From 2dc48bba44080a7ff73a0e18ce521c4b22ff7dcd Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Sun, 13 Jul 2025 10:19:50 +0300 Subject: [PATCH 1/2] Create Logger.yml --- yml/OtherMSBinaries/Logger.yml | 70 ++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 yml/OtherMSBinaries/Logger.yml diff --git a/yml/OtherMSBinaries/Logger.yml b/yml/OtherMSBinaries/Logger.yml new file mode 100644 index 000000000..75016bb94 --- /dev/null +++ b/yml/OtherMSBinaries/Logger.yml 
@@ -0,0 +1,70 @@ +--- +Name: Logger.exe +Description: A logging configuration tool from the Windows Kits used to start and manage process logging. +Author: Avihay Eldad +Created: 2025-07-13 +Commands: + - Command: logger.exe RUN "calc" + Description: Executes calc.exe using the RUN parameter. + Usecase: Executes an executable via a signed binary to evade detection. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows + Tags: + - Execute: EXE + - Command: logger.exe RUN "cmd /c calc" + Description: Executes a command using cmd.exe via the RUN parameter. + Usecase: Executes a command line interpreter via a signed binary to evade detection. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows + Tags: + - Execute: CMD + - Command: logger.exe RUNW "calc" + Description: Executes calc.exe using the RUNW parameter. + Usecase: Executes an executable via a signed binary to evade detection. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows + Tags: + - Execute: EXE + - Command: logger.exe RUNW "cmd /c calc" + Description: Executes a command using cmd.exe via the RUNW parameter. + Usecase: Executes a command line interpreter via a signed binary to evade detection. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows + Tags: + - Execute: CMD + - Command: logger.exe "calc" + Description: Executes calc.exe without any parameter. + Usecase: Executes an executable using undocumented implicit behavior. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows + Tags: + - Execute: EXE + - Command: logger.exe "cmd /c calc" + Description: Executes a command via cmd.exe without any parameter. + Usecase: Executes arbitrary commands using undocumented implicit behavior. 
+ Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows + Tags: + - Execute: CMD +Full_Path: + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\logger.exe + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\logger.exe + - Path: C:\Program Files\Windows Kits\10\Debuggers\x86\logger.exe + - Path: C:\Program Files\Windows Kits\10\Debuggers\x64\logger.exe +Resources: + - Link: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/logger +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad' From 480c4372353c671ac916964b72b5de6585e533cf Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 16 Mar 2026 13:58:12 +0000 Subject: [PATCH 2/2] Update Logger.yml --- yml/OtherMSBinaries/Logger.yml | 45 +++++++--------------------------- 1 file changed, 9 insertions(+), 36 deletions(-) diff --git a/yml/OtherMSBinaries/Logger.yml b/yml/OtherMSBinaries/Logger.yml index 75016bb94..da652e7fa 100644 --- a/yml/OtherMSBinaries/Logger.yml +++ b/yml/OtherMSBinaries/Logger.yml 
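Review bot: the six `Commands` entries in this hunk are three invocation forms (`RUN`, `RUNW`, no switch) each duplicated with a different payload (`calc` versus `cmd /c calc`), so half of them add nothing; keep one entry per form and use the `{CMD}` placeholder for the arbitrary command, which also makes the separate `Execute: EXE` / `Execute: CMD` tags unnecessary. The `Usecase` of the two no-switch entries says execution relies on "undocumented implicit behavior", yet the only `Resources` link is the Microsoft `logger` page; either add a reference that documents the bare-argument form or drop the "undocumented" wording. The file-level `Description` ("used to start and manage process logging") also says nothing about the tool launching the target program, which is the property that makes it a LOLBin; the per-command `Description` lines already say it executes the given program, so say so in the summary too.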
@@ -4,54 +4,27 @@ Description: A logging configuration tool from the Windows Kits used to start an Author: Avihay Eldad Created: 2025-07-13 Commands: - - Command: logger.exe RUN "calc" - Description: Executes calc.exe using the RUN parameter. - Usecase: Executes an executable via a signed binary to evade detection. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows - Tags: - - Execute: EXE - - Command: logger.exe RUN "cmd /c calc" - Description: Executes a command using cmd.exe via the RUN parameter. - Usecase: Executes a command line interpreter via a signed binary to evade detection. + - Command: logger.exe RUN "{CMD}" + Description: Executes the command specified after the `RUN` parameter as a child of `logger.exe`. + Usecase: Executes an abitrary command via a signed binary to evade detection. Category: Execute Privileges: User MitreID: T1202 OperatingSystem: Windows Tags: - Execute: CMD - - Command: logger.exe RUNW "calc" - Description: Executes calc.exe using the RUNW parameter. - Usecase: Executes an executable via a signed binary to evade detection. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows - Tags: - - Execute: EXE - - Command: logger.exe RUNW "cmd /c calc" - Description: Executes a command using cmd.exe via the RUNW parameter. - Usecase: Executes a command line interpreter via a signed binary to evade detection. + - Command: logger.exe RUNW "{CMD}" + Description: Executes the command specified after the `RUNW` parameter as a child of `logger.exe`. + Usecase: Executes an abitrary command via a signed binary to evade detection. Category: Execute Privileges: User MitreID: T1202 OperatingSystem: Windows Tags: - Execute: CMD - - Command: logger.exe "calc" - Description: Executes calc.exe without any parameter. - Usecase: Executes an executable using undocumented implicit behavior. 
- Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows - Tags: - - Execute: EXE - - Command: logger.exe "cmd /c calc" - Description: Executes a command via cmd.exe without any parameter. - Usecase: Executes arbitrary commands using undocumented implicit behavior. + - Command: logger.exe "{CMD}" + Description: Executes the command specified as a child of `logger.exe`. + Usecase: Executes an abitrary command via a signed binary to evade detection. Category: Execute Privileges: User MitreID: T1202
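Review bot: "abitrary" is misspelled in all three replacement `Usecase` lines; it should read "arbitrary". The third entry's `Description` ("Executes the command specified as a child of `logger.exe`.") is also the only one that does not say where the command comes from; suggest "Executes the command specified as the first argument as a child of `logger.exe`." so it matches the `RUN` and `RUNW` entries. Collapsing the `Execute: EXE` variants into the `{CMD}` entries is the right call, but the `Tags` of the surviving entries should be checked once the hunk is complete, since only the `Execute: CMD` tag remains and an EXE launched directly is still in scope.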