Huntress

Managed endpoint protection, detection and response designed to help the 99% fight back against today’s cybercriminals.

Huntress boosted:
Christoffer S. (nopatience@swecyb.com)
2025-06-09

Great article by @huntress in which they have analyzed the 'defendnot' evasion technique. Clever technique used to disable Windows Defender by registering a fabricated AV product.

Great amount of detail, detection and defense suggestions.

huntress.com/blog/defendnot-de

#Cybersecurity

2025-04-16

Make sure to reinforce your security stack against ransomware👇
✅ Secure RDP: disable exposed RDP services & enforce MFA
✅ Check Windows Defender modifications: unauthorized changes may be a red flag
✅ Tune into threat intel: stay ahead of TTPs so you disrupt threats quicker

2025-04-16

➡️ The payload and IPv4 are possible BianLian activity, a ransomware group known for raking in payments with data exfiltration and extortion over encryption.

Fortunately, our SOC sent them packing before any serious damage was done.

2025-04-16

➡️ A suspected ransomware group impaired Windows Defender using registry modifications to exclude *.DLL ➡️ Then with Windows Defender on the fritz they dropped a malicious GoLang DLL payload: rundll32.exe C:\ProgramData\HP\Installer\Temp\filter.dll,Entry

View of detection of BianLian, and the attacker's IP address
2025-04-16

Exposed RDP can lead to anything—even attempted ransomware attacks. Here’s what went down at this manufacturing business👇

2025-04-14

CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild!

We've got some post exploitation and detection opportunities for you:

#DFIR #threatintel #CTI

huntress.com/blog/cve-2025-304

2025-04-01

✅ Are you well versed in Linux?
✅ Do you understand Linux internals and eBPF?
✅ Do you like building out POCs?
✅ Do you understand cyber threats, how they manifest, how to investigate them, and forensic artifacts?
✅ Do you want to join a highly functioning team of top-notch researchers?

💥 Guess what? We have a job opening for a Principal Linux Researcher here at @huntress

Apply here:

👉 job-boards.greenhouse.io/huntr

Huntress boosted:
2025-02-11

The @huntress 2025 Threat Report is now live and it is a doozy!!! Make sure to check out the great work that @Laughing_Mantis and team have done 👏and gain insights into what’s going on from our view!! 🥳🎉🥳🎉🥳🎉

huntress.com/resources/2025-cy

#cti #dfir

2025-02-07

These insights from the @huntress 2025 Cyber Threat Report can help keep your business safe.

Get key findings, tradecraft examples, and new attacker techniques—plus how to defend against them. Register here:

huntress.com/tradecraft-tuesda

2025-02-07

🫥 22% of what we saw were malicious scripts, meaning threat actors increased their detection evasion and automation capabilities

👾 17% involved #malware, which shows adversaries continue to target every level of the attack chain to find the weakest link in defenses

2025-02-07

Here’s a look at 2024 from our SOC’s perspective 👇

🚨 #Infostealers made up 24% of all incidents, showing attackers had a serious focus on stealing credentials, financial information, and sensitive data

Huntress boosted:
2025-02-06

A scam scenario... from a SOC perspective! Worlds collide between scambait content and endpoint security education -- with a potential victim uncovered by the artifacts of what the scammer wrote in Notepad!👀 We uncover everything in this super cool story:
youtu.be/F4mXdm5dqrw

Huntress boosted:
2025-02-06

We’re hiring a technical writer for my team here at @huntress in case anyone is interested! Feel free to reach out with questions 😃

#cti #dfir

job-boards.greenhouse.io/huntr

2024-12-17

Detecting UAC bypass methods early can help prevent privilege escalation—a critical step in many ransomware attacks. Regular monitoring of processes like DllHost.exe with unusual COM Objects is key.

huntress.com/blog/its-not-safe

#CyberSecurity #ThreatHunting #UACBypass

2024-12-17

We've developed two new Sigma rules to detect privilege escalation:

✅System Binary Proxy Execution Using CMSTPLUA COM Interface
✅Scripting Interpreter Execution Using CMSTPLUA COM Interface

Focused on spotting suspicious activity tied to privilege escalation attempts.

2024-12-17

To narrow down detections, focus on child processes created via the CMSTPLUA COM Object that meet these criteria:

1⃣Have invalid signatures (malicious binaries).
2⃣Are scripting interpreters (e.g., CMD, #PowerShell).
3⃣Use System Binary Proxy Execution techniques.

2024-12-17

Elastic provides a solid detection rule:

✅UAC Bypass via ICMLuaUtil Elevated COM Interface

A Sigma rule version of this is also available, making it easier to integrate into SIEM platforms.

2024-12-17

This technique often uses DllHost.exe as the parent, with the COM Object's CLSID in the command line. Rarely legit, it’s a red flag when paired with:

✅Unsigned binaries
✅System binaries used for proxy execution
✅Scripting interpreters like CMD or #PowerShell

2024-12-17

An adversary likely leveraged a UAC Bypass Privilege Escalation technique, often used by #ransomware groups like Lockbit and BlackCat/ALPHV.

This method exploits a COM Object to create an elevated process, enabling malicious command or binary execution.
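A small triage script for the DllHost.exe/CMSTPLUA pattern the thread above describes, as an added example (not Huntress code and not one of their Sigma rules): it flags children of a DllHost.exe whose command line carries the CMSTPLUA CLSID only when they meet one of the three criteria from the thread. It assumes a constructed, simplified process-creation record schema, and the CMSTPLUA CLSID it uses is the documented one, not a value quoted in the posts.

```python
# Triage of the CMSTPLUA UAC-bypass pattern: a child of DllHost.exe whose command
# line carries the CMSTPLUA CLSID, narrowed to the thread's three child criteria.
# The record layout is a constructed, simplified schema, not a real Sysmon/EDR format.

# Documented CLSID of the CMSTPLUA COM server (ICMLuaUtil); not quoted on the page.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
SCRIPT_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Illustrative subset of signed system binaries abused for proxy execution (not exhaustive).
PROXY_EXEC_BINARIES = {"rundll32.exe", "regsvr32.exe", "msiexec.exe", "cmstp.exe", "odbcconf.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parent_is_cmstplua_dllhost(event):
    """True when the parent is DllHost.exe hosting the CMSTPLUA COM object."""
    return (basename(event["parent_image"]) == "dllhost.exe"
            and CMSTPLUA_CLSID.lower() in event["parent_cmdline"].lower())

def classify(event):
    """Return the criteria one process-creation record matches (empty = not flagged)."""
    if not parent_is_cmstplua_dllhost(event):
        return []
    child = basename(event["image"])
    reasons = []
    if not event.get("signature_valid", False):
        reasons.append("invalid_signature")
    if child in SCRIPT_INTERPRETERS:
        reasons.append("scripting_interpreter")
    if child in PROXY_EXEC_BINARIES:
        reasons.append("system_binary_proxy_execution")
    return reasons

def triage(events):
    """Keep only flagged records, paired with the reasons they matched."""
    return [(e["image"], r) for e in events if (r := classify(e))]

# Constructed sample records (not real telemetry).
DLLHOST = "C:\\Windows\\System32\\DllHost.exe"
CMSTP_CMDLINE = DLLHOST + " /Processid:" + CMSTPLUA_CLSID
SAMPLE_EVENTS = [
    {"image": "C:\\Users\\Public\\upd.exe", "signature_valid": False,
     "parent_image": DLLHOST, "parent_cmdline": CMSTP_CMDLINE},
    {"image": "C:\\Windows\\System32\\cmd.exe", "signature_valid": True,
     "parent_image": DLLHOST, "parent_cmdline": CMSTP_CMDLINE},
    {"image": "C:\\Windows\\System32\\rundll32.exe", "signature_valid": True,
     "parent_image": DLLHOST, "parent_cmdline": CMSTP_CMDLINE},
    # Legitimate DllHost surrogate for some other COM class: not flagged.
    {"image": "C:\\Windows\\System32\\notepad.exe", "signature_valid": True,
     "parent_image": DLLHOST, "parent_cmdline": DLLHOST + " /Processid:{CONSTRUCTED-OTHER-CLSID}"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the first three records with one reason each and leaves the ordinary DllHost surrogate alone, which is the narrowing the thread recommends.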
