Telegram Zeek, you’re my main notice

Notices in Zeek Zeek’s Notice Framework enables network operators to specify how potentially interesting network findings can be reported. This decoupling of detection and reporting highlights Zeek’s flexibility: a notice-worthy event in network A may … Continue reading Telegram Zeek, you’re my main notice

Corelight Sensors detect the ChaChi RAT

By Paul Dokas, Keith Jones, Anthony Kasza, Yacin Nadji, & Vern Paxson – Corelight Labs Team Recently Blackberry analyzed a new GoLang Remote Access Trojan (RAT) named “ChaChi.” This sample was interesting in that it tunnels information over DNS as … Continue reading Corelight Sensors detect the ChaChi RAT

Detecting CVE-2021-31166 – HTTP vulnerability

By Ben Reardon, Corelight Security Researcher In this blog we aim to provide a little insight into part of the lifecycle of Corelight Lab’s response to a critical HTTP vulnerability. We’ve open-sourced many such responses over the last year (see Append… Continue reading Detecting CVE-2021-31166 – HTTP vulnerability

Pingback: ICMP Tunneling Malware

By Keith Jones, Anthony Kasza and Ben Reardon, Security Researchers, Corelight Introduction Recently, Trustwave reported on a new malware family which they discovered during a breach investigation. The backdoor, dubbed Pingback, executes on Windows sys… Continue reading Pingback: ICMP Tunneling Malware

Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example

Ben Reardon – Corelight Labs Researcher The threat actors who created SUNBURST went to extraordinary lengths to hide Command-and-Control (C2) traffic by mimicking the nature of communication patterns used by legitimate software within the SolarWinds pa… Continue reading Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example

Finding SUNBURST Backdoor with Zeek Logs & Corelight

John Gamble, Director of Product Marketing, Corelight FireEye’s threat research team has discovered a troubling new supply chain attack targeting SolarWind’s Orion IT monitoring and management platform. The attack trojanizes Orion software updates to d… Continue reading Finding SUNBURST Backdoor with Zeek Logs & Corelight

Community detection: CVE-2020-16898

By Ben Reardon, Corelight Security Researcher This month’s Microsoft Patch Tuesday included a severe Remote Code Execution vulnerability in the way that Windows TCP/IP handles IPv6 “Router Advertisement” ICMP messages. Due to the severity and wide scop… Continue reading Community detection: CVE-2020-16898

Detecting Zerologon (CVE-2020-1472) with Zeek

By Yacin Nadji, Corelight Security Researcher CVE-2020-1472 aka Zerologon, disclosed by Tom Tervoort of Secura, is an illustrative case study of how a small implementation mistake in cryptographic routines cascades into a privilege escalation vulnerabi… Continue reading Detecting Zerologon (CVE-2020-1472) with Zeek

Zeek in it’s sweet spot: Detecting F5’s Big-IP CVE10 (CVE-2020-5902)

By Ben Reardon, Corelight Security Researcher Having a CVE 10 unauthenticated Remote Code Execution vulnerability on a central load balancing device? That’s bad… Not being able to detect when a threat actor attempts and/or succeeds in compr… Continue reading Zeek in it’s sweet spot: Detecting F5’s Big-IP CVE10 (CVE-2020-5902)

Ripple20 Zeek package open sourced

By Ben Reardon, Corelight Security Researcher Recently, security research group JSOF released 19 vulnerabilities related to the “Treck” TCP/IP stack. This stack exists on many devices as part of the supply chain of many well known IoT/ICS/d… Continue reading Ripple20 Zeek package open sourced