Posts on cross-platform kernel-level diagnostics, behavioral security monitoring, AI-powered analysis, and operator-driven privilege elevation
ET Ducky's signed remote-desktop helper now crosses the Windows secure-desktop boundary, so technicians can see and click UAC prompts from the browser viewer without anyone at the target machine. A walkthrough of the Windows uiAccess chain and the dual-engine capture path that makes it work.
Four cross-platform behavioral rules cover shadow copy deletion, mass file rename to ransomware extensions, ransom note creation, and cryptominer execution, plus a meta-rule that fires when two or more kill-chain stages occur on the same process within five minutes.
The agent maintains an inventory channel covering installed software, running services, scheduled tasks, kernel modules, listening sockets, and persistence artifacts. It collects a snapshot at boot and every 24 hours on both Linux and Windows, with on-demand refresh from the dashboard.
What ETW is to Windows, eBPF is to Linux. The Linux agent compiles a small set of eBPF programs that attach to scheduler and syscall tracepoints, normalises events into the same shape the Windows agent uses, and feeds the rest of the pipeline unchanged. Same dashboard, same AI live sessions, same behavioral rules.
A walkthrough of the five cross-platform detection rules that ship with the agent: suspicious exec chains, mass file access, reverse-shell heuristics, non-interactive privilege escalation, and unusual outbound traffic from system daemons. Same rule definition fires on Windows and Linux.
RDP relay on Windows, Wayland portal or x11vnc on Linux, with H.264 over WebCodecs when the host has hardware encoding available. Bounded resource use on the host, no VPN required, no firewall rules.
The Linux agent installs as an unprivileged user. Privileged actions require an operator password at the moment of the action, captured in an immutable audit row with the operator's identity, source IP, command summary, and exit code.
A side-by-side pricing and feature comparison of ET Ducky, NinjaOne, ConnectWise RMM, Datto RMM, Atera, and Kaseya VSA, with an interactive cost calculator to estimate your monthly spend.
Threat actors signed up for our platform, deployed agents to victim machines, and used our remote shell as a C2 channel to install ScreenConnect RATs across 120+ endpoints. Here's how we caught them, what we built to prevent it, and what every RMM vendor should learn from this.
A practical guide to using Event Tracing for Windows (ETW) to diagnose performance problems, identify root causes, and resolve issues faster than traditional tools allow.
Traditional RMM tools rely on WMI polling and event logs. ETW provides real-time kernel-level telemetry that reveals root causes these tools can't detect.
How AI-powered analysis of ETW telemetry can turn thousands of kernel events into plain-language root cause explanations, replacing hours of manual investigation.