START HERE
WHY CORELIGHT
SANS Protects: The Network
Threat hunting guide
OVERVIEW
PRODUCTS
SERVICES
ALLIANCES
USE CASES
Corelight now powers CrowdStrike solutions and services
Alerts, meet evidence.
5 Ways Corelight Data Helps Investigators Win
Thinking like a Threat Actor: Hunting the Ghost in the Machine
Don't trust. Verify with evidence
NDR for Dummies
The Power of Open-Source Tools for Network Detection and Response
The Evolving Role of NDR
Detecting 5 Current APTs without heavy lifting
Corelight Bright Ideas Blog
Subscribe to blog
X
Sign up for blog updates
Windows Cryptoapi
Day 1 detection: CVE-2020-0601, a community, and 40 lines of code
By Richard Bejtlich – January 16, 2020
Search
Recent Posts
Categories
- #winning (1)
- 0-day (3)
- 100G (1)
- 3CoreSec (1)
- 5G (1)
- Aarch64 (1)
- Aashish Sharma (1)
- abuse (1)
- Accel (1)
- Accept-Encoding (1)
- AFCERT (1)
- agent forwarding (1)
- Alan Saldich (2)
- Alert AA21-131A (1)
- Amazon (2)
- Amazon GuardDuty (1)
- Amazon Machine Image (1)
- Amazon Virtual Private Cloud (3)
- Amber Graner (1)
- AMI (1)
- analytics (1)
- Announcements (24)
- Anthony Kasza (3)
- AP 5000 (1)
- apache (1)
- Apache Spark (1)
- API (1)
- Application Layer Infrastructure Visibility (1)
- APT (2)
- APT39 (2)
- APT40 (2)
- Arch (1)
- ASIM (1)
- authentication (1)
- authentication protocol (1)
- award (1)
- AWS (8)
- AWS Fargate (1)
- AWS GWLB (1)
- AWS Kinesis (1)
- AWS re:Inforce (1)
- AWS Simple Storage (1)
- AWS Well-Architected (1)
- Azure Kubernetes (1)
- Azure Sentinel (3)
- Azurescape (1)
- Backstory (1)
- Bad Neighbor (1)
- behavioral detections (1)
- Berkeley Packet Filter (1)
- BGP (1)
- Big-IP (2)
- BIRT (1)
- bitcoin mining (1)
- Blackberry (2)
- BlackHat (3)
- blue team (1)
- Boa web server (1)
- BPF syntax (1)
- Brave (1)
- Brian Dye (2)
- Bro (36)
- Bro Foundation (1)
- Bro scripting language (4)
- BroCon (3)
- Broker (2)
- bruteforce (1)
- Business Incident Response (1)
- Business Insider (1)
- BusinessInsider (1)
- BZAR (1)
- C2 (7)
- CAF (1)
- CallStranger (2)
- Capture the Flag (1)
- ChaChi (2)
- change handler (1)
- Chris Inglis (2)
- Christian Kreibich (2)
- Chrome (2)
- Chronicle (1)
- Chronicle Backstory (1)
- CIM-compliant (1)
- CIO (1)
- ciphertext (1)
- CIRT (3)
- CISA (5)
- Cisco (4)
- Cisco Talos (1)
- CISO (1)
- cloud (2)
- Cloud Packet Mirroring (1)
- cloud security (2)
- Cloud Sensor (1)
- Cloudflare (1)
- CMDB (1)
- Cobalt Strike (1)
- Cobalt Strike C2 (1)
- command and control (9)
- Commonwealth Games (1)
- Community ID (4)
- Computer Incident Response Team (1)
- config.log (1)
- configuration framework (2)
- conn.log (10)
- connection protocol (1)
- container (1)
- container monitoring (2)
- continuous diagnostic monitoring (CDM) (1)
