San Francisco, CA, USA
Sep 29, 2022   |  By Corelight Labs Team
Security practitioners may know about common command-and-control (C2) frameworks, such as Cobalt Strike and Sliver, but fewer have likely heard of the so-called Chinese sibling framework “Manjusaka” (described by Talos in an excellent writeup). Like other C2 frameworks, we studied the Manjusaka implant/server network communications in our lab environment, and here we document some of the detection methods available. We have also open-sourced the content we describe.
Aug 9, 2022   |  By Corelight Labs Team
In July 2022, Microsoft disclosed a vulnerability in the Windows Server Service that allows an authenticated user to remotely access a local API call on a domain controller, which triggers an NTLM request. This results in a leak of credentials that allows an attacker to authenticate to Active Directory Certification Services (ADCS) and to generate a client certificate that enables remote code execution on a domain controller.
Jul 19, 2022   |  By Jean Schaffer
The saying “data is king” has been around for quite a while and we all know that the world operates and makes decisions on digital data 24x7x365. But, is data king in the field of cybersecurity? I believe that evidence - not data - is what is needed to speed defenders’ knowledge and response capabilities, so let's talk about both.
Jun 30, 2022   |  By Bernard Brantley
Evidence is the currency cyber defenders use to pay down security debt, balancing the value equation between adversaries and the enterprise. Defenders can use evidence proactively, identifying and protecting structural risks within our zone of control. Evidence can also be used reactively by supporting detection (re)engineering, response, and recovery activities, guiding us back to identifying and protecting structural risks.
Jun 2, 2022   |  By Stan Kiefer
In this post, we show how enriching Zeek® logs with cloud and container context makes it much faster to tie interesting activity to the container or cloud asset involved.In cloud or container environments, layer 3 networking is abstracted away from the higher-level tasks of running workloads or presenting data. Because of this abstraction, when Zeek logs are collected for cloud or container network environments, the attribution of a network flow to actual workload or application is difficult.
May 26, 2022   |  By Corelight Labs Team
This month, Microsoft announced a vulnerability in NFS. The exploit lies in how an attacker can force a victim NFS server to request an address from the attacker’s fake NFS server. The address returned will overflow memory on the victim NFS server and cause a crash. Through Microsoft’s MAPP program, Corelight Labs reviewed a proof-of-concept exploit for this vulnerability and wrote a Zeek®-based detection for it. You can find a PCAP of this exploit in our GitHub repository.
May 26, 2022   |  By Corelight Labs Team
This month, Microsoft announced a vulnerability in PPTP, a part of the VPN remote access services on Windows systems that runs on port 1723/tcp. Through Microsoft’s MAPP program, Corelight Labs reviewed a proof of concept exploit for this vulnerability and wrote a Zeek®-based detection for it.
May 25, 2022   |  By Nick Hunter
This morning we announced Corelight Investigator, an open NDR platform that enables security teams with the next-level evidence they need to disrupt attacks and accelerate threat hunting through an easy-to-use, quick-to-deploy SaaS solution. How does it work? Investigator combines battle-tested network evidence with intelligent alert scoring to deliver prioritized alerts tied to correlated evidence, enabling analysts to cut through the queue and accelerate incident response.
May 20, 2022   |  By Corelight Labs Team
CISA released a warning to federal agencies on May 18 that APT actors are actively exploiting recent vulnerabilities found in VMware, including CVE-2022-22954. Your first thought may have been to want new signatures, indicators, and/or behavioral techniques to detect attempted and successful exploits. If you’re a Zeek user or Corelight customer, you’ll find that sometimes you’re already getting what you need.
May 18, 2022   |  By Gregory Bell
American novelist F. Scott Fitzgerald famously wrote that “the test of a first-rate intelligence is the ability to hold two opposing ideas in mind at the same time, and still retain the ability to function.” All experienced security practitioners learn to master this mental trick. On the one hand, they believe efforts to prevent and detect breaches will be effective. On the other hand, they diligently prepare for the day when their efforts will fail.
Sep 27, 2022   |  By Corelight
Amidst a record number of workloads moving to the cloud – security teams must not only confront the cyber-skills shortage, but also a general lack of cloud expertise. Corelight and guest Forrester will share best practices for building threat detection, hunting, and incident response capabilities to the cloud and upskilling your existing SecOps team. Watch this on demand webcast to learn.
Sep 26, 2022   |  By Corelight
See how Corelight + CrowdStrike Falcon XDR correlates suspicious telemetry from across attack surfaces to show the full picture of adversary activity, and accelerate detection and response.
