From dcad562e5fee971a1595ad72556304a3881da4ab Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Wed, 28 May 2025 16:15:30 +0300 Subject: [PATCH] Add XBootMgrSleep.yml (#381) * Add xbootmgrsleep.yml * Update XBootMgrSleep.yml * Update XBootMgrSleep.yml * Update XBootMgrSleep.yml * Update XBootMgrSleep.yml --------- Co-authored-by: Wietze --- yml/OtherMSBinaries/XBootMgrSleep.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 yml/OtherMSBinaries/XBootMgrSleep.yml diff --git a/yml/OtherMSBinaries/XBootMgrSleep.yml b/yml/OtherMSBinaries/XBootMgrSleep.yml new file mode 100644 index 0000000..7092de0 --- /dev/null +++ b/yml/OtherMSBinaries/XBootMgrSleep.yml @@ -0,0 +1,23 @@ +--- +Name: XBootMgrSleep.exe +Description: Windows Performance Toolkit binary used for tracing and analyzing system performance during sleep and resume transitions. +Author: Avihay Eldad +Created: 2024-06-13 +Commands: + - Command: xbootmgrsleep.exe 1000 "{CMD}" + Description: Execute a command with XBootMgrSleep as a parent process, with a 1 second (=1000 milliseconds) delay. + Usecase: Performs execution of specified command, can be used as a defense evasion + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows + Tags: + - Execute: CMD +Full_Path: + - Path: C:\Program Files\Windows Kits\10\Windows Performance Toolkit\xbootmgrsleep.exe + - Path: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\xbootmgrsleep.exe +Resources: + - Link: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/reference +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad'
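Review bot: the new entry has no `Detection:` section, which most LOLBAS yml files carry and which defenders rely on; please add at least an IOC entry before merging, for example:

Detection:
  - IOC: xbootmgrsleep.exe spawning a child process outside of a Windows Performance Toolkit tracing session

Two smaller points in the same hunk: the `Usecase:` text "Performs execution of specified command, can be used as a defense evasion" reads as a fragment and would be clearer as "Executes the specified command; can be used for defense evasion", and the `Created: 2024-06-13` date predates this commit by almost a year, so please confirm it is the intended value rather than a leftover from an earlier draft. The `Resources:` link also points at the generic xperf reference rather than a page covering this binary; if a more specific reference exists it would help reviewers confirm the described behaviour.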