From a4199124bcc2ef36d5c09f036ab17e4e53e5e9d6 Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Thu, 10 Jul 2025 12:47:39 +0300 Subject: [PATCH] Update XBootMgrSleep.yml (#445) * Add xbootmgrsleep.yml * Update XBootMgrSleep.yml * Update XBootMgrSleep.yml * Update XBootMgrSleep.yml * Update XBootMgrSleep.yml * Update XBootMgrSleep.yml * Update XBootMgrSleep.yml * Update XBootMgrSleep.yml --------- Co-authored-by: Wietze --- yml/OtherMSBinaries/XBootMgrSleep.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/yml/OtherMSBinaries/XBootMgrSleep.yml b/yml/OtherMSBinaries/XBootMgrSleep.yml index 7092de0..672dc8c 100644 --- a/yml/OtherMSBinaries/XBootMgrSleep.yml +++ b/yml/OtherMSBinaries/XBootMgrSleep.yml @@ -4,15 +4,15 @@ Description: Windows Performance Toolkit binary used for tracing and analyzing s Author: Avihay Eldad Created: 2024-06-13 Commands: - - Command: xbootmgrsleep.exe 1000 "{CMD}" - Description: Execute a command with XBootMgrSleep as a parent process, with a 1 second (=1000 milliseconds) delay. - Usecase: Performs execution of specified command, can be used as a defense evasion + - Command: xbootmgrsleep.exe 1000 {PATH:.exe} + Description: Execute executable via XBootMgrSleep, with a 1 second (=1000 milliseconds) delay. Alternatively, it is also possible to replace the delay with any string for immediate execution. + Usecase: Performs execution of specified executable, can be used as a defense evasion Category: Execute Privileges: User MitreID: T1202 OperatingSystem: Windows Tags: - - Execute: CMD + - Execute: EXE Full_Path: - Path: C:\Program Files\Windows Kits\10\Windows Performance Toolkit\xbootmgrsleep.exe - Path: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\xbootmgrsleep.exe @@ -21,3 +21,5 @@ Resources: Acknowledgement: - Person: Avihay Eldad Handle: '@AvihayEldad' + - Person: Yuval Saban + Handle: '@yuvalsaban3'
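Review bot: in the first hunk the new Description claims the delay "can be replaced with any string for immediate execution", but nothing in the change backs that up and the only Command entry documents `xbootmgrsleep.exe 1000 {PATH:.exe}`; either add a second Command entry for the no-delay variant (with its own Description and Usecase, so detection content can match on both argument shapes) or drop the sentence until a Resources link or a test confirms it. The Tags change from `Execute: CMD` to `Execute: EXE` is consistent with the new `{PATH:.exe}` placeholder, but the Usecase still reads as a comma splice; suggest `Executes the specified executable; can be used for defense evasion`, and `Execute executable via XBootMgrSleep` would read better as `Executes the given executable via XBootMgrSleep`.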