- Core Collection (1)
- Corelight (32)
- Corelight API (3)
- Corelight Investigator (3)
- Corelight Labs (31)
- Corelight open source (1)
- Corelight Sensor (17)
- Corelight Technical Add-on (1)
- Corelight vs. Open-Source (4)
- Corelight@Home (3)
- covid-19 (2)
- CPE (1)
- credential stuffing (1)
- Crowbar (1)
- Crowdstrike (4)
- CSO (2)
- CTF (1)
- Curveball (1)
- custom packages (1)
- CVE (1)
- cve-2018-13379 (1)
- CVE-2019-19521 (1)
- CVE-2020-0601 (2)
- cve-2020-0688 (1)
- CVE-2020-12695 (2)
- CVE-2020-1350 (1)
- CVE-2020-13777 (2)
- CVE-2020-1472 (1)
- CVE-2020-16898 (1)
- cve-2020-17144 (1)
- CVE-2020-5902 (2)
- CVE-2021-1675 (1)
- CVE-2021-34527 (1)
- CVE-2021-42292 (1)
- CVE-2021-44228 (3)
- CVE-202131166 (1)
- CVE-2022-22954 (1)
- CVE-2022-23270 (1)
- CVE-2022-24491 (1)
- CVE-2022-24497 (1)
- CVE-2022-26809 (1)
- CVE-2022-26937 (1)
- CVE10 (1)
- CVEs (1)
- CVSS10 (1)
- CyberDefenseMagazine (1)
- cybersecurity (18)
- Cybersecurity Excellence Award (1)
- DarkSide (1)
- data (4)
- data enrichment (1)
- data exfiltration (1)
- data lake (4)
- Data Reduction packages (1)
- data science (1)
- data visualization (1)
- Databricks (1)
- DCE/RPC (2)
- DDos (2)
- Defense Federal Acquisition (1)
- denial of service (1)
- deployment (1)
- Detection (5)
- DevSecOps (1)
- dfir (2)
- disclosure (1)
- DLL (1)
- DLP (1)
- DNS (20)
- DNS traffic visibility (1)
- dns.log (4)
- DoH (2)
- DOS (1)
- DoT (1)
- dtection.io (1)
- Duo (1)
- east-west (3)
- EC2 (2)
- Echo Reply (1)
- Echo Request (1)
- ECS (2)
- EDR (4)
- Elastic (8)
- Elastic Common Schema (1)
- Elastic Kubernetes (1)
- election infrustructure (1)
- election security (1)
- Elliptic Curve Cryptography (1)
- Emotet (1)
- Employee Spot Light (5)
- encrypted traffic (15)
- encrypted traffic collection (11)
- encryption (11)
- endpoint detection and response (2)
- entity collection (1)
- eSet (1)
- ESNET (1)
- ETC (1)
- evidence (1)
- evidence-based security strategy series (5)
- evidence-based strategy (5)
- Exabeam (1)
- Excel (1)
- executive order (1)
- exfiltration (1)
- extensibility (2)
- extensible (1)
- F5 (2)
- FCEB (1)
- featured (10)
- Federal (5)
- Federal Acquisition Regulation (1)
- Fedora (1)
- file analysis framework (1)
- Filed Under: Announcements, Product, Zeek (1)
- Filed Under: Network Security Monitoring (2)
- files.log (5)
- filter language (1)
- FireEye (1)
- firefox (2)
- firewall (1)
- flame graphs (1)
- Fleet Manager (4)
- forensics (1)
- fork-and-filter (1)
- Fortinet (1)
- ftp (2)
- funding (1)
- gateway (1)
- GCP (1)
- GDPR (1)
- General Electric (1)
- GitHub (16)
- GKE (1)
- glibc (1)
- GnuTLS (2)
- Godlua (1)
- goDoH (1)
- Google (3)
- Google GCP (2)
- Google Kubernetes (3)
- google-perftools (1)
