From detecting attacks to profiling behavior, Corelight Labs creates new ways to deepen network insight and strengthen enterprise security. We work in close partnership with other innovators at Corelight, and we take pride in the robust, deeply technical capabilities we create.

Latest research


Detecting CVE-2021-42292

11/10/21

On its surface, CVE-2021-42292 doesn’t look like the kind of vulnerability that a network-based tool can find reliably. Marked by Microsoft as a local file format vulnerability, security veterans would expect that between encryption and encoding, there would be a million different ways to evade network detection with a weaponized exploit.


Detecting CVE-2021-38647 - OMIGOD

9/21/21

Researchers at wiz.io recently found a series of vulnerabilities in Windows Open Management Infrastructure (OMI) software, which is widely installed on cloud-based Azure Linux Agents. We have open-sourced a Zeek package for the most severe of these...


Using Zeek to track communication state

9/21/21

One of Zeek's greatest strengths is its ability to deeply inspect packet streams that are fed into it. It is adept not only at identifying network protocols but also parsing them to extract large amounts of useful information. There is another...


Telegram Zeek, you're my main notice

7/28/21

Notices in Zeek’s Notice Framework enable network operators to specify how potentially interesting network findings are reported. This decoupling of detection and reporting highlights Zeek’s flexibility: a notice-worthy event in network...


PrintNightmare, SMB3 encryption

7/7/21

CVE-2021-1675, also tracked as CVE-2021-34527, is a remote code execution vulnerability that targets the Windows Print Spooler service. In a nutshell, there is a Distributed Computing Environment / Remote Procedure Call (DCE/RPC) that allows...


Corelight detects the ChaChi RAT

6/24/21

Recently Blackberry analyzed a new GoLang Remote Access Trojan (RAT) named “ChaChi.” This sample was interesting in that it tunnels information over DNS as its preferred command and control (C2) mechanism. We downloaded two PCAPs from the malware...

