RunMRU is the tidiest endpoint signal for ClickFix, which is exactly why it’s the first thing attackers stopped touching. A look at what the registry detection catches, why it’s already half-blind, and the process-ancestry signal that actually survives.
Ubuntu 24.04 enabled AppArmor mediation of unprivileged user namespaces by default, then Qualys published three ways around it. Here’s what the control actually stops, the audit chain that proves it fired, and how to detect abuse without flooding the SOC.
Most teams write their first ClickFix detection against the Windows Run dialog’s RunMRU artifact. FileFix and the App-V proxy variant route around it the next day. Here is the detection that survives, and what the first week of tuning has to fix.
Bring-your-own-vulnerable-driver EDR killers are a standard stage in ransomware intrusions now, not an exotic capability. The driver blocklist is the weakest control you have against them. Here is what to instrument instead.
An MCP server you approved last week can mutate its tool descriptions tonight, and most clients won’t tell you. Here’s how the rug pull works, what to log, and what the detection actually looks like before the false positives bury it.
A clean netstat is not proof of safety: eBPF backdoors like LinkPro keep an internal listener, rewrite ports through XDP/TC, and can make bpftool lie about themselves. The durable signal is the bpf() syscall at load time, and on Cilium-heavy fleets, telling real loaders from noise is most of the work.
Bootc and rpm-ostree turn the root filesystem read-only and push state into a handful of writable paths. That quietly invalidates half your host integrity detections. Here is the new shape of the problem and what to instrument before the first ATO review notices.
CIFSwitch is a local-root flaw in the Linux kernel’s CIFS client that a researcher surfaced with AI-assisted analysis after it sat untouched since 2007. The kernel piece is real, but whether it touches you is a configuration question, not a kernel-version one.
Image-mode RHEL moves the host into an ostree-backed, container-built world. The threat model shifts up the stack, and most detection content built for traditional EL hosts quietly stops working.
Image-mode RHEL and bootc move /usr to a read-only ostree commit and turn host updates into container pulls. That fixes one class of problem and creates a different one for defenders. Here is what actually changes on disk, what to detect, and where the model breaks.