- government (1)
- gperftools (1)
- Greg Bell (3)
- GUI (1)
- HASSH (2)
- HELK (1)
- high availability (1)
- high-fidelity traffic (1)
- Hildegard malware (1)
- home networks (1)
- Howard Samuels (1)
- html (1)
- HTTP (17)
- HTTP Logs (1)
- http.log (3)
- HTTP.sys (1)
- HTTPS (10)
- Humio (7)
- Humio Community Edition (1)
- IaaS (4)
- IAM (1)
- ICMP (3)
- ICMP RFC 792 (1)
- ICS (1)
- identification (1)
- IDS (8)
- incident responder (2)
- Incident response (14)
- Industry (20)
- inference (1)
- information leakage (1)
- infosec (2)
- Input Framework (2)
- insider threat (2)
- integration (1)
- Intel framework (1)
- Intezer (1)
- intrusion detection (5)
- investment (1)
- IOC (3)
- IoT (4)
- IP (1)
- IP address (1)
- IPS (2)
- IPSec (1)
- IPv6 (1)
- IRC (1)
- ISP (2)
- ja3 (11)
- ja3s (6)
- James Schweitzer (1)
- Java (2)
- Jean Schaffer (2)
- Joe Sandbox (1)
- Johanna Amann (2)
- John Lambert (1)
- Joy Bonaguro (1)
- JSOF (1)
- JSON (11)
- json+https (1)
- Jupyter notebooks (1)
- Kafka (4)
- Kafka Streams (2)
- Kaseya (1)
- Keith Jones (2)
- keystrokes (1)
- killchain (1)
- Kokotap (1)
- Ksniff (1)
- kubernetes (4)
- LAN (1)
- Lateral Movement (1)
- LateralMovement (1)
- Lawrence Berkeley Labs (5)
- LDAP (4)
- LDAP log analyzer (1)
- Leadership Team (3)
- libc (1)
- Linux (7)
- load balancer (1)
- log4j (6)
- log4shell (6)
- logs (8)
- M-22-09 (1)
- machine learning (1)
- malware (5)
- malware detection (1)
- malware infection (1)
- MalwareJake (1)
- Mandiant (2)
- Matrix ransomware (1)
- McAfee (1)
- memory allocator (1)
- metadata (1)
- microsoft (10)
- Microsoft Azure (3)
- Microsoft Patch Tuesday (5)
- MIME types (1)
- misconfiguration (1)
- MISP (2)
- MITM (1)
- MITRE (8)
- MITRE ATT&CK (16)
- Mizu (1)
- mozilla (1)
- MS-RDPBCGR (1)
- MS-RDPEUD2 (1)
- MS-RDPEUDP (1)
- MSP (1)
- MSSP (2)
- MTU (1)
- MyStatsInfo (1)
- nation state threats (1)
- National Cyber Director (1)
- National Cyber Strategy (1)
- National Science Foundation (1)
- NCC Group (1)
- NDR (30)
- ne (1)
- NetControl (1)
- NetControl framework (1)
- Netflow (4)
- Netlogon (1)
- network data (1)
- network detection response (34)
- network evidence (13)
- network intrusion detection system (1)
- Network IOC (1)
- network monitoring (2)
- network security (58)
- Network Security Monitoring (72)
- network traffic (3)
- network traffic analysis (40)
- network visibility (35)
- networksecurity (2)
- NIC (2)
- NIDS (2)
- north-south (1)
- Notice Framework (1)
- notice.log (1)
- NSA (1)
- NSM (18)
- NTA (7)
- OIP (1)
- OMB (3)
- OPEN ruleset (1)
- open source (23)
- open source community (19)
- OpenBSD (1)
- OpenSSL (1)
- Opera (1)
- Optus (1)
- Orion (1)
- OSquery (1)
- osquery integration (1)
- package manager (2)
- packet broker (1)
