§ Category
Category

Cyber Tools

CM

A Systemd Generator Executes Before Your Logging Is Up. Catch the Write, Not the Run

System-level systemd generators run as root at the earliest moment of boot, before auditd, before the EDR agent, before your normal journald/syslog/audit telemetry is reliably up. You will never see the execution. Here is how to build the detection that actually works — file writes and baseline reconciliation — and what breaks it the first week.

·
AC

Strong Certificate Mapping Only Helps If the CA Owns the SID. ESC16 Takes It Away

Microsoft’s strong certificate mapping enforcement finally landed, and where it’s genuinely in force it does close the naive implicit-mapping hole that made ADCS escalation trivial — a certificate with only a weak name is denied. ESC16 strips the CA-issued SID so the mapping decision falls to whatever’s left: on a compatibility-mode DC that’s weak SAN mapping, and even on a fully-enforced DC it’s an attacker-supplied SID-in-SAN URI the KDC treats as strong. The audit events you’d hunt it with are off by default.

·
AU

Bring Your Own Installer: When the EDR Bypass Ships Inside the EDR

Attackers don’t need a vulnerable driver to blind an EDR — they need the agent’s own installer and a window. The durable detection isn’t the kill command, it’s the silence that follows. Here is what that detection looks like the first time you deploy it, and why it floods the SOC before it works.

·