Random "LOLBIN" time. SensorLogonTask.exe that ships with the Microsoft Intune Management Extension can be potentially "abused" for a somewhat "LOLBIN" functionality (if you could call it that). Basically, the binary by default runs as part of a task called "SensorFramework-LogonTask-{GUID}" and measures how long it takes a Windows session to become "ready" after a user logs on. It captures the top 10 processes that used the most CPU during that interval and writes that to the Application event log. Having info on processes can be classified as enumeration (even though you don't decide which ones are captured). The fun part, I guess, is the trigger.
- You pass the provider name as an argument, and that will be used when writing the event.
- It checks the Microsoft-Windows-Winlogon EID 2 for the past 6 minutes to see if a logon occurred.
I don't have a writeup for it yet (maybe one day), but for now just sharing my .NET reversing shenanigans.
8 Sep 2020
Learn more about Sensor.log, C:\Windows\SensorFramework, and MEM Endpoint Analytics with Joy @jbasuroy369 #MSIntune #MEMCM #MEMPowered #ConfigMgr anoopcnair.com/mem-endpoint-…

27 Aug 2020
Join our live webinar on September 15 exploring key considerations to help you ensure the smooth release of your certified medical systems. Register now: bddy.me/3lnd3KS #IEC #IEC62304 #RTOS #embeddedsystem #sensorframework #medical #safetygraphics