URL: https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy


Dray Agha 08.16.2022 10 min read


CLEARTEXT SHENANIGANS: GIFTING USER PASSWORDS TO ADVERSARIES WITH NPPSPY

While investigating an intrusion, Huntress stumbled on something rather
fascinating to do with adversarial credential gathering.

Threat actors often gather credentials retrospectively by dumping what's
already on the system (with tools like Mimikatz). Other tools, like Responder,
let the threat actor listen network-wide and pick up hashes that are whizzing
around the Active Directory.

But it isn’t too common that we at Huntress see threat actors proactively
manipulate a system not just to gather credentials, but to gather cleartext
passwords*. Normally, we only see this proactive effort via UseLogonCredential
registry manipulation.

And yet, while investigating a recent intrusion, we found an unusual technique
to steal cleartext creds. 

A threat actor had gained access to a complex network, dwelled in dark corners
of the environment, and then deployed Grzegorz Tworek's NPPSPY technique to ‘man
in the middle’ the user logon process, and squirrel away the user’s name and
password in an unassuming file. 

It seems that the community has documented this NPPSPY technique in theory, but
so far it seems like no one has documented when they have encountered it
maliciously deployed in the wild. 

In this article, let’s have a look at when the Huntress team encountered this
technique IRL. 


WHAT DOES NPPSPY DO?

Before we go into the details of this tradecraft, I recorded a short video of
how this technique works. The TLDR here: it’s possible to man-in-the-middle the
login process and save a user’s password cleartext into a file on the file
system:

[Embedded video (0:36): demonstration of the technique]

I am simplifying the technique (because I am a simpleton) from Grzegorz's notes
[1, 2] and Microsoft documentation. Many have already written about this
technique and incorporated it into security frameworks, like Atomic Red's suite
of tests, so I won't dwell too much on the granularity of this explanation.

When you sit down to sign onto your machine and type in your password to
authenticate, a bunch of different things are done on the back end with your
credentials: hashing, checking, flying back and forth to a domain controller,
etc.  

The conversation between Winlogon and Local Security Authority Subsystem Service
(LSASS) is most relevant for our instance. Winlogon is both the graphical user
interface that we use to put our credentials in, as well as the conversational
partner with LSASS for letting you sign in. 

It’s more of a challenge to mess with LSASS to try and gather credentials, and
so the NPPSPY technique takes the path of least resistance by focusing on
Winlogon. 

When you give your password to Winlogon, it opens an RPC channel to
mpnotify.exe and sends the password over it. Mpnotify then goes and tells the
registered network provider DLLs what's up with this credential.

NPPSPY comes alive here. Mpnotify is maliciously told about a new, adversarial
network provider to consider. This network provider is attacker-controlled and
comes with a backdoored DLL the adversary has created. This slippery DLL simply
listens for the cleartext credential exchange from Winlogon down to mpnotify
and then saves the cleartext credentials to a file.




WHAT DID WE FIND IN THE WILD?

Let me take you back to the case.

During this intrusion, the Godparents of DFIR, Jamie Levy and Harlan Carvey,
used their forensic wizardry to point the team to find and give some attention
to a ‘C:\Windows\System32\lsass.dll’. They had identified that this had been
associated with a compromised account and advised us to go and determine what it
was. 

Now, we’re all good noodles on the ThreatOps team, and if a Big Boss gives an
order, you bet we’ll go get it DONE. We got the DLL, dissected it, hypothesized
it was NPPSPY and then deployed it in our local lab to verify this theory. 





After having tested locally, we then looked at the compromised system. Very
satisfyingly, we could account for the exact techniques the threat actor had
leveraged. 

 * The network provider in this instance was named logincontroll (typo
   intentional)
 * It occupied HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order and
   created the value logincontrol
 * It then pointed logincontroll at the path C:\Windows\System32\lsass.dll via
   the registry key HKLM\SYSTEM\CurrentControlSet\Services\logincontroll\NetworkProvider

Below are screenshots from the compromised system:



In our lab and then on the compromised host, we identified that
C:\Windows\Temp\tmpCQOF.tmp was the hardcoded file that the threat actor had
designated to listen and record the credentials as Username -> Password:



Now I can’t show you what was in that file on the compromised system—only what
was re-created in our testing environment. But trust me, seeing a tonne of
cleartext usernames and passwords was WILD. 


OUTSTANDING ODDITIES

You know, something always interesting with investigations is that even when you
reach one conclusion, there is always one thread out of place, waiting for you
to pull, unravel and get further lost in the sauce.

We identified this tradecraft on a compromised Exchange server.

Remember C:\Windows\Temp\tmpCQOF.tmp, the file that kept a record of the
cleartext creds? Evidence suggested that email addresses and their corresponding
clear text passwords made it into the dump. 



This was me upon that realization. Now, keeping in mind that I am a mere
mindless marmoset, I get easily confused. How did backdooring the local login
process end up rounding up the email addresses and passwords for users
authenticating to gather their emails, from this Exchange machine?

To try and wrap my head around what the evidence was showing, we sought counsel
with Huntress’ Researcher Tech Lead and Leader of the Council of the Wise, Dave
Kleinatland 🧙. 

Dave agreed it was odd, but suggested

> Exchange-related authentications CAN be swept up in NPPSPY’s net for catching
> cleartext credentials in transit… If you're capturing creds on an Exchange
> box, you're doing well.

This suggests that for NPPSPY, there are under-documented benefits to targeting
specific servers in an Active Directory. We saw the evidence firsthand that
hitting an Exchange box also gathered the clear text creds for users just trying
to access their emails.


INVESTIGATING AND DEFENDING

A worry we had when putting this blog together is that by shining the spotlight
on an interesting, lesser deployed offensive security technique, Huntress would
be partially responsible for a spike in near future usage.

As such, we wanted to spend some time on how defenders can investigate and
detect this. 

For my red team colleagues, some places advise how to deploy NPPSPY. The default
DLL that Grzegorz kindly provides will get flagged by Defender, but Grzegorz’s
kindness knows no bounds, and he provides the C code to compile it yourself.


CHECKING LIVE SYSTEMS

Grzegorz provides this script to look at the Network Providers and their
associated DLL file paths.  

From a registry point of view, it's a 'service', but it is not really a service
and thus cannot be detected as such. In the screenshot below, you can see that
in comparison to the other, legitimate network providers, 'logincontroll' is
relatively light on signatures, version numbers, and descriptions. But it is
considered trivial for threat actors to add many of these, so don't rely on
their absence for detection.
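As an added example (this is not Grzegorz's script and not Huntress tooling), the PowerShell below walks the same registry locations the post describes: it reads the provider list from the Order key, follows each name to its Services\<name>\NetworkProvider key, resolves ProviderPath, and then checks the signals the screenshot comparison is about (Authenticode signature, version metadata, location under System32). The value name ProviderOrder and the ProviderPath value are standard Windows registry names; the flag names are my own.

```powershell
# Added example (not Grzegorz Tworek's script, not Huntress code): enumerate the
# registered network providers the way NPPSPY abuses them and flag the weak spots
# the post describes. Run from an elevated PowerShell prompt on the host.

$orderKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providerOrder = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder

# ProviderOrder is a comma-separated list of service names; a rogue provider
# ("logincontroll" in the Huntress case) has to be appended here to be loaded.
$names = $providerOrder -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($name in $names) {
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $np    = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue
    $path  = if ($np) { $np.ProviderPath } else { $null }

    # ProviderPath normally contains %SystemRoot%; expand it before touching disk.
    $resolved = if ($path) { [Environment]::ExpandEnvironmentVariables($path) } else { $null }
    $exists   = $resolved -and (Test-Path -LiteralPath $resolved)

    $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $resolved } else { $null }
    $version = if ($exists) { (Get-Item -LiteralPath $resolved).VersionInfo } else { $null }

    # Flag names below are this example's own, not a Windows or Huntress convention.
    $flags = @()
    if (-not $np)                                   { $flags += 'NoNetworkProviderKey' }
    if (-not $exists)                               { $flags += 'DllMissing' }
    if ($exists -and $sig.Status -ne 'Valid')       { $flags += "Signature=$($sig.Status)" }
    if ($exists -and -not $version.CompanyName)     { $flags += 'NoCompanyName' }
    if ($exists -and -not $version.FileDescription) { $flags += 'NoFileDescription' }
    if ($resolved -and $resolved -notlike "$env:SystemRoot\System32\*") { $flags += 'OutsideSystem32' }

    [pscustomobject]@{
        Provider     = $name
        ProviderPath = $path
        Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Company      = if ($version) { $version.CompanyName } else { '' }
        Flags        = ($flags -join ';')
    }
}

$results | Format-Table -AutoSize

# Anything carrying a flag deserves a manual look. A built-in provider such as
# LanmanWorkstation should show a Microsoft signature and populated version info.
$results | Where-Object { $_.Flags } | ForEach-Object {
    Write-Warning "Review network provider '$($_.Provider)' -> $($_.ProviderPath) [$($_.Flags)]"
}
```

Treat the flags as triage prompts, not verdicts: as the post says, an attacker can add version strings and descriptions, and a legitimate third-party provider (a VPN client, for instance) may live outside System32. An unsigned DLL named like a Windows binary, as with the lsass.dll in this case, is the combination worth escalating.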




FORENSICS

Like a lot of things in infosec, Harlan seems to have already had all bases
covered, no matter how novel the technique. 

By leveraging the services plugin for RegRipper v3.0, we can see the very
suspicious service name we have already identified in our threat actor's
implementation of NPPSPY.




MONITORING AND DETECTING

The name of the file that records the cleartext credentials is hardcoded in the
source at compile time, so there is no fixed file name to build a detection on.



Although the NPPSPY docs advise dropping the DLL in C:\windows\System32, you
don't have to. The example below demonstrates how an adversary can drop the
required DLL in any directory, like C:\windows\temp. Therefore, there is no
required directory to watch for detection either.



This NPPSPY technique is noisy. And detecting this is possible with various
security monitoring tools that monitor the processes and commands being run on a
machine. You could use Sysmon as a free option. At Huntress, we have our Process
Insights listener that makes parent-child process lineage easy to follow.

There are several detection opportunities for NPPSPY, as adversaries have to

 * Be a privileged user
 * Create and manipulate a number of registry entries 
 * Bring a DLL on disk
 * And then write clear text creds to a file somewhere

Elastic has a rule query for this kind of network provider manipulation. They
assign it a severity medium... personally, I’d assign this kind of activity to
be a super nuclear critical... but that’s just me. 
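The detection opportunities listed above (privileged registry manipulation plus a DLL arriving on disk) can be hunted retrospectively on a single host if Sysmon is present. The PowerShell below is an added example, not Huntress or Elastic detection content: it assumes Sysmon is installed and configured to record registry events (IDs 12 and 13) for the NetworkProvider keys and file-create events (ID 11), pulls the registry writes touching the provider order or any <service>\NetworkProvider key, and then uses each ProviderPath value that was written as a pivot to find the matching DLL creation.

```powershell
# Added example (not Huntress or Elastic detection content): hunt a host's Sysmon
# operational log for the noisy steps the post lists. Assumes Sysmon is installed
# and its configuration logs registry events 12/13 for the NetworkProvider keys
# and file-create events (11). Run elevated.

$since = (Get-Date).AddDays(-7)   # investigation window; adjust as needed

function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Step 1: registry activity touching the provider order or any <service>\NetworkProvider key
$regEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13; StartTime = $since
} -ErrorAction SilentlyContinue

$regHits = foreach ($evt in $regEvents) {
    $xml    = [xml]$evt.ToXml()
    $target = Get-EventField $xml 'TargetObject'
    if ($target -match '\\Control\\NetworkProvider\\Order' -or
        $target -match '\\Services\\[^\\]+\\NetworkProvider') {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Id      = $evt.Id
            Image   = Get-EventField $xml 'Image'      # process that performed the write
            Target  = $target
            Details = Get-EventField $xml 'Details'    # value data for ID 13
        }
    }
}

# Step 2: every DLL path written to a ProviderPath value becomes a file-create pivot
$dllPaths = $regHits |
    Where-Object { $_.Id -eq 13 -and $_.Details -and $_.Target -like '*\NetworkProvider\ProviderPath' } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Details) } |
    Select-Object -Unique

$fileHits = if ($dllPaths) {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $file = Get-EventField $xml 'TargetFilename'
        if ($dllPaths -contains $file) {
            [pscustomobject]@{
                Time = $_.TimeCreated; Id = 11
                Image = Get-EventField $xml 'Image'; Target = $file; Details = ''
            }
        }
    }
}

# One timeline: who wrote the provider registration, and who dropped the DLL it points at.
@($regHits) + @($fileHits) | Where-Object { $_ } | Sort-Object Time | Format-Table -AutoSize
```

The Image column is the useful bit for lineage: a legitimate installer writing a provider key looks very different from reg.exe or PowerShell spawned from a web shell on an Exchange box. Because the credential output file name and the DLL directory are attacker-chosen, the registry writes are the only stable anchor, which is why the file pivot is derived from them rather than from a fixed path.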


IOCS AND BEHAVIOR

 * OS Credential Dumping - ATT&CK T1003
 * Values under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
   * For our case: logincontroll
 * Unexplained entries in
   HKLM\SYSTEM\CurrentControlSet\Services\<here>\NetworkProvider
   * For our case: logincontroll
 * Unexplained DLLs in folders (very difficult to detect)
   * For our case: C:\windows\system32\lsass.dll
 * Files being continually written to (essentially impossible to detect this
   IMO)
   * For our case: C:\Windows\Temp\tmpCQOF.tmp


REMEDIATING

To remediate and eradicate this wickedness, we tested furiously with our virtual
machine snapshots.

 * Deleting only C:\windows\system32\<attacker.dll> stops the credential file
   being written to
 * Deleting only the key HKLM:\SYSTEM\CurrentControlSet\Services\<Attacker
   provider name>\NetworkProvider stops the credential file being written to

Therefore deleting both the attacker-controlled DLL and the registry entry will
stop the cleartext credential gathering activity for sure. 
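As an added example (this is not the Huntress remediation report or its automation), the PowerShell function below applies both of the fixes tested above in one pass: it removes the provider name from the ProviderOrder list, deletes the Services\<name>\NetworkProvider key, and quarantines the DLL that ProviderPath pointed at instead of deleting it, so it survives as evidence. The function name and parameters are hypothetical; the provider name you pass in comes from your own triage.

```powershell
# Added example (not Huntress code): remove a rogue network provider registration
# and quarantine its DLL. Function and parameter names are this example's own.
# Run elevated; sign out afterwards, because mpnotify.exe loads providers at logon.

function Remove-RogueNetworkProvider {
    param(
        [Parameter(Mandatory)][string]$ProviderName,              # e.g. 'logincontroll'
        [string]$QuarantineDir = "$env:SystemDrive\Quarantine"    # assumption: any evidence folder
    )
    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $npKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ProviderName\NetworkProvider"
    $dest = $null
    $hash = $null

    # 1. Capture the DLL path before touching anything, so the evidence trail is intact.
    $np  = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue
    $dll = if ($np -and $np.ProviderPath) {
        [Environment]::ExpandEnvironmentVariables($np.ProviderPath)
    } else { $null }

    # 2. Drop the name from ProviderOrder so mpnotify.exe stops consulting it.
    $order = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
    $kept  = ($order -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne $ProviderName }) -join ','
    if ($kept -ne $order) {
        Set-ItemProperty -Path $orderKey -Name ProviderOrder -Value $kept
    }

    # 3. Remove the NetworkProvider subkey (on its own this stopped the writes in testing).
    if (Test-Path $npKey) { Remove-Item -Path $npKey -Recurse -Force }

    # 4. Quarantine the DLL (on its own this also stopped the writes), keeping its hash.
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        $dest = Join-Path $QuarantineDir ('{0}_{1}.bin' -f (Split-Path $dll -Leaf), $hash.Substring(0, 12))
        Move-Item -LiteralPath $dll -Destination $dest -Force
    }

    [pscustomobject]@{
        Provider         = $ProviderName
        ProviderOrderNow = $kept
        RemovedKey       = $npKey
        QuarantinedDll   = $dest
        Sha256           = $hash
    }
}

# Usage, with the provider name from the Huntress case:
# Remove-RogueNetworkProvider -ProviderName 'logincontroll'
```

Confirm what ProviderPath points at before running this: the function moves whatever file is registered, and in this case that was a DLL masquerading as lsass.dll rather than a Windows component. The credential output file (C:\Windows\Temp\tmpCQOF.tmp here) is not touched because its name is compile-time specific; collect it as evidence, then treat every account that appears in it, and every account that logged on while the provider was registered, as compromised and rotate those passwords.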

Below is an extract of the report the partner received from us, which allowed
one-click automatic remediations to undo the ensnarement NPPSPY had placed the
machine under.




SO, THE BAD ACTORS WON?

Some may point the blame at security researchers in these instances. It’s easy
to assume that because they create techniques and share proofs of concept, that
they are the root of evil in the cybercriminal ecosystem.

This couldn’t be further from the truth. The problem is not offensive security
research. The problem is cybercriminals. 

While this technique was cooked up by a security researcher, the threat actor
could have leveraged a whole plethora of other malicious techniques to achieve
their goals—this was just one of them, albeit a spicy one. 

Offensive security research helps us defenders stay sharp, and motivates us to
constantly improve our tradecraft. Those attackers got in somehow, and there are
always lessons to learn about hardening defenses and imposing cost on dipsh*t
adversaries.

Techniques like NPPSPY have probably been deployed in the wild before. From what
we can tell, Huntress seems to be the first at sharing and documenting its IRL
usage by threat actors. Offensive tools do not remain elusive and mysterious for
long once the defensive community gives them some attention. 

We hope this article is a small contribution that helps the community fight back
and conjure better defenses! And speaking of conjuring digital forensics with
Jamie Levy and Harlan Carvey, you won't want to miss the September 2022 episode
of Tradecraft Tuesday.



• • •


ADDENDUM: CLEARTEXT VS. PLAINTEXT

*I consulted NIST docs to conclude what NPPSPY is. A rough overview is that
cleartext means un-encrypted text, whereas plaintext is the text involved in a
more complicated cryptographic exchange. 

Of course, if a password is about to be input into a cryptographic
authentication like one does for a Windows login, wouldn’t that make it
plaintext? Potentially. But NPPSPY seemingly takes place before cryptography
really gets involved, and therefore it seems more appropriate to weigh in on the
side of cleartext. 

If anyone has any strong feelings otherwise, please @ me on Twitter.

DRAY AGHA

Day Ruiner for Adversaries. Lifelong Learner. UK ThreatOps Manager at Huntress.
