Bright Ideas Blog
Finding SUNBURST backdoor with Zeek logs & Corelight
By John Gamble – December 14, 2020
UPDATE 12-16-20: Corelight Resources