Max Rogers
maxrogers5.com
@maxrogers5.com
Sr. Director of SOC at Huntress. Ex-Mandiant/FireEye. Bringing security to the Fortune 5,000,000.
Until a patch is released, administrators should immediately apply the workaround detailed in our post:
October 10, 2025 at 2:22 AM
2⃣ The initial access was creative. The actor exploited a misconfigured, public-facing phpMyAdmin panel. They then used a log poisoning technique to write a one-liner PHP web shell (China Chopper) to disk, bypassing authentication and gaining initial command execution.
October 10, 2025 at 1:53 AM
The gift that keeps on giving.
July 15, 2025 at 7:24 PM
As more companies deploy the Huntress SIEM, we've enjoyed finding the "Door Rattlers"🚪

We see an attacker failing to log in across a number of environments and then eventually succeeding in 1 organization.

Stopping attacks at initial access ❤️
May 22, 2025 at 12:49 AM
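An added example, not from the post above or from Huntress: a small Python detection over constructed cross-tenant login events that flags a source IP which failed to log in across several organizations before succeeding in one, the "Door Rattler" pattern the post describes. The event format, field names, and the two-organization threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry), one line per login attempt:
# "timestamp org src_ip user outcome". Events from several tenants are merged.
SAMPLE_EVENTS = """\
2025-07-15T01:02:03Z acme     203.0.113.7  admin  FAIL
2025-07-15T01:04:11Z globex   203.0.113.7  admin  FAIL
2025-07-15T01:05:40Z initech  203.0.113.7  admin  FAIL
2025-07-15T01:09:55Z umbrella 203.0.113.7  jsmith SUCCESS
2025-07-15T02:00:00Z acme     198.51.100.9 bob    FAIL
2025-07-15T02:01:00Z acme     198.51.100.9 bob    SUCCESS
2025-07-15T03:00:00Z globex   192.0.2.44   alice  SUCCESS
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, org, ip, user, outcome = line.split()
        events.append({"ts": ts, "org": org, "ip": ip, "user": user, "outcome": outcome})
    return events


def find_door_rattlers(events, min_failed_orgs=2):
    """Return {ip: {"failed_orgs": [...], "successes": [(org, user), ...]}} for every
    source IP that failed in at least `min_failed_orgs` distinct organizations and
    afterwards produced a successful login anywhere (threshold is an assumption)."""
    failed_orgs = defaultdict(set)   # ip -> set of orgs where a FAIL was seen
    successes = defaultdict(list)    # ip -> list of (org, user) logins after the failures
    for e in sorted(events, key=lambda ev: ev["ts"]):  # process in time order across tenants
        if e["outcome"] == "FAIL":
            failed_orgs[e["ip"]].add(e["org"])
        elif e["outcome"] == "SUCCESS" and len(failed_orgs[e["ip"]]) >= min_failed_orgs:
            # Only a success that follows failures in multiple orgs counts as rattling
            successes[e["ip"]].append((e["org"], e["user"]))
    return {ip: {"failed_orgs": sorted(failed_orgs[ip]), "successes": hits}
            for ip, hits in successes.items()}


if __name__ == "__main__":
    for ip, info in find_door_rattlers(parse_events(SAMPLE_EVENTS)).items():
        print(ip, "failed in", info["failed_orgs"], "then succeeded:", info["successes"])
```

The IP that failed only within a single tenant before succeeding (198.51.100.9) is not flagged, which keeps ordinary mistyped passwords out of the result.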
netscan.exe, psexec.exe, mstsc.exe, netsh.exe, reg.exe
March 3, 2025 at 9:10 PM
Attackers love taking over M365 identities 😬 In the past ~60 days, Huntress has tracked phishing pages used to steal M365 sessions. Seeing `.com` isn't surprising but having `.online` in second place caught my eye 👀

Interested in Adversary in the Middle attacks? www.huntress.com/blog/unmaski...
February 25, 2025 at 1:43 PM
When the SOC sees an RDP login and the source IP is a datacenter.
February 15, 2025 at 12:07 AM