From 49b9544a792303aa5e51b0d6a1e367247faae254 Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Thu, 13 Jun 2024 10:58:16 +0300 Subject: [PATCH 1/2] Add xbootmgrsleep.yml --- yml/OtherMSBinaries/XBootMgrSleep.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 yml/OtherMSBinaries/XBootMgrSleep.yml diff --git a/yml/OtherMSBinaries/XBootMgrSleep.yml b/yml/OtherMSBinaries/XBootMgrSleep.yml new file mode 100644 index 00000000..a6a9fa43 --- /dev/null +++ b/yml/OtherMSBinaries/XBootMgrSleep.yml @@ -0,0 +1,22 @@ +--- +Name: XBootMgrSleep.exe +Description: Windows Performance Toolkit binary used for tracing and analyzing system performance during sleep and resume transitions. +Author: Avihay Eldad +Created: 2024-06-13 +Commands: + - Command: xbootmgrsleep.exe calc + Description: Execute an executable file with XBootMgrSleep as a parent process. + Usecase: Performs execution of specified file, can be used as a defense evasion + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows +Full_Path: + - Path: C:\Program Files\Windows Kits\10\Windows Performance Toolkit\xbootmgrsleep.exe + - Path: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\xbootmgrsleep.exe +Resources: + - Link: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/reference +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad' + \ No newline at end of file From b116674996dff972e81a397d365dfc7724ca39ad Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Thu, 13 Jun 2024 11:06:14 +0300 Subject: [PATCH 2/2] Update XBootMgrSleep.yml --- yml/OtherMSBinaries/XBootMgrSleep.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/yml/OtherMSBinaries/XBootMgrSleep.yml b/yml/OtherMSBinaries/XBootMgrSleep.yml index a6a9fa43..0a61900e 100644 --- a/yml/OtherMSBinaries/XBootMgrSleep.yml +++ b/yml/OtherMSBinaries/XBootMgrSleep.yml @@ -19,4 +19,3 @@ Resources: Acknowledgement: - Person: Avihay Eldad Handle: '@AvihayEldad' - \ No newline at end of file