Huntress

Computer and Network Security

Columbia, Maryland 70,950 followers

Managed #cybersecurity without the complexity. EDR, ITDR, SIEM & SAT crafted for under-resourced IT and Security teams.

About us

Protect Your Endpoints, Identities, Logs, and Employees. The fully managed security platform that combines endpoint detection and response, Microsoft 365 identity protection, a predictably affordable SIEM, and science-based security awareness training. Powered by custom-built enterprise technology for mid-market enterprises, small businesses, and the MSPs that support them, and delivered by unrivaled industry analysts in our 24/7 Security Operations Center. By delivering a suite of purpose-built solutions that meet budget, security, and peace-of-mind requirements, Huntress is how the globe’s most under-resourced businesses defend against today’s cyberthreats. As long as hackers keep hacking, we keep hunting.

Website
https://huntress.com
Industry
Computer and Network Security
Company size
201-500 employees
Headquarters
Columbia, Maryland
Type
Privately Held
Founded
2015
Specialties
Cyber Breach Detection, Incident Response, Endpoint Protection, Malware Analysis, and Managed Services

Updates

  • Our SOC recently detected highly sus activity on a telecom company’s network. These guys had their sights set on the crown jewel: Domain Administrator creds. Here’s what they did:
    ✅ Dumped registry hives to scrape credentials
    ✅ Probed the Active Directory environment
    ✅ Scanned the Domain Administrators group multiple times
    ✅ Locked in persistence with Scheduled Tasks
    After stopping the threat, our team found the root cause—a compromised Remote Desktop Gateway. This stands out because the account was under their control for weeks before signs of hands-on keyboard activity.

  • Getting the gift of a new device is always exciting. What’s not exciting, though, is having that new device get infected with malware or worse. We’ve got some tips to help prevent that. Join us for a special holiday edition of our Community Fireside Chat, focusing on device security best practices! Stop by to hear our SOC managers’ expert advice on keeping your new devices safe and secure—at home or at work. https://lnkd.in/e7m97dSC

    Community Fireside Chat | Secure Your New Devices

  • It’s the holidays, make sure anyone stopping by for a visit is actually welcome. See this hotel chain in Arizona that found itself hosting an uninvited guest who:
    ✅ Installed the remote access tool Atera on two hosts.
    ✅ Attempted to drop an SSH backdoor to 45[.]61[.]136[.]23.
    ✅ Created a user account named iagservice with the password 9py5PGMjvtx and added it to the Administrators group.
    Our SOC caught the activity, booted the intruder, and cleaned up all their persistence attempts before any real damage set in. The takeaway is this: lock down privilege management and high-tier accounts. 🔏 Threat actors are the worst guests—they love easy-to-leverage admin access, and they’ll stick around if you leave the doors wide open. 🚪

  • When we looked into Azure identity attacks, a few things stood out👇 ➡️ 10% of tenants had at least one rogue app. It’s more common than you'd think. ➡️ Some identities were tied to multiple malicious apps, lurking unnoticed for way too long. 👀 ➡️ Digging through permissions, scopes, and persistence? It’s like finding a needle in a haystack.🔍 These apps stick around because they’re built to hide, using permissions and access scopes to blend in. Recognizing what doesn’t belong requires effort, awareness, and a deep understanding of these tactics. This isn’t a “one-off” problem—it’s something anyone using SaaS apps could face.

  • A threat actor tried to make moves inside a New Jersey Orthopaedic network—but they didn’t get far. Here’s what went down:
    ✅ Bypassed the VPN’s MFA (misconfigurations matter, folks).
    ✅ Used RDP to pivot through the network.
    ✅ Ran some recon with ipconfig /all.
    ✅ Dropped a Cobalt Strike beacon: "rundll32.exe C:\Users\<redacted>\Temp\16\PI.dll,nvmlVgpuTypeGetName."
    Textbook, right? But here’s the cool part: our SOC spotted this in real time, traced it back to the source, worked with the partner to lock down their MFA setup, and shut it down before any damage happened. The attacker probably thought they were invisible 🤦 Those small security settings you've been meaning to check are an open invitation to attackers. Take 10 minutes today to verify your MFA setup. Stay sharp, friends…and get those misconfigurations in check. ✔️

  • 🛡️ Microsoft Defender Antivirus (MDAV) remains a useful security tool—for you AND adversaries, especially when exclusions are involved. 👾 MDAV exclusions allow a user (or threat actor) with admin privileges or higher to get around AV scans on folders, binaries, and IP addresses. 😶‍🌫️ So instead of shutting your antivirus down completely (which would be a bit sus), they can hide their activity from scans using exclusions. Check out the exclusions supported by MDAV. 👇 We also just put out a blog on the subject if you’re wondering how you can defend against these kinds of techniques: https://lnkd.in/eRGf6j_G

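    The post above describes how exclusions let an admin-level actor keep Defender running while shielding specific paths, processes, extensions, and IPs from scans. The following PowerShell script is an added example written for this page, not Huntress code or anything from the linked blog: it inventories the exclusions currently configured on a host through the real `Get-MpPreference` cmdlet, flags the ones that match a set of heuristics chosen here (whole drives, user-writable temp locations, executable extensions), and pulls recent Defender configuration-change events (event ID 5007 in the `Microsoft-Windows-Windows Defender/Operational` log) that mention exclusions. It assumes an elevated session on a Windows host where Defender is the active antivirus; the suspicious-pattern list is this example's own and not a Defender feature.

```powershell
# Added example (not Huntress code): audit Microsoft Defender Antivirus
# exclusions and recent exclusion changes on the local host.
# Assumes an elevated PowerShell session on a Windows machine with Defender active.

# 1. Enumerate the currently configured exclusions. Get-MpPreference exposes
#    path, process, extension and IP address exclusions as string arrays.
$pref = Get-MpPreference

$inventory = [ordered]@{
    Path      = @($pref.ExclusionPath)      | Where-Object { $_ }
    Process   = @($pref.ExclusionProcess)   | Where-Object { $_ }
    Extension = @($pref.ExclusionExtension) | Where-Object { $_ }
    IpAddress = @($pref.ExclusionIpAddress) | Where-Object { $_ }
}

foreach ($kind in $inventory.Keys) {
    $items = @($inventory[$kind])
    Write-Host ("{0} exclusions: {1}" -f $kind, $items.Count)
    $items | ForEach-Object { Write-Host "    $_" }
}

# Real-time monitoring being switched off is the loud variant the post contrasts
# exclusions with, so surface it alongside the inventory.
Write-Host ("Real-time monitoring disabled: {0}" -f $pref.DisableRealtimeMonitoring)

# 2. Flag exclusions that are broad or sit in user-writable locations.
#    These regexes are this example's own heuristic, not a Defender setting.
$suspiciousPathPatterns = @(
    '^[A-Za-z]:\\?$',                      # an entire drive excluded
    '\\Users\\[^\\]+\\(AppData|Temp)',     # per-user AppData/Temp trees
    '\\Windows\\Temp',                     # system temp directory
    '\\ProgramData\\',                     # writable by many services
    '\\Public\\'                           # shared, world-writable folder
)
$executableExtensions = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'scr')

$flagged = @()
foreach ($kind in 'Path', 'Process') {
    foreach ($item in @($inventory[$kind])) {
        foreach ($pattern in $suspiciousPathPatterns) {
            if ($item -match $pattern) {
                $flagged += [pscustomobject]@{ Kind = $kind; Exclusion = $item; Reason = $pattern }
                break
            }
        }
    }
}
foreach ($ext in @($inventory['Extension'])) {
    if ($executableExtensions -contains ($ext.TrimStart('.').ToLower())) {
        $flagged += [pscustomobject]@{ Kind = 'Extension'; Exclusion = $ext; Reason = 'executable file type' }
    }
}

Write-Host "`nExclusions worth a second look:"
if ($flagged.Count -eq 0) { Write-Host "    (none matched the heuristics)" }
else { $flagged | Format-Table -AutoSize | Out-String | Write-Host }

# 3. Pull recent configuration-change events. Defender records exclusion
#    changes as event ID 5007; the message names the registry value that
#    changed (e.g. ...\Exclusions\Paths\<path>), so a match on 'Exclusions'
#    isolates those from other setting changes.
$since = (Get-Date).AddDays(-30)
$changes = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message

Write-Host ("`nExclusion-related configuration changes since {0}: {1}" -f $since.ToShortDateString(), @($changes).Count)
$changes | ForEach-Object {
    Write-Host ("    [{0}] {1}" -f $_.TimeCreated, ($_.Message -split "`n" | Select-Object -Last 1).Trim())
}
```

    Run it on a fleet through your RMM or a scheduled job and ship the `$flagged` and `$changes` output to your SIEM; an exclusion that appears in 5007 events outside a change window, or one that covers a per-user Temp directory, is the kind of quiet change the post is warning about.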
  • For the longest time, info stealers felt like... meh. But then we stumbled into dark web marketplaces—where $20 could snag you Roblox login, GitHub creds, or even someone's Microsoft passwords 😱. The moment this shifted from "eh, a minor nuisance" to "this is a massive problem"? When stolen credentials became so centralized and ridiculously easy to buy that anyone could exploit them. Chris Bisnett and Kyle Hanslovan are peeling back the layers of this real-world nightmare, sharing how cybercriminals have turned stealing into a business model. Get ready for a mix of: 🔑 #Infostealer evolution 📈 Why they're thriving 🎯 What we can actually do about it
