Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

New position brings new open source opportunities

By Kelley Misata – October 12, 2022

Today marks the start of ZeekWeek, the annual conference for information technologists who rely on the Zeek® network for security monitoring. Read more »

Detecting CVE-2022-30216: Windows Server Service Tampering

By Corelight Labs Team – August 9, 2022

In July 2022, Microsoft disclosed a vulnerability in the Windows Server Service that allows an authenticated user to remotely access a local API call on a domain controller, which triggers an NTLM request. This results in a leak of credentials that... Read more »

Enriching NDR logs with context

By Stan Kiefer – June 2, 2022

Editor’s note: This is the latest in a series of posts where we explore topics such as network monitoring in Kubernetes, using sidecars to sniff and tunnel traffic, show a real-world example of detecting malicious traffic between containers, and... Read more »

Detecting CVE-2022-23270 in PPTP

By Corelight Labs Team – May 26, 2022

This month, Microsoft announced a vulnerability in PPTP, a part of the VPN remote access services on Windows systems that runs on port 1723/tcp. Through Microsoft’s MAPP program, Corelight Labs reviewed a proof of concept exploit for this... Read more »

Detecting CVE-2022-26937 with Zeek

By Corelight Labs Team – May 26, 2022

This month, Microsoft announced a vulnerability in NFS. The exploit lies in how an attacker can force a victim NFS server to request an address from the attacker’s fake NFS server. The address returned will overflow memory on the victim NFS server... Read more »

Finding CVE-2022-22954 with Zeek

By Corelight Labs Team – May 20, 2022

CISA released a warning to federal agencies on May 18 that APT actors are actively exploiting recent vulnerabilities found in VMware, including CVE-2022-22954. Your first thought may have been to want new signatures, indicators, and/or behavioral... Read more »

What makes evidence uniquely valuable?

By Gregory Bell – May 18, 2022

Editor's note: This is the third in a series of Corelight blog posts focusing on evidence-based security strategy. Catch up on all of the posts here. American novelist F. Scott Fitzgerald famously wrote that “the test of a first-rate intelligence is... Read more »

Another day, another DCE/RPC RCE

By Corelight Labs Team – May 17, 2022

CVE-2022-26809 was patched in Microsoft’s previous Patch Tuesday (April 12) and it’s a doozy: remote code execution on affected versions of DCE/RPC hosts. The vulnerability attracted a lot of attention in the security community, both because of its... Read more »

Spotting Log4j traffic in Kubernetes environments

By Stan Kiefer – May 10, 2022

Editor’s note: This is the latest in a series of posts we have planned over the next several weeks where we explore topics such as network monitoring in Kubernetes, using sidecars to sniff and tunnel traffic, show a real-world example of detecting... Read more »

Deeper visibility into Kubernetes environments with network monitoring

By Vijit Nair – April 12, 2022

Editor’s note: This is the first in a series of posts we have planned over the next several weeks. We will explore topics such as network monitoring in Kubernetes, using sidecars to sniff and tunnel traffic, show a real-world example of detecting... Read more »