§ Trackr.Live
Latest writing

Notes from Trackr.Live

The landing site for Trackr Services

CM

A Systemd Generator Executes Before Your Logging Is Up. Catch the Write, Not the Run

System-level systemd generators run as root at the earliest moment of boot, before auditd, before the EDR agent, before your normal journald/syslog/audit telemetry is reliably up. You will never see the execution. Here is how to build the detection that actually works — file writes and baseline reconciliation — and what breaks it the first week.

·
AU

ESXi Can Write Its Logs to a RAM Disk. Ransomware Counts on It

On an ESXi host without persistent scratch, /var/run/log lives on an in-memory ramdisk and evaporates at the next boot. Ransomware crews get the same effect for free — they power off, kill, or reboot the workloads before encrypting — which means your entire forensic timeline had to be forwarded off-box before the incident or it never existed at all.

·
AC

Strong Certificate Mapping Only Helps If the CA Owns the SID. ESC16 Takes It Away

Microsoft’s strong certificate mapping enforcement finally landed, and where it’s genuinely in force it does close the naive implicit-mapping hole that made ADCS escalation trivial — a certificate with only a weak name is denied. ESC16 strips the CA-issued SID so the mapping decision falls to whatever’s left: on a compatibility-mode DC that’s weak SAN mapping, and even on a fully-enforced DC it’s an attacker-supplied SID-in-SAN URI the KDC treats as strong. The audit events you’d hunt it with are off by default.

·