- PacketTotal (1)
- Palo Alto Networks (3)
- PANW (1)
- partner (1)
- Partnership (18)
- PAS (1)
- Paul Dokas (2)
- PCAP (18)
- perftools (1)
- Phantom (1)
- phishing (1)
- Pingback (1)
- playbooks (1)
- PoC (1)
- polaris (1)
- port 443 (1)
- port scanning (2)
- Powershell (1)
- PPTP (1)
- President Biden (1)
- PrintNightmare (1)
- Product (28)
- Proofpoint Emerging Threats (1)
- pselect6 (1)
- PsiXbot (1)
- PT (1)
- public-key cryptography (1)
- Python (2)
- Qualys (1)
- ransomware (2)
- Rasberry Pi (1)
- Raspberry Pi (3)
- RAT (2)
- RBAC (1)
- RCE (2)
- RDP (7)
- rdp.log (1)
- RDPBCGR (1)
- RDS (1)
- REC (1)
- redefs (1)
- Redis (1)
- RedXOR (1)
- Regulation (1)
- remote access trojan (2)
- Remote Code Execution (2)
- Remote Desktop Services (1)
- remote workers (1)
- RESTful API (1)
- reverse tunnel (1)
- REvil (1)
- RFC4443 (1)
- RFC8106 (1)
- Richard Bejtlich (30)
- Ripple20 (2)
- risk (1)
- Robin Sommer (2)
- router (1)
- RSA (7)
- RSA Conference (4)
- Russian cyberattacks (1)
- SAAS (3)
- sandboxing (2)
- Sankey diagrams (1)
- SANS (7)
- scripts (1)
- SDS (1)
- Secura (1)
- Secure Shell (2)
- security (1)
- Security Operations Center (3)
- SentinelOne (1)
- Series A (1)
- Series B (1)
- SERVFAIL (2)
- ServiceNow (2)
- Seth Hall (3)
- SFTP (1)
- SHA-1 (1)
- SHA1 (1)
- SharePoint (1)
- SharpRDP (1)
- SIEM (26)
- Sigma (6)
- Sigma rules (1)
- SIGRed (1)
- Sliver (2)
- Smart PCAP (2)
- SMB (4)
- SMB analysis (1)
- SMB3 (1)
- SMTP (5)
- sniffer sidecar (1)
- Snowden (1)
- SOAP (1)
- SOAR (1)
- SOC (17)
- SOC Prime (2)
- software (1)
- SOHO (1)
- Solarigate (2)
- SolarWinds (5)
- Sounil Yu (1)
- SPAN port (1)
- span ports (1)
- spearphising (1)
- specialized hardware (1)
- Spicy framework (1)
- Splunk (18)
- Splunk App (1)
- Splunkbase (1)
- SSH (14)
- SSH Exploit (1)
- SSL (10)
- ssl.log (5)
- SSL/TLS (1)
- strace (1)
- SUNBURST (7)
- supply chain (1)
- Surica (1)
- Suricata (20)
- Symantec (1)
- syslog (2)
- TAG Cyber (1)
- Tagged With: APT, BIRT, BlackHat, Business Inciden (1)
- Tagged With: Community ID, JSON, NDR, network dete (1)
- TAPs (2)
- Tbps (1)
- tcmalloc (1)
- TCP (8)
- Tcpdump (1)
- technology add-on (1)
- Telegram (1)
- Tenable (1)
- Terraform (1)
- thought leadership (5)
- threat hunter (5)
- threat hunting (11)
- threat intelligence (1)
- TLS (20)
- TLS 1.2 (2)
- TLS 1.3 (5)
- Tor (1)
- tracking files (1)
- traffic mirroring (1)
- traffic parsing (1)
- transport layer protocol (1)
- TReck (1)
- Trustwave (1)
- tshark (1)
- TTPs (4)
- Ubiquiti (1)
- ubuntu (1)
- UC Berkeley (2)
- UID (1)
- unauthorized access (1)
- Uncategorized (3)
- Unix (2)
- UPnP (1)
- URL (1)
- USENIX (1)
- Vectra (1)
- Verizon FIOS (1)
- Vern Paxson (9)
- Vince Stoffer (1)
