Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Corelight Sensors detect the ChaChi RAT

By Corelight Labs Team – June 24, 2021

Recently Blackberry analyzed a new GoLang Remote Access Trojan (RAT) named “ChaChi.” This sample was interesting in that it tunnels information over DNS as its preferred command and control (C2) mechanism. We downloaded two PCAPs from the malware... Read more »

Corelight Sensors detect the ChaChi RAT

By Corelight Labs Team – June 23, 2021

Recently Blackberry analyzed a new GoLang Remote Access Trojan (RAT) named “ChaChi.” This sample was interesting in that it tunnels information over DNS as its preferred command and control (C2) mechanism. We downloaded two PCAPs from the malware... Read more »

Detecting CVE-2021-31166 – HTTP vulnerability

By Ben Reardon – May 26, 2021

In this blog we aim to provide a little insight into part of the lifecycle of Corelight Lab’s response to a critical HTTP vulnerability. We’ve open-sourced many such responses over the last year (see Appendix A), and this one is a good demonstration... Read more »

Introducing RDP Inferences

By Anthony Kasza – May 19, 2021

Corelight recently released a new package, focused on RDP inferences, as part of our Encrypted Traffic Collection. This package runs on Corelight Sensors and provides network traffic analysis (NTA) inferences on live RDP traffic. Read more »

Pingback: ICMP Tunneling Malware

By Corelight Labs Team – May 6, 2021

Recently, Trustwave reported on a new malware family which they discovered during a breach investigation. The backdoor, dubbed Pingback, executes on Windows systems and communicates with its controller via ICMP messages. ICMP (Internet Control... Read more »

Detect C2 ‘RedXOR’ with state-based functionality

By Ben Reardon – April 19, 2021

Recently a very interesting Linux-based command-and-control (C2) malware was described by the research team at Intezer. As usual there is a set of simple network-based IOCs in the form of domains and IPs that organizations can search against their... Read more »

Detecting SUNBURST/Solarigate activity in retrospect with Zeek

By Ben Reardon – December 21, 2020

The threat actors who created SUNBURST went to extraordinary lengths to hide Command-and-Control (C2) traffic by mimicking the nature of communication patterns used by legitimate software within the SolarWinds package. Read more »

Finding SUNBURST backdoor with Zeek logs & Corelight

By John Gamble – December 14, 2020

UPDATE 12-16-20: Corelight Resources Read more »

Community detection: CVE-2020-16898

By Ben Reardon – October 14, 2020

This month’s Microsoft Patch Tuesday included a severe Remote Code Execution vulnerability in the way that Windows TCP/IP handles IPv6 “Router Advertisement” ICMP messages. Due to the severity and wide scope, we in Corelight Labs immediately set... Read more »

Give me my stats!

By Keith J. Jones – September 20, 2020

I often develop packages for Zeek in cluster mode. In this configuration, it can be difficult to debug your package because it is a continually running environment with real, and often unpredictable, network data. If you add to that other packages... Read more »