Partners
          Get Started
          Get Started

          From detecting attacks to profiling behavior, Corelight Labs creates new ways to deepen network insight and strengthen enterprise security. We work in close partnership with other innovators at Corelight, and we take pride in the robust, deeply technical capabilities we create.

          Latest research

          Detecting CVE-2022-30216: Windows Server Service Tampering

          8/9/22

          In July 2022, Microsoft disclosed a vulnerability in the Windows Server Service that allows an authenticated user to remotely access a local API call on a domain controller, which triggers an NTLM request...

          Read more »

          Detecting CVE-2022-23270 in PPTP

          5/26/22

          This month, Microsoft announced a vulnerability in PPTP, a part of the VPN remote access services on Windows systems that runs on port 1723/tcp. Through Microsoft’s MAPP program, Corelight Labs reviewed a proof of concept exploit for this...

          Read more »

          Detecting CVE-2022-26937 with Zeek

          5/26/22

          This month, Microsoft announced a vulnerability in NFS. The exploit lies in how an attacker can force a victim NFS server to request an address from the attacker’s fake NFS server. The address returned will overflow memory on the victim NFS server...

          Read more »

          Another day, another DCE/RPC RCE

          5/17/22

          CVE-2022-26809 was patched in Microsoft’s previous Patch Tuesday (April 12) and it’s a doozy: remote code execution on affected versions of DCE/RPC hosts. The vulnerability attracted a lot of attention in the security community, both because of its severity but also because it appears to be really hard to trigger...

          Read more »

          Detecting Windows NFS Portmap vulnerabilities

          4/21/22

          This month, Microsoft announced two vulnerabilities in portmap, which is part of ONC RPC, on Windows systems. This blog will discuss Zeek detection packages for CVE-2022-24491 and CVE-2022-24497 developed by Corelight Labs...

          Read more »

          Detecting CVE-2022-21907, an IIS HTTP Remote Code Execution vulnerability

          1/26/22

          In January 2022, Microsoft disclosed a remote code execution vulnerability for Internet Information Server (IIS) identified as CVE-2022-21907, which they have subsequently reported as wormable. Through Microsoft, Corelight Labs was able to review a...

          Read more »

          Read more from Corelight Labs

          Detecting Log4j exploits via Zeek when Java Downloads Java

          Detecting Lo4j via Zeek & LDAP traffic

          Simplifying detection of Log4Shell

          Detecting CVE-2021-4292

          Detecting CVE-2021-38647 - OMIGOD

          Get our research the minute it's published

          Sign up for Corelight Labs news.

          To learn more about Corelight Labs, contact our team.