LogRhythm Labs

Time to Reset Your Router? Understanding and Removing VPNFilter Malware

On May 23, 2018, Talos Group released its analysis of an ongoing malware attack it named “VPNFilter.” The Talos analysis indicates that this attack was first identified in 2016 and, as of June 2018, has compromised more than 500,000 endpoints.…

LogRhythm Web Console Used to Quickly and Easily Visualize Okta Data

Take the First Steps Toward a Zero-Trust Model with Okta Automation

Managing multiple accounts centrally across various cloud and on-premises infrastructures is a challenge for most security operations centers. To address this ever-increasing need, the LogRhythm Office of the CISO recently implemented Okta. Okta enables a nearly seamless management process for…

AI Engine Rule Configured to Use the CAT : Metadata Field : Command list

Catch the Next WannaCry or NotPetya Ransomware Attack Before Damage Occurs

Contributors to this blog include Nathaniel “Q” Quist and Sam Straka. On April 14, 2017, Shadow Brokers released a set of previously classified exploit tools developed by the National Security Agency. Within this cache of exploits, perhaps the most notorious…


Organizations Are Failing at Timely Detection of Threats

In today’s security space, we’re all too familiar with the challenges presented by industry-wide shortages in talent, budget, and dedicated security infrastructure. Many insights from the LogRhythm 2018 Cybersecurity: Perceptions & Practices benchmark survey confirm this common understanding, yet one…

PlugX Component Files

Take a Deep Dive into PlugX Malware

In June 2017, Palo Alto’s Unit 42 Threat Research team published an excellent blog post on a newly detected version of the PlugX malware family, also known as “Korplug.” Interested to find out more about this new variant, I started…

A ccminer on a Windows System

Insider Threat Use Case: Detecting and Stopping Cryptojacking

Cryptocurrency is a hot topic right now, and even though its price is drastically falling across the board, this incredible technology will have lasting impacts on the world for years to come. Though a majority of the focus on cryptocurrencies…

First AI Engine Rule Designed to Detect Memcached Attacks—CAT : Attack : Allowed Potential Memcached Reflection Attack

Detecting Memcached DDoS Attacks Targeting GitHub

Contributors to this blog include Nathaniel “Q” Quist and Dan Kaiser. On February 28 and March 5, 2018, Memcached DDoS attacks targeted GitHub. LogRhythm Labs performed an investigation into the cause, effect, and outcome of these attacks. The following will…

The Graphical Structure of a Typical PDF File

Detecting Potentially Malicious JavaScript Embedded Within a PDF File Using LogRhythm NetMon

Various blog posts have been written by LogRhythm’s very own resident NetMon expert Rob McGovern regarding the numerous benefits of using Deep Packet Analytics within NetMon. If you’re not already familiar with deep packet analytics (DPA) rules, Rob’s post…

DDE Query is Run Directly in the Carbon Black Interface

Dynamic Data Exchange (DDE): Detection and Response, Part 2

Part one of this blog series discussed what Dynamic Data Exchange (DDE) is, what an attack may look like, and steps for mitigation. In Part 2, I’ll cover how LogRhythm and Carbon Black can work together to help detect a…

The Custom Field Can be Specially Modified to Contain Malicious Code

Dynamic Data Exchange (DDE): Detection and Response, Part 1

Malicious actors have begun using Microsoft’s Dynamic Data Exchange (DDE) mechanism to deliver payloads via Microsoft Office documents instead of the traditional embedded macros or VBA code. Specially crafted Microsoft Office documents sent via email can be used to carry…
