Huntress responded to a 2026 intrusion using compromised SonicWall VPN credentials and a revoked EnCase forensic driver to terminate EDR processes via BYOVD.

SOAPHound's LDAP query (!soaphound=*) never appears in Event 1644 logs, but it transforms into (! (FALSE)) through LDAP optimization. Understanding this transformation reveals a unique detection signature that most defenders have never seen.

See the research that highlights how MSPs experience reduced time and effort spent on ticket management, cost savings, and boosted efficiency with Huntress.

Learn how the Incident Report Timeline within Huntress Managed ITDR offers clear, chronological insights, enabling a decisive response to incidents.

SmarterMail versions prior to Build 9511 are vulnerable to privileged account takeover and remote code execution. Learn more about the latest Huntress DE&TH Team’s findings.

Vertical-specific construction applications face unique risks. Hacked apps stem from flaws in the software or its components, expanding the jobsite attack surface.

Fake ad blocker crashes your browser, then offers a "fix." Go inside KongTuke's CrashFix campaign, from malicious extension to ModeloRAT for VIP targets.

While investigating LDAP filters and attributes, I completely missed "SDFlags" in my Event 1644 logs. When I finally noticed it, the investigation led to nTSecurityDescriptor, attack path discovery, and a high-confidence detection signature.

Huntress researchers weigh in on the challenge of getting feature parity across Windows, macOS, and Linux. And learn how unique security models and platform maturity shape the way products are built.

Huntress outlines 2025 AI attack speed with automated scripts, but adversaries use familiar tradecraft. Detection and hygiene remain decisive.

Huntress outlines a complex, multi-step attack designed to break out of guest VMs and target the ESXi hypervisor, using potential zero-day vulnerabilities and sneaky VSOCK communication.

From lures involving Social Security statements to top domains and hashes used in attacks, here's an in-depth look at incidents involving ScreenConnect in 2025.

Your LDAP detection rules work in the lab but fail in production. Here's why Event 1644 whitespace variations break your Sigma rules and how to fix them.

From "React2Shell" exploitation to sophisticated "Living off Trusted Sites" phishing, Huntress experts break down the threats targeting both enterprises and families today.

Learn how supply chain attacks and shifting trust are reshaping the software supply chain, and what enterprises must do to strengthen resilience.

Think all threat actors are pros? This post reveals how 'unsophisticated' malware and attacker errors help defenders stop attacks before damage is done.

Understand the critical role of cyber insurance in safeguarding your business from cyber threats. Learn how this coverage can protect your assets.

Threat actors are exploiting a vulnerability in Gladinet’s CentreStack and Triofox products that stems from hardcoded cryptographic keys in the AES implementation.

Recently, the Huntress SOC has observed threat actors increasingly use PDQ and GoTo Resolve to deploy further remote monitoring and management (RMM) tools in attacks.

Learn why your LDAP detection rules never fire and how to fix them. Hint: it's the OID-to-bitwise transformation.