CORELIGHT LABS
RESEARCH

From detecting attacks to profiling behavior, Corelight Labs creates new ways to deepen network insight and strengthen enterprise security. We work in close partnership with other innovators at Corelight, and we take pride in the robust, deeply technical capabilities we create.
LATEST RESEARCH
New Sliver C2 Detection Released - Redteam detected
We are excited to announce the release of a new detection package “Sliver”, which identifies and raises alerts related to the Sliver C2 framework. This new package joins our industrial-strength C2 Collection and uses a variety of techniques to detect Sliver, above and beyond our HTTP-C2 package’s existing Sliver coverage.
IoT/OT/ICS threats: Detecting vulnerable Boa web servers
On Nov. 22, 2022, Microsoft announced research findings about an ongoing supply chain attack against IoT devices running Boa web servers. The Boa web server, an open-source small-footprint web server suitable for embedded applications, was...
Detecting 5 current APTs without heavy lifting
11/8/22
The Corelight Labs team prides itself on the ability to create novel Zeek and Suricata detection content that delves deep into packet streams by leveraging the full power of these tools. However, this level of additional sophistication is not always...
Detecting the Manjusaka C2 framework
Security practitioners may know about common command-and-control (C2) frameworks, such as Cobalt Strike and Sliver, but fewer have likely heard of the so-called Chinese sibling framework “Manjusaka” (described by Talos in an excellent writeup)...
Detecting CVE-2022-30216: Windows Server Service Tampering
In July 2022, Microsoft disclosed a vulnerability in the Windows Server Service that allows an authenticated user to remotely access a local API call on a domain controller, which triggers an NTLM request...
Detecting CVE-2022-26937 with Zeek
This month, Microsoft announced a vulnerability in NFS. The exploit lies in how an attacker can force a victim NFS server to request an address from the attacker’s fake NFS server. The address returned will overflow memory on the victim NFS server...
Read the latest from Corelight Labs
Another day, another DCE/RPC RCE
Detecting Windows NFS Portmap vulnerabilities
Detecting CVE-2022-21907, an IIS HTTP Remote Code Execution vulnerability
Detecting Log4j exploits via Zeek when Java Downloads Java
Detecting Log4j via Zeek & LDAP traffic
To learn more about Corelight Labs, contact our team.