- Virtual Private Cloud (1)
- virtual sensor (1)
- Vlad Grigorescu (1)
- VLAN (1)
- VM (1)
- VMware (1)
- VPC (4)
- VPN (4)
- vulnerability (4)
- webinar (1)
- weird.log (2)
- Whonix (1)
- Windows (2)
- Windows CryptoAPI (1)
- Windows NFS Portmap (1)
- Windows Server (2)
- WinRM (1)
- wiper malware (1)
- Wireshark (7)
- X509 (1)
- x509.log (4)
- XDR (1)
- Yacin Nadji (2)
- YARA (1)
- YouTube video (2)
- ZDNet (1)
- Zeek (109)
- Zeek Logs (15)
- Zeek Package Monitor (1)
- zeek week (1)
- ZeekWeek (7)
- zero day exploit (3)
- zero trust (3)
- Zerologon (1)
- Zscaler (1)
Archives
- May 2023 (3)
- April 2023 (1)
- March 2023 (1)
- January 2023 (2)
- December 2022 (3)
- November 2022 (2)
- October 2022 (3)
- September 2022 (1)
- August 2022 (1)
- July 2022 (1)
- June 2022 (2)
- May 2022 (9)
- April 2022 (5)
- March 2022 (3)
- February 2022 (3)
- January 2022 (1)
- December 2021 (4)
- November 2021 (5)
- October 2021 (2)
- September 2021 (2)
- August 2021 (2)
- July 2021 (3)
- June 2021 (2)
- May 2021 (9)
- April 2021 (3)
- March 2021 (4)
- December 2020 (2)
- November 2020 (3)
- October 2020 (3)
- September 2020 (3)
- August 2020 (3)
- July 2020 (3)
- June 2020 (7)
- May 2020 (2)
- April 2020 (1)
- March 2020 (2)
- February 2020 (3)
- January 2020 (2)
- December 2019 (2)
- November 2019 (4)
- October 2019 (2)
- September 2019 (2)
- August 2019 (1)
- July 2019 (3)
- June 2019 (4)
- May 2019 (5)
- April 2019 (4)
- March 2019 (4)
- February 2019 (2)
- January 2019 (2)
- December 2018 (1)
- November 2018 (1)
- October 2018 (2)
- September 2018 (3)
- August 2018 (1)
- July 2018 (1)
- June 2018 (1)
- May 2018 (1)
- April 2018 (1)
- March 2018 (2)
- February 2018 (1)
- January 2018 (1)
- December 2017 (1)
- November 2017 (1)
- September 2017 (3)
- August 2017 (1)
- July 2017 (1)
- June 2017 (1)
Authors
- Al Smith (1)
- Alan Saldich (2)
- Alex Kirk (7)
- Allen Male (1)
- Amber Graener (1)
- Anthony Kasza (5)
- Ben Reardon (7)
- Bernard Brantley (1)
- Brian Dye (8)
- Charles Strauss (2)
- Christian Kreibich (3)
- Corelight (3)
- Corelight Labs Team (19)
- Ed Amoroso, founder and CEO of TAG Cyber (guest) (1)
- Ed Smith (6)
- Gary Fisk (1)
- Gregory Bell (4)
- Howard Samuels (1)
- James Schweitzer (1)
- Jamie Brim (1)
- Jean Schaffer (7)
- Johanna Amann (3)
- John Gamble (8)
- Jon Natkins (1)
- Joy Bonaguro (1)
- Justin Azoff (1)
- Keith J. Jones (1)
- Kelley Misata (1)
- Lana Knop (1)
- Nick Hunter (1)
- Paul Dokas (1)
- Richard Bejtlich (30)
- Ricky Lin (1)
- Robin Sommer (2)
- Roger Cheeks (5)
- Ryan Victory (1)
- Sara Shuman (2)
- Sarah Banks (2)
- Seth Hall (3)
- Stan Kiefer (2)
- stevesmoot (1)
- Tim Wojtulewicz (1)
- Vern Paxson (2)
- Vijit Nair (5)
- Vince Stoffer (10)
- Yacin Nadji (2)
Subscribe to blog
X