John Ferrell in Huntress
Hiding In Plain Sight
Hiding a malicious payload in a file meant to look like a log.
Jun 18, 2020
John Ferrell in Huntress
ThreatOps Analysis: Keyed Malware
Attackers will sometimes "key" the malware for a particular host or user, meaning the malware will only run on the targeted host…
Mar 18, 2020
John Ferrell in Huntress
Huntress Development Notes: Updating the Updater
If you've ever taken a look inside the Huntress Agent directory you may have noticed the file wyUpdate.exe. This executable is wyUpdate…
Oct 3, 2019
John Ferrell in Huntress
Deep Dive: A LNK in the Chain
The Huntress ThreatOps team sees all sorts of clever tricks attackers use to launch PowerShell.
May 30, 2019
John Ferrell
Scheduled Task command with space "hides" the file from Autoruns
TL;DR: Creating a scheduled task with a space in the file path will "hide" the executable from Autoruns. The file path is split on the…
May 3, 2019
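An added illustration of the mismatch the post above describes; this is not code from the post and does not reproduce Autoruns' own parsing. It assumes that the weakness is an enumeration tool which takes everything before the first unquoted space as the executable, while Task Scheduler treats the whole Command field of a task as the program path. The task names, paths and the set of "existing" files are constructed so the check runs offline.

```python
# Added example: a defender-side check for scheduled task commands whose
# executable a first-space tokenizer would misreport. Not the post's code.
# Assumption (labelled): the naive tool splits on the first unquoted space;
# Task Scheduler uses the whole Command field, quotes stripped.

# Constructed stand-in for the filesystem: paths that exist on the host.
EXISTING_FILES = {
    r"c:\windows\system32\calc.exe",
    r"c:\program files\vendor\updater.exe",
    r"c:\users\public\maint tools\run.exe",
}

# Constructed task name -> Command field pairs, as exported task XML would hold them.
TASKS = {
    "Calc": r"C:\Windows\System32\calc.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe"',
    "Maint": r"C:\Users\Public\maint tools\run.exe",
}


def _norm(path):
    """Strip surrounding quotes and lower-case for a case-insensitive comparison."""
    return path.strip('"').lower()


def naive_exe(command):
    """Executable as a quote-aware but space-splitting tokenizer reports it
    (the assumed weakness): a leading double-quoted token is taken whole,
    anything else is cut at the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return _norm(command[: end + 1])
    return _norm(command.split(" ", 1)[0])


def task_exe(command):
    """Executable as Task Scheduler uses it: the whole Command field."""
    return _norm(command)


def hidden_from_naive_view(command, existing=EXISTING_FILES):
    """True when the real program exists but the tokenizer's guess names a
    different path that does not exist, i.e. the entry would show up as a
    missing file rather than the real binary."""
    real = task_exe(command)
    naive = naive_exe(command)
    return real != naive and real in existing and naive not in existing


def audit(tasks=TASKS, existing=EXISTING_FILES):
    """Names of tasks whose executable would be misreported, sorted."""
    return sorted(
        name for name, cmd in tasks.items() if hidden_from_naive_view(cmd, existing)
    )


if __name__ == "__main__":
    for name, cmd in TASKS.items():
        print(f"{name:8} naive={naive_exe(cmd)!r:45} real={task_exe(cmd)!r}")
    print("flagged:", audit())
```

The quoted Updater entry is not flagged because the tokenizer honours the quotes; only the unquoted path with a space (Maint) produces a prefix that resolves to nothing while the full path exists, which is the condition a hunt query over exported task XML would look for.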
John Ferrell in Huntress
Deep Dive: Windows Administrative Shares
The Huntress ThreatOps team continues to see new Emotet and Trickbot malware outbreaks on our partners' managed networks. These malware…
Feb 7, 2019
John Ferrell in Huntress
Deep Dive: Examining A PowerShell Payload
We continue to see more and more malware that is "Living Off The Land". In other words, it uses built-in tools and features of the…
Oct 11, 2018
John Ferrell in Huntress
Deep Dive: .NET Malware: Peeling Back the Layers
Cyber attackers constantly develop creative ways to obfuscate their code to conceal the presence (and purpose) of their malware. In this…
Jun 6, 2018
John Ferrell in Huntress
Deep Dive: Investigating a Foothold & Uncovering the Payload
Recently, we flagged a User Run Key value with the name "xmNusBQH4865", which in and of itself was suspicious. The command executed was…
Oct 17, 2017
John Ferrell in Huntress
Abusing Trusted Applications with Nested Execution
Recently, my co-founders gave a talk at DerbyCon 7.0 on evading common persistence enumeration tools. Evasion using trusted applications…
Oct 3, 2017