Huntress

Computer and Network Security

Columbia, Maryland 82,193 followers

Managed #cybersecurity without the complexity. EDR, ITDR, SIEM & SAT crafted for under-resourced IT and Security teams.

About us

Protect Your Endpoints, Identities, Logs, and Employees. The fully managed security platform that combines endpoint detection and response, Microsoft 365 identity protection, a predictably affordable SIEM and science-based security awareness training. Powered by custom-built enterprise technology for mid-market enterprises, small businesses, and the MSPs that support them and delivered by unrivaled industry analysts in our 24/7 Security Operations Center. By delivering a suite of purpose-built solutions that meet budget, security, and peace-of-mind requirements, Huntress is how the globe’s most underresourced businesses defend against today’s cyberthreats. As long as hackers keep hacking, we keep hunting.

Industry
Computer and Network Security
Company size
501-1,000 employees
Headquarters
Columbia, Maryland
Type
Privately Held
Founded
2015
Specialties
Cyber Breach Detection, Incident Response, Endpoint Protection, Malware Analysis, and Managed Services

Updates

  • You showed up at Huntress Roadshows to tackle the real stuff: dissecting threats, breaking down attacker tactics, and giving MSPs what they need to build stronger, smarter security practices. From diving into the latest attack trends to live-fire IR strategy sessions and answering big questions at the Genius Bar—it was all about defend, empower, win. But hey—when we weren’t knee-deep in security talk, we somehow found time to kick field goals at Ford Field, race cars in Houston, drive tanks in Orlando, and catch a Bruins game in Boston. You know, the usual. Massive thanks to our partners and everyone who came out ready to share, learn, and make life harder for hackers.

  • The tournament we’ve all been *really* waiting for is finally tipping off ⛹ Yes, the “Worst Places to Store Your Password” tournament has arrived! We asked our online community on LinkedIn and our Huntress community on Slack to share their wildest examples of the best (worst) places to store a password. The results? This stunning bracket. Now that you’ve seen the lineup, the big question is: Who you got?! 👀 Get the inside edge on your office bracket by reading the tournament breakdown: https://lnkd.in/eeTunYwK

  • The worst time to find out someone messed around with your data logs? After a threat actor dumps encryption on your network. Here’s what happened 👇
    First, a Remote Desktop Gateway was compromised, followed by:
    ➡️ Domain mapping
    ➡️ Credential theft from the registry and other locations
    Then things got interesting:
    ➡️ The Windows Application log was cleared
    ➡️ PowerShell was set up to not log console history
    ➡️ Shadow copies were deleted to make recovery tricky if encryption was used
    Crisis averted: our SOC isolated the network before the threat actor dropped any nasty encryption.
    Here are a few ways to lock down your data logs:
    ✔️ Roll out managed SIEM: logs are streamed to a safe location away from the host, including logs cleared on the endpoint
    ✔️ Set up a solid backup plan: make sure shadow copy deletion doesn’t catch you by surprise

  • A US construction company had a threat actor lurking in their network. Let’s break it down 👇
    🏗️ They authenticated onto the VPN with a compromised user account
    🚧 Attempted to dump registry hives for credential theft, but got blocked by our Managed Microsoft Defender
    👷 Controlled two user accounts before our SOC stopped the intrusion
    Additional analysis showed their initial access started from a malicious IPv4 address connected to a ransomware actor. Here’s how to turn up the heat on attackers like this one:
    ➡️ Add MFA to your VPN for an additional security obstacle
    ➡️ Deploy security solutions on all devices. Don’t be stingy: workstations, gateway devices, and more
    ➡️ Consider expanding your devices’ default logging size, as we often find logs get overwritten quickly during intrusions

  • Huntress reposted this

    Kyle Hanslovan, CEO at Huntress | Classy but ❤️’s Trap Music

    Pretty sure this pitstop from Sebring over the weekend perfectly mimics the daily IT / Security grind 😅 Issues flying in from left field fast af 💨 The team rapidly springing into action—executing their roles with precision 🛠️ Fires igniting from unexpected places 🔥 All the beautiful nuance underappreciated by those in the stands. I’m thankful as hell for the pit crew out there who make the magic possible 🙏 Credit: Forte Racing, Automobili Lamborghini S.p.A., and Huntress

  • Unpatched Microsoft Exchange servers are an open invitation to threat actors 👇
    🚨 They drop webshells
    🚨 Scout out post-exploitation shenanigans:
    ➡️ Enumeration via WMIC
    ➡️ ARP scanning
    Threat actors are obsessed with scanning and exploiting unpatched Exchange servers. They’re all about persistence with minimal detection and lateral movement. So don’t run on borrowed time:
    ✔️ Patch immediately: we see way too many ancient Exchange servers
    ✔️ Scan for webshells: look for suspicious ASPX files in Exchange and IIS directories
    ✔️ Watch for unexpected child processes, especially from IIS web processes
    ✔️ Use strong EDR and logging for perimeter devices, including MS Exchange

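    The two posts above (the log-tampering intrusion and the Exchange webshell post) both boil down to a handful of host signals a SOC can alert on: an event log being cleared, shadow copies being deleted, PowerShell console history being switched off, an IIS worker process spawning a shell or recon tool, and ASPX files appearing in web directories after the install baseline. The block below is an added example, not Huntress code and not a description of how Huntress Managed SIEM or EDR works internally; it runs simple detection logic over a constructed set of flattened process-creation and event-log records (all sample values, field names and the `SAMPLE_LISTING` paths are assumptions made for the example) so the reader can see what each of those signals looks like in telemetry.

```python
"""Toy detection pass over constructed endpoint telemetry (example only, not vendor code)."""

# Constructed sample events. The field layout mimics a flattened Sysmon/Security-log export;
# event_id 1 = process creation (Sysmon), 1102 = Security log cleared, 104 = other log cleared.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "EXCH01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "cmd.exe /c whoami"},
    {"event_id": 1, "host": "WS07", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"event_id": 104, "host": "WS07", "image": "", "parent_image": "", "command_line": ""},
    {"event_id": 1, "host": "WS07",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe Set-PSReadlineOption -HistorySaveStyle SaveNothing"},
    {"event_id": 1, "host": "WS07", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe notes.txt"},
]

IIS_WORKER = "w3wp.exe"
# Children of the IIS worker that a webshell typically spawns (shell, WMIC/ARP recon as in the post).
SUSPICIOUS_IIS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "wmic.exe", "arp.exe"}
# 1102 (Security log) and 104 (Application/System/other logs) are the Windows "log cleared" events.
LOG_CLEARED_EVENT_IDS = {1102, 104}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path ('' stays '')."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the list of detection tags that apply to one event (empty if benign)."""
    findings = []
    eid = event["event_id"]
    if eid in LOG_CLEARED_EVENT_IDS:
        return ["event_log_cleared"]
    if eid != 1:
        return findings
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmd = event["command_line"].lower()
    # Webshell indicator from the Exchange post: IIS worker spawning a shell or recon binary.
    if parent == IIS_WORKER and child in SUSPICIOUS_IIS_CHILDREN:
        findings.append("iis_spawned_shell")
    # Anti-recovery step from the log-tampering post: shadow copy deletion via vssadmin.
    if child == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        findings.append("shadow_copy_deletion")
    # Anti-forensics step from the same post: PSReadline console history switched off.
    if "historysavestyle" in cmd and "savenothing" in cmd:
        findings.append("powershell_history_disabled")
    return findings


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run classify() over every event and return (host, tag) alert pairs in order."""
    return [(e["host"], tag) for e in events for tag in classify(e)]


# Constructed directory listing for the "suspicious ASPX files" hunt: (path, mtime as epoch seconds).
SAMPLE_LISTING = [
    (r"C:\inetpub\wwwroot\aspnet_client\hello.aspx", 1700000500),          # newer than baseline
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx", 1600000000),
    (r"C:\inetpub\wwwroot\aspnet_client\readme.txt", 1700000600),          # not ASPX
]


def new_aspx_files(listing: list[tuple[str, int]], baseline_epoch: int) -> list[str]:
    """Return .aspx paths modified after the install/patch baseline; a starting point, not proof."""
    return sorted(p for p, mtime in listing if p.lower().endswith(".aspx") and mtime > baseline_epoch)


if __name__ == "__main__":
    for host, tag in scan(SAMPLE_EVENTS):
        print(f"ALERT {host}: {tag}")
    for path in new_aspx_files(SAMPLE_LISTING, baseline_epoch=1650000000):
        print(f"REVIEW new ASPX: {path}")
```

    The point of the `event_log_cleared` tag is that it only helps if the record reaches a collector the attacker cannot reach, which is exactly the argument the SIEM post makes: once the endpoint log is wiped, the clearing event itself is the last thing forwarded. The ASPX check is deliberately crude (modification time after a baseline); in practice it is paired with hashing against a known-good file set.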
  • Ever wondered how credential dumping and lateral movement are flagged almost immediately? Check out this example of SIEM and EDR working together to detect threats in under a minute, preventing threat actors from causing catastrophic damage to your environment. More combined telemetry means faster detection and response, along with a richer environment for root cause analysis of threat activity. Read more about how Huntress Managed SIEM will help stop threats in their tracks: https://lnkd.in/eqQuAzj3

  • A manufacturer found that an employee downloaded Gootloader malware via an SEO poisoning attack. From there:
    ➡️ Huntress EDR flagged anomalous domain enumeration
    ➡️ We found a newly created account: “Administralol”
    ➡️ Investigated further—turns out, the entry point was Gootloader malware
    ➡️ Attackers tried to persist with a scheduled task running JavaScript
    This story isn’t unique. Here are real cases of attacks that have blown by traditional defenses and become threats that stuck around for years 👇

  • Here’s how to stop attacks in minutes with managed SIEM 👇
    👿 This threat actor logged in from a known, sketchy workstation
    🚨 Our Managed SIEM sent out an alert, giving our SOC the heads up
    💥 Then in <5 minutes, we kicked them out to prevent further access
    When you’re rocking a managed SIEM backed by a 24/7 SOC, you don’t hear about attacks AFTER you’ve been wrecked—you shut them down *before* they even start