Sep 8, 2022   |  By Corelight
SANS Protects is a series of papers focused on the most prevalent threats to specific, critical components of your environment as well as actions you can take to mitigate those threats and thwart threat actors. In this webcast, sponsored by Corelight, SANS Certified Instructor Matt Bromiley will examine current, prevalent network threats and how adversaries use them to take advantage of, and maintain footholds in, victim environments.
Aug 31, 2022   |  By Corelight
In this webcast, SANS certified instructor Matt Bromiley will explore the concept of zero trust and what it means to security teams and your overall security posture. As a concept, zero trust is relatively straightforward: Trust no one until verified, inside or outside the network. However, this is often easier said than done, especially for systems built on legacy authentication models. Matt will also examine what a zero trust implementation looks like, how this can stop adversaries dead in their tracks, and what your organization can do to begin moving toward a state of zero trust.
Aug 26, 2022   |  By Corelight
Many organizations want to start threat hunting but struggle with knowing where to begin, how to measure success, and how to scale an effective program. This presentation draws on the experience of elite hunters and teams around the world and will discuss an actionable threat hunting maturity model and help you prepare for each step of the journey with specific guidance, concrete examples, and sample threat hunts.
Aug 26, 2022   |  By Corelight
Open source security technologies such as Zeek, Suricata, and Elastic can deliver powerful network detection and response capabilities, and the global communities behind these tools can also serve as a force multiplier for security teams, such as accelerating their response times to zero-day exploits via community-driven detection engineering and intel sharing. This presentation will review popular open source technologies used in network DFIR and cover use cases, integrations, and open source design patterns.
Aug 5, 2022   |  By Corelight
It's been a year since President Biden's executive order that called out zero trust as a primary focus. Corelight's Richard "Chit" Chitamitre discusses the prevalent misunderstandings about zero trust, as well as use cases for how to embrace the framework and make measurable progress along the way. In this video interview, in partnership with Information Security Media Group, you will learn.
Aug 5, 2022   |  By Corelight
Is your IoT dryer transferring 1GB+ of traffic daily? Does your Tesla phone home to the mothership? Is your employer monitoring you at home? Learn a quick, easy, free method for using a Raspberry Pi to gain visibility into your home network. We'll teach you to find out what your smart (and not-so-smart) devices are doing using ZeekⓇ logs and Suricata alerts–two flagship open-source technologies–skills transferable to your day job and enterprise environments.
Aug 1, 2022   |  By Corelight
Are you interested in context for your cloud or container environment when you investigate an event from last week, last month, or last year? Would it save you time to have IDS alerts that include the full context of the connection? Watch this SANSFIRE 2022 webcast and to see James Schweitzer demonstrate easy to understand, interlinked network evidence, available wherever you need it and which also enables orchestration.
Jul 27, 2022   |  By Corelight
We’ll also look at the past two years to see if global economic impacts have caused any industry changes that give us cause to rethink our approach to threat hunting.. Key topics will include operationalizing threat hunting, innovative threat hunting tactics and techniques, and new tools that can help threat hunting for both endpoints and networks.

Corelight gives you the high ground—a commanding view of your network that lets you outsmart and outlast adversaries.

From the Acropolis to the edge of space, defenders have sought the high ground in order to see farther and turn back attacks. Corelight delivers a commanding view of your network so you can outsmart and outlast adversaries. We capture, interpret, and connect the data that means everything to defenders.

Corelight gives apex defenders the information and tools they need to successfully detect and respond to threats. Corelight is built on Zeek, an open-source, global standard technology. Zeek provides rich, structured, security-relevant data to your entire SOC, making everyone from Tier 1 analysts to seasoned threat hunters far more effective.

The Open NDR Platform:

  • Suricata: Suricata generates alerts that we embed directly into Zeek logs, putting every detection intocontext to save time, cut alert backlogs, and improve analytics.
  • Zeek: The Zeek open source network security monitor generates lightweight metadata and detections to enable threat hunting and speed incident response.
  • Smart PCAP: Smart PCAP links logs, extracted files, and insights with just the packets you need, to reduce storage costs while expanding retention times by a factor of 10.

Faster investigations, more effective threat hunts with the world's best network evidence.