Ask Huntress: Fake .XPS Invoice Leading to Credential Phishing
The Backstory Today’s request came from a partner looking for feedback on how to defend against a campaign of phishing emails that slipped past their…
Incident #2—Abusing mshta.exe & PowerShell.exe While at DattoCon 2018, our ThreatOps Team hosted a Hacking Windows Training and gave live demos at the booth. We challenged attendees…
Why is this Happening? In mid-2017, several browser manufacturers proposed and adopted plans to distrust SSL/TLS certificates issued from Symantec’s Certificate Authority due to a history of…
I was recently tagged in a Twitter thread about an obscure DOS feature in relation to auto-launching applications (commonly called persistence in offensive cyber security). Although…
A vulnerability was discovered and disclosed in late 2017 that affected the ConnectWise ManagedITSync integration, designed to sync data between the ConnectWise Manage PSA and the Kaseya VSA…
Situation Overview The hardware manufacturer ASUS included an application on all of their Windows devices called Live Update. Between June and November 2018, hackers compromised ASUS’…
The Incident Backstory A recently unsealed US indictment detailed how the GozNym cybercrime group was behind $100 million in damages. The hackers specifically infected victims’…
What is BlueKeep? During Windows’ May 2019 patch cycle, Microsoft released a patch for a remote code execution bug in their Remote Desktop Services software.…
If you’ve ever taken a look inside the Huntress Agent directory you may have noticed the file wyUpdate.exe. This executable is wyUpdate, the third-party update utility…
At Red Canary, our deep focus on mechanized detection engineering has always been complemented by an underlying need to understand emerging threats, patterns, and vulnerabilities…
If you’ve ever downloaded a “free” version of software that traditionally has a price tag, I’m looking at you, my LimeWire power-users of the 2000s.…
Executive Summary Recognizing the ability of Frontier AI models to discover and exploit vulnerabilities at unprecedented speed and scale, CISA’s Binding Operational Directive (BOD) 26-04…