Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Blackhat NOC: Findings from Europe & thoughts for Asia 2024

By Dustin Lee – April 5, 2024

How quickly a year passes. 2023 was Corelight’s first year participating in the Black Hat Network Operations Center (NOC). It was a tremendous opportunity and responsibility in which we collaborated with teams from Cisco, Palo Alto Networks, Arista,... Read more »

Detections and Findings using Corelight in the Black Hat Asia NOC

By Dustin Lee – August 3, 2023

As promised, we wanted to dedicate a blog to detections and findings from the network operations center (NOC) at Black Hat Asia 2023 as a follow up to our Lessons Learned blog. Some of these discoveries may not surprise the seasoned analyst or... Read more »

Key takeaways from RSA 2023: #BetterTogether and AI in security

By Ed Smith – May 8, 2023

Whether or not you made it to RSA 2023, here are two key themes we saw throughout this year’s conference. Read more »

New Sliver C2 Detection Released - Redteam detected

By Corelight Labs Team – May 4, 2023

We are excited to announce the release of a new detection package “Sliver”, which identifies and raises alerts related to the Sliver C2 framework. This new package joins our industrial-strength C2 Collection and uses a variety of techniques to... Read more »

Detecting CVE-2022-30216: Windows Server Service Tampering

By Corelight Labs Team – August 9, 2022

In July 2022, Microsoft disclosed a vulnerability in the Windows Server Service that allows an authenticated user to remotely access a local API call on a domain controller, which triggers an NTLM request. This results in a leak of credentials that... Read more »

Corelight accelerates OMB logging adoption

By Jean Schaffer – October 7, 2021

In case you missed the Office of Management and Budget (OMB) (memo M-21-31), Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents, let me provide you the information that you need to know... Read more »

Telegram Zeek, you’re my main notice

By Yacin Nadji – July 28, 2021

Notices in Zeek Zeek’s Notice Framework enables network operators to specify how potentially interesting network findings can be reported. This decoupling of detection and reporting highlights Zeek’s flexibility: a notice-worthy event in network A... Read more »

Detecting CVE-2021-31166 – HTTP vulnerability

By Ben Reardon – May 26, 2021

In this blog we aim to provide a little insight into part of the lifecycle of Corelight Lab’s response to a critical HTTP vulnerability. We’ve open-sourced many such responses over the last year (see Appendix A), and this one is a good demonstration... Read more »

What the Cyber EO means for federal agencies

By Jean Schaffer – May 24, 2021

For those of us who have spent our careers working in cybersecurity, President Biden’s recent “Executive Order on Improving the Nation’s Cybersecurity,” (EO) held no surprises. However, it is a step toward accelerating the modernization of public... Read more »

World’s first 100G Zeek sensor

By Sarah Banks – May 23, 2021

As we finished rolling out Corelight’s v21 software release, which saw the delivery of the world’s first 100G, 1U Zeek sensor, I was reminded of when I’d first read the “100G Intrusion Detection” paper written in 2015 at Berkeley Lab. The paper... Read more »