Ben Reardon

Detecting ​​CVE-2021-38647 - OMIGOD

Researchers at recently found a series of vulnerabilities in Windows Open Management Infrastructure (OMI) software, which is widely installed on cloud-based Azure Linux Agents. We have open-sourced a Zeek package for the most severe of these... Read more »

Detecting CVE-2021-31166 – HTTP vulnerability

In this blog we aim to provide a little insight into part of the lifecycle of Corelight Lab’s response to a critical HTTP vulnerability. We’ve open-sourced many such responses over the last year (see Appendix A), and this one is a good demonstration... Read more »

Detect C2 ‘RedXOR’ with state-based functionality

Recently a very interesting Linux-based command-and-control (C2) malware was described by the research team at Intezer. As usual there is a set of simple network-based IOCs in the form of domains and IPs that organizations can search against their... Read more »

Detecting SUNBURST/Solarigate activity in retrospect with Zeek

The threat actors who created SUNBURST went to extraordinary lengths to hide Command-and-Control (C2) traffic by mimicking the nature of communication patterns used by legitimate software within the SolarWinds package. Read more »

Community detection: CVE-2020-16898

This month’s Microsoft Patch Tuesday included a severe Remote Code Execution vulnerability in the way that Windows TCP/IP handles IPv6 “Router Advertisement” ICMP messages. Due to the severity and wide scope, we in Corelight Labs immediately set... Read more »

Zeek in its sweet spot: Detecting F5’s Big-IP CVE10 (CVE-2020-5902)

Having a CVE 10 unauthenticated Remote Code Execution vulnerability on a central load balancing device? That’s bad… Read more »

Ripple20 Zeek package open sourced

Recently, security research group JSOF released 19 vulnerabilities related to the “Treck” TCP/IP stack. This stack exists on many devices as part of the supply chain of many well known IoT/ICS/device vendors. Think 100s of millions/billions of... Read more »


    Recent Posts