUNBURST Backdoor with Zeek Logs & Corelight

John Gamble, Director of Product Marketing, Corelight FireEye’s threat research team has discovered a troubling new supply chain attack targeting SolarWind’s Orion IT monitoring and management platform. The attack trojanizes Orion software ...
Community detection: CVE-2020-16898

Community detection: CVE-2020-16898

By Ben Reardon, Corelight Security Researcher This month’s Microsoft Patch Tuesday included a severe Remote Code Execution vulnerability in the way that Windows TCP/IP handles IPv6 “Router Advertisement” ICMP messages. Due to ...
Give me my stats!

Give me my stats!

By Keith J. Jones, Corelight Sr. Security Researcher I often develop packages for Zeek in cluster mode. In this configuration, it can be difficult to debug your package because it is a ...

Detecting Zerologon (CVE-2020-1472) with Zeek

By Yacin Nadji, Corelight Security Researcher CVE-2020-1472 aka Zerologon, disclosed by Tom Tervoort of Secura, is an illustrative case study of how a small implementation mistake in cryptographic routines cascades into a ...

Zeek in it’s sweet spot: Detecting F5’s Big-IP CVE10 (CVE-2020-5902)

By Ben Reardon, Corelight Security Researcher Having a CVE 10 unauthenticated Remote Code Execution vulnerability on a central load balancing device? That’s bad… Not being able to detect when a threat actor ...

Ripple20 Zeek package open sourced

By Ben Reardon, Corelight Security Researcher Recently, security research group JSOF released 19 vulnerabilities related to the “Treck” TCP/IP stack. This stack exists on many devices as part of the supply chain ...
DNS over TLS and DNS over HTTPS

DNS over TLS and DNS over HTTPS

By Jamie Brim, Corelight Security Researcher In this post, we’ll explore DNS over TLS (DoT) and DNS over HTTPS (DoH). DoT and DoH were invented to address privacy concerns associated with cleartext ...