§ Trackr.Live
Latest writing

Notes from Trackr.Live

The landing site for Trackr Services


ESXi Can Write Its Logs to a RAM Disk. Ransomware Counts on It

On an ESXi host without persistent scratch, /var/run/log lives on an in-memory ramdisk and evaporates at the next boot. Ransomware crews get the same effect for free — they power off, kill, or reboot the workloads before encrypting — which means your entire forensic timeline had to be forwarded off-box before the incident or it never existed at all.


Strong Certificate Mapping Only Helps If the CA Owns the SID. ESC16 Takes It Away

Microsoft’s strong certificate mapping enforcement finally landed, and where it’s genuinely in force it does close the naive implicit-mapping hole that made ADCS escalation trivial — a certificate with only a weak name is denied. ESC16 strips the CA-issued SID so the mapping decision falls to whatever’s left: on a compatibility-mode DC that’s weak SAN mapping, and even on a fully-enforced DC it’s an attacker-supplied SID-in-SAN URI the KDC treats as strong. The audit events you’d hunt it with are off by default.
