§ Trackr.Live
Latest writing

Notes from Trackr.Live

The landing site for Trackr Services

CM

A Systemd Generator Executes Before Your Logging Is Up. Catch the Write, Not the Run

System-level systemd generators run as root at the earliest moment of boot, before auditd, before the EDR agent, before your normal journald/syslog/audit telemetry is reliably up. You will never see the execution. Here is how to build the detection that actually works — file writes and baseline reconciliation — and what breaks it the first week.

·
AU

ESXi Can Write Its Logs to a RAM Disk. Ransomware Counts on It

On an ESXi host without persistent scratch, /var/run/log lives on an in-memory ramdisk and evaporates at the next boot. Ransomware crews get the same effect for free — they power off, kill, or reboot the workloads before encrypting — which means your entire forensic timeline had to be forwarded off-box before the incident or it never existed at all.

·