Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Detecting The Agent Tesla Malware Family

By Keith J. Jones – July 2, 2024

Welcome to the latest from Corelight Labs! This blog continues our tradition of picking a popular malware family from Any.Run and writing a detector for it! Trending consistently at #1 on Any.Run’s malware trends list, Agent Tesla uses multiple... Read more »

Detecting the STRRAT Malware Family

By Corelight Labs Team – May 17, 2024

Introduction In this edition of Corelight’s Hunt of the Month blog, we bring you a STRRAT malware detector. In recent months STRRAT has become one of the top malware families submitted to Any.Run’s malware sandbox: Read more »

Hunt of the Month: Detecting AsyncRAT Malware Over HTTPS

By Corelight Labs Team – March 20, 2024

All code discussed in this blog can be pulled from https://github.com/corelight/zeek-asyncrat-detector Read more »

Black Hat NOC USA 2023: A tale of sharp needles in a stack of dull needles

By Ben Reardon – September 15, 2023

During Black Hat 2023 in Las Vegas, our Corelight team worked effectively and speedily with our first-rate Black Hat NOC partners Arista, Cisco, Lumen, NetWitness and Palo Alto Networks. I was fortunate enough to be a member of the NOC team at the... Read more »

Detecting Gozi Banking Malware

By Keith J. Jones – September 7, 2023

As a principal security researcher on Corelight’s Labs team, I help to solve difficult network security research problems at scale. Corelight’s customers might recognize some of my work if you see the packages “VPN Insights” or “App ID” on your... Read more »

Acting on CISA’s advice for detecting Russian cyberattacks

By Alex Kirk – February 28, 2022

Given that active cyber warfare has broken out alongside Russia’s active invasion of Ukraine - from Russian wiper malware to Anonymous hacking Russian state TV - CISA’s recent “Shields Up” memo is a timely insight into some of the TTPs defenders of... Read more »

Introducing the C2 Collection and RDP inferences

By Vince Stoffer – May 17, 2021

We’re excited to announce that the Command and Control (C2) Collection is now available with today’s launch of version 21 of the Corelight software. One of the most important ways that defenders can quickly identify and contain a security incident... Read more »

Pingback: ICMP Tunneling Malware

By Corelight Labs Team – May 6, 2021

Recently, Trustwave reported on a new malware family which they discovered during a breach investigation. The backdoor, dubbed Pingback, executes on Windows systems and communicates with its controller via ICMP messages. ICMP (Internet Control... Read more »

DNS over TLS and DNS over HTTPS

By Jamie Brim – June 17, 2020

In this post, we’ll explore DNS over TLS (DoT) and DNS over HTTPS (DoH). Read more »

What’s the riskiest part of your Bro deployment? It may be you.

By Seth Hall – August 15, 2017

Don’t overlook the obvious: the answer may be you Let me explain, because I’ve watched the following story unfold many times. A curious person gets super excited about Bro, deploys it widely in their organization, and makes a big impact on the local... Read more »