AU – Trackr.Live

§ Category

Service Principal Credential Adds Are the Entra Persistence Move Conditional Access Won’t See

An attacker with app-management rights doesn’t need another password. They add their own secret to a trusted service principal and authenticate as the app, outside MFA and outside Conditional Access. Here is what the audit event looks like, what the first round of tuning has to fix, and where the cleanest preventive control hides behind a SKU you probably didn’t buy.

ESXi Forensics and the RAMdisk Logging Gap Nobody Configured Around

On ESXi the logs that explain how an intruder got root are written to a ramdisk that a reboot erases. Here is where the evidence actually lives, what to detect before it’s gone, and how it maps to the audit-storage controls the architecture violates by default.

Device Code Phishing Lives in the Log Table You Don’t Ingest

Device code phishing produces a clean, MFA-satisfied sign-in on Microsoft’s own infrastructure — and most of the telemetry that betrays it sits in the Entra non-interactive log table teams drop to save money. Here’s where the detection actually lives, how the threshold flips between a Windows shop and a dev-heavy tenant, and the persistence artifacts the closeout always skips.

Kerberoasting detection in 2026: the 4769 signals that hold up, AES downgrade tells, and clearing service-account account noin week one

Encryption-type detancy deton Kerberos TGS requests still catches lazy roasting, but as RC4 gets disabled the durable signal moves to behavior. What to grep for, why the AES downgrade tell degrades, and how to kill service-account false positives before they bury the SOC.

When netstat Lies: Detecting eBPF Magic-Packet Backdoors on Linux

A clean netstat is not proof of safety: eBPF backdoors like LinkPro keep an internal listener, rewrite ports through XDP/TC, and can make bpftool lie about themselves. The durable signal is the bpf() syscall at load time, and on Cilium-heavy fleets, telling real loaders from noise is most of the work.

Token theft DFIR in Entra ID after the device-bound credential rollout

Token Protection and DBSC closed some doors in 2026 but left the SOC with a messier detection surface than the vendor decks suggest. Here is what the incident actually looks like in the SIEM, where the first round of tuning has to land, and what most teams get wrong on revocation.

Token theft after AitM phishing in Entra ID: what the SignInLogs actually show in 2026

A defender-oriented walkthrough of investigating adversary-in-the-middle token theft against Entra ID now that token protection, CAE, and device-bound sessions are widely on — what the logs actually contain, what the first detection misses, and where the artifacts live outside Entra.

AU-12: Audit Record Generation

RMF Control AU-12: Audit Record Generation requires organizations to generate audit records for auditable events. Audit records are records of events that occur on information systems. They can be used to track user activity, detect suspicious activity, and investigate security incidents. Supplemental Guidance The Risk Management Framework (RMF) is a cybersecurity framework that provides a …

AU-7: Audit Record Reduction and Report Generation

RMF Control AU-7: Audit Record Reduction and Report Generation requires organizations to implement an audit record reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements, and after-the-fact investigations of security incidents. Supplemental Guidance The Risk Management Framework (RMF) is a cybersecurity framework that provides a process for managing cybersecurity risk …

AU-2: Event Logging

RMF Control AU-2: Event Logging requires organizations to implement a comprehensive event logging program to collect, analyze, and retain audit logs. Audit logs are records of events that occur on information systems. Event logging can help organizations to detect and respond to security incidents, investigate suspicious activity, and comply with regulations. Supplemental Guidance The Risk …