CORELIGHT LABS
RESEARCH
From detecting attacks to profiling behavior, Corelight Labs creates new ways to deepen network insight and strengthen enterprise security. We work in close partnership with other innovators at Corelight, and we take pride in the robust, deeply technical capabilities we create.
Recent Research
Network Detection of Interactive SSH Impostors Using Deep Learning
Impostors who have stolen a user's SSH login credentials can inflict significant harm to the systems to which the user has remote access. We consider the problem of identifying such imposters when they conduct interactive SSH logins by detecting discrepancies in the timing and sizes of the client-side data packets, which generally reflect the typing dynamics of the person sending keystrokes over the connection.
GGFAST: Automating Generation of Flexible Network Traffic Classifiers
When employing supervised machine learning to analyze network traffic, the heart of the task often lies in developing effective features for the ML to leverage. We develop GGFAST, a unified, automated framework that can build powerful classifiers for specific network traffic analysis tasks, built on interpretable features. The framework uses only packet sizes, directionality, and sequencing, facilitating analysis in a payload-agnostic fashion that remains applicable in the presence of encryption.
Detecting Abuse of NetSupport Manager
September 11, 2024 • Tillson Galloway
Welcome to the latest hunt from Corelight Labs! This blog continues our tradition of analyzing trending TTPs on Any.Run and writing detectors for...
Read MoreDetecting The Agent Tesla Malware Family
July 2, 2024 • Keith J. Jones
Welcome to the latest from Corelight Labs! This blog continues our tradition of picking a popular malware family from Any.Run and writing a detector...
Read MoreDetecting the STRRAT Malware Family
May 17, 2024 • Corelight Labs Team
Introduction
In this edition of Corelight’s Hunt of the Month blog, we bring you a STRRAT malware detector. In recent months STRRAT has become one of...
Read MoreAll code discussed in this blog can be pulled from https://github.com/corelight/zeek-asyncrat-detector
Read MoreFocus Terrapin patching efforts with Zeek
March 9, 2024 • Ben Reardon
In this blog, we will demonstrate how Zeek’s metadata approach can help focus patching efforts related to the recent SSH “Terrapin” attack. One of...
Read MoreHow Corelight Uses AI to Empower SOC Teams
November 15, 2023 • Vince Stoffer
The explosion of interest in artificial intelligence (AI) and specifically large language models (LLMs) has recently taken the world by storm. The...
Read MoreWriting a Zeek package in TypeScript with ZeekJS
October 26, 2023 • Simeon Miteff
Turning the tables on the infiltrator
October 16, 2023 • Ben Reardon
This article was originally featured in TechBeacon.
Read MoreUsing Corelight to Identify Ransomware Blast Radius
September 29, 2023 • Chris Brown
Over the past few months, ransomware targeting healthcare organizations has been on the rise. While ransomware is nothing new, targeting healthcare...
Read MoreBlack Hat NOC USA 2023: A tale of sharp needles in a stack of dull needles
September 15, 2023 • Ben Reardon
During Black Hat 2023 in Las Vegas, our Corelight team worked effectively and speedily with our first-rate Black Hat NOC partners Arista, Cisco,...
Read MoreTo learn more about Corelight Labs, contact our team.
Get our research the minute it's published
Sign up for Corelight Labs news.
Have questions?
Talk with one of our experts today.
