T1653 Power Settings Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPowercfgArgs = dynamic(["/change", "-change", "/setacvalueindex", "-setacvalueindex", "/setdcvalueindex", "-setdcvalueindex", "/hibernate", "-hibernate", "/x", "-x"]);
let SleepTimeoutKeywords = dynamic(["standby-timeout", "hibernate-timeout", "monitor-timeout", "disk-timeout", "lock-timeout"]);
let PowerRegistryPaths = dynamic([
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Power",
    "HKCU\\Control Panel\\PowerCfg",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Power"
]);
// Branch 1: Suspicious powercfg.exe invocations disabling timeouts
let PowercfgAbuse = DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "powercfg.exe" or ProcessCommandLine has "powercfg"
| where ProcessCommandLine has_any (SuspiciousPowercfgArgs)
| extend TimeoutDisabled = ProcessCommandLine has_any (SleepTimeoutKeywords) and ProcessCommandLine has_any (" 0", " 0 ", "off", "never")
| extend HibernateDisabled = ProcessCommandLine has "hibernate" and ProcessCommandLine has_any ("off", " 0")
| where TimeoutDisabled or HibernateDisabled
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, FolderPath, SHA256
| extend DetectionType = "PowercfgTimeoutDisabled";
// Branch 2: Registry modifications to power policy keys
let PowerRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(1d)
| where RegistryKey has_any (PowerRegistryPaths)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryValueName has_any ("ACSettingIndex", "DCSettingIndex", "Attributes", "CurrentPowerPolicy", "Hibernate", "StandbyTimeout", "HibernateTimeout", "MonitorTimeout")
| where isnotempty(RegistryValueData) and RegistryValueData in ("0", "00000000")
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "PowerRegistryModification";
// Branch 3: Deletion of shutdown/reboot binaries (cross-platform consideration via Windows subsystem or admin tools)
let ShutdownBinaryDeletion = DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == "FileDeleted"
| where FileName has_any ("shutdown.exe", "restart.exe") or FolderPath has_any ("\\Windows\\System32\\shutdown", "\\Windows\\SysWOW64\\shutdown")
| where InitiatingProcessFileName !in~ ("TrustedInstaller.exe", "msiexec.exe", "setup.exe", "wusa.exe")
| project Timestamp, DeviceName, AccountName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "ShutdownBinaryDeletion";
// Combine all branches
PowercfgAbuse
| union PowerRegistryMod
| union ShutdownBinaryDeletion
| project-reorder Timestamp, DeviceName, AccountName, DetectionType
| order by Timestamp desc

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents DeviceFileEvents

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates
Automated build agents and CI/CD runner hosts that disable sleep to ensure long-running pipelines complete without interruption
Battery backup (UPS) management software modifying power settings as part of hibernation-on-power-loss configuration

Splunk

spl

index=* (
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
    OR
    (sourcetype="WinEventLog:Security" EventCode=4688)
    OR
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12,13,14))
)
| eval proc_name=lower(coalesce(Image, NewProcessName, ProcessName))
| eval cmdline=lower(coalesce(CommandLine, ProcessCommandLine, ""))
| eval registry_path=lower(coalesce(TargetObject, ""))
| eval event_source=case(
    EventCode=1 OR EventCode=4688, "process",
    EventCode IN (12,13,14), "registry",
    true(), "unknown"
  )
| where (
    event_source="process" AND (
        (proc_name LIKE "%powercfg%" AND (
            (cmdline LIKE "%standby-timeout%" AND (cmdline LIKE "% 0%" OR cmdline LIKE "%off%"))
            OR (cmdline LIKE "%hibernate-timeout%" AND (cmdline LIKE "% 0%" OR cmdline LIKE "%off%"))
            OR (cmdline LIKE "%monitor-timeout%" AND (cmdline LIKE "% 0%" OR cmdline LIKE "%off%"))
            OR (cmdline LIKE "%disk-timeout%" AND cmdline LIKE "% 0%")
            OR (cmdline LIKE "%hibernate off%")
            OR (cmdline LIKE "%-h off%")
            OR (cmdline LIKE "%setacvalueindex%")
            OR (cmdline LIKE "%setdcvalueindex%")
        ))
        OR (proc_name LIKE "%systemctl%" AND (
            cmdline LIKE "%mask%sleep%"
            OR cmdline LIKE "%mask%hibernate%"
            OR cmdline LIKE "%mask%suspend%"
        ))
    )
  )
  OR (
    event_source="registry" AND (
        registry_path LIKE "%\\control\\power%"
        OR registry_path LIKE "%powercfg%"
        OR registry_path LIKE "%policies\\microsoft\\power%"
    ) AND EventCode=13
  )
| eval detection_type=case(
    event_source="process" AND proc_name LIKE "%powercfg%", "PowercfgAbuse",
    event_source="process" AND proc_name LIKE "%systemctl%", "SystemctlSleepMask",
    event_source="registry", "PowerRegistryModification",
    true(), "Unknown"
  )
| eval parent_proc=coalesce(ParentImage, ParentProcessName, "unknown")
| eval host=coalesce(ComputerName, host)
| eval user=coalesce(User, SubjectUserName, "unknown")
| table _time, host, user, detection_type, proc_name, cmdline, parent_proc, registry_path
| sort - _time

medium severity medium confidence

Data Sources

Sysmon Windows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Server infrastructure management tools that configure always-on power policies for production servers and rack-mounted hardware
Enterprise desktop management platforms (Tanium, BigFix) that apply standardized power configurations fleet-wide via scripted powercfg invocations
Presentation or digital signage software that sets monitor and sleep timeouts to zero to prevent displays from blanking during scheduled content
Automated patch management systems temporarily disabling hibernate during maintenance windows to prevent mid-patch reboots
Gaming optimization tools and game launchers that modify power settings to prevent system sleep during active gaming sessions

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1653*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates

Google Chronicle / SecOps

yaral

rule detection_t1653 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Power Settings - T1653"
    severity = "HIGH"
    mitre_attack = "T1653"
    reference = "https://attack.mitre.org/techniques/T1653/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

medium severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates

Power Settings

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Persistence

Popular Detections