§ Trackr.Live
Latest writing

Notes from Trackr.Live

The landing site for Trackr Services

AC

A Phished OTP Can Buy the Attacker a Passkey in Your Tenant, and the Registration Audit Trail Is Your Most Direct Signal

O-UNC-066 appears built to walk a victim through a fake passkey enrollment while the operator registers an attacker-controlled passkey in the real Entra tenant. It survives the password reset, and the most direct durable evidence is the authentication-method registration audit trail — written from a session your controls let through because the registration action was protected only by relayable MFA.

·
Cyber Tools

EDR-Freeze Puts Your Sensor in a Coma With a Signed Windows Dumper. The Detection Is a Gap in Your Own Telemetry

EDR-Freeze abuses WerFaultSecure.exe — a Microsoft-signed WinTCB/PPL crash dumper — to suspend Defender and third-party EDR for as long as the operator holds it, with no kernel driver and almost no forensic residue. Here is what the detection actually looks like in Sysmon, why the filename-based Sigma rule everyone shipped first is a canary rather than a control, and which process-access relationship the real rule matches.

·
AC

The BadSuccessor Patch Killed the One-Sided Link. Mutual Pairing Still Leaks the Target’s Kerberos Keys

Microsoft’s August 2025 fix for BadSuccessor (CVE-2025-53779) works — but an attacker who controls a dMSA and can write a target’s migration-link attributes can forge the mutual pairing the KDC now demands and pull that account’s Kerberos key material out of the dMSA key package. The detection has to move from watching one attribute to watching the pairing on the target object.

·
Artificial Intelligence

Invisible Unicode Tags Smuggle Instructions Past Your LLM Filter. The Detection Is a Byte Pattern on the Raw Stream

A block of Unicode characters that renders as nothing can carry a full paragraph of instructions into your LLM, and your content filter can miss it because it inspects a sanitized or transformed representation while the model receives the original code points. Here is where the detection actually has to live, and what you spend the first week of tuning on.

·