Which SIEM platforms have a T1653 detection rule?

df00tech provides T1653 (Power Settings) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Power Settings (T1653)?

Detecting Power Settings requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1653 detection?

The T1653 detection is rated medium severity with medium confidence.

What are common false positives for T1653?

Common false positives for T1653 include: IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled; Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers; Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates.

T1653: Power Settings — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let SuspiciousPowercfgArgs = dynamic(["/change", "-change", "/setacvalueindex", "-setacvalueindex", "/setdcvalueindex", "-setdcvalueindex", "/hibernate", "-hibernate", "/x", "-x"]);
let SleepTimeoutKeywords = dynamic(["standby-timeout", "hibernate-timeout", "monitor-timeout", "disk-timeout", "lock-timeout"]);
let PowerRegistryPaths = dynamic([
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Power",
    "HKCU\\Control Panel\\PowerCfg",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Power"
]);
// Branch 1: Suspicious powercfg.exe invocations disabling timeouts
let PowercfgAbuse = DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "powercfg.exe" or ProcessCommandLine has "powercfg"
| where ProcessCommandLine has_any (SuspiciousPowercfgArgs)
| extend TimeoutDisabled = ProcessCommandLine has_any (SleepTimeoutKeywords) and ProcessCommandLine has_any (" 0", " 0 ", "off", "never")
| extend HibernateDisabled = ProcessCommandLine has "hibernate" and ProcessCommandLine has_any ("off", " 0")
| where TimeoutDisabled or HibernateDisabled
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, FolderPath, SHA256
| extend DetectionType = "PowercfgTimeoutDisabled";
// Branch 2: Registry modifications to power policy keys
let PowerRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(1d)
| where RegistryKey has_any (PowerRegistryPaths)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryValueName has_any ("ACSettingIndex", "DCSettingIndex", "Attributes", "CurrentPowerPolicy", "Hibernate", "StandbyTimeout", "HibernateTimeout", "MonitorTimeout")
| where isnotempty(RegistryValueData) and RegistryValueData in ("0", "00000000")
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "PowerRegistryModification";
// Branch 3: Deletion of shutdown/reboot binaries (cross-platform consideration via Windows subsystem or admin tools)
let ShutdownBinaryDeletion = DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == "FileDeleted"
| where FileName has_any ("shutdown.exe", "restart.exe") or FolderPath has_any ("\\Windows\\System32\\shutdown", "\\Windows\\SysWOW64\\shutdown")
| where InitiatingProcessFileName !in~ ("TrustedInstaller.exe", "msiexec.exe", "setup.exe", "wusa.exe")
| project Timestamp, DeviceName, AccountName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "ShutdownBinaryDeletion";
// Combine all branches
PowercfgAbuse
| union PowerRegistryMod
| union ShutdownBinaryDeletion
| project-reorder Timestamp, DeviceName, AccountName, DetectionType
| order by Timestamp desc

Three-branch detection covering: (1) powercfg.exe invocations that set sleep, standby, hibernate, monitor, or lock timeouts to zero or disable hibernate entirely; (2) direct registry modifications to Windows power policy keys writing zero values to timeout settings; and (3) deletion of Windows shutdown/reboot binaries by non-trusted installers. Alerts are emitted across all three branches and labeled with a DetectionType field for triage prioritization.

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents DeviceFileEvents

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates
Automated build agents and CI/CD runner hosts that disable sleep to ensure long-running pipelines complete without interruption
Battery backup (UPS) management software modifying power settings as part of hibernation-on-power-loss configuration

Splunk

spl

index=* (
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
    OR
    (sourcetype="WinEventLog:Security" EventCode=4688)
    OR
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12,13,14))
)
| eval proc_name=lower(coalesce(Image, NewProcessName, ProcessName))
| eval cmdline=lower(coalesce(CommandLine, ProcessCommandLine, ""))
| eval registry_path=lower(coalesce(TargetObject, ""))
| eval event_source=case(
    EventCode=1 OR EventCode=4688, "process",
    EventCode IN (12,13,14), "registry",
    true(), "unknown"
  )
| where (
    event_source="process" AND (
        (proc_name LIKE "%powercfg%" AND (
            (cmdline LIKE "%standby-timeout%" AND (cmdline LIKE "% 0%" OR cmdline LIKE "%off%"))
            OR (cmdline LIKE "%hibernate-timeout%" AND (cmdline LIKE "% 0%" OR cmdline LIKE "%off%"))
            OR (cmdline LIKE "%monitor-timeout%" AND (cmdline LIKE "% 0%" OR cmdline LIKE "%off%"))
            OR (cmdline LIKE "%disk-timeout%" AND cmdline LIKE "% 0%")
            OR (cmdline LIKE "%hibernate off%")
            OR (cmdline LIKE "%-h off%")
            OR (cmdline LIKE "%setacvalueindex%")
            OR (cmdline LIKE "%setdcvalueindex%")
        ))
        OR (proc_name LIKE "%systemctl%" AND (
            cmdline LIKE "%mask%sleep%"
            OR cmdline LIKE "%mask%hibernate%"
            OR cmdline LIKE "%mask%suspend%"
        ))
    )
  )
  OR (
    event_source="registry" AND (
        registry_path LIKE "%\\control\\power%"
        OR registry_path LIKE "%powercfg%"
        OR registry_path LIKE "%policies\\microsoft\\power%"
    ) AND EventCode=13
  )
| eval detection_type=case(
    event_source="process" AND proc_name LIKE "%powercfg%", "PowercfgAbuse",
    event_source="process" AND proc_name LIKE "%systemctl%", "SystemctlSleepMask",
    event_source="registry", "PowerRegistryModification",
    true(), "Unknown"
  )
| eval parent_proc=coalesce(ParentImage, ParentProcessName, "unknown")
| eval host=coalesce(ComputerName, host)
| eval user=coalesce(User, SubjectUserName, "unknown")
| table _time, host, user, detection_type, proc_name, cmdline, parent_proc, registry_path
| sort - _time

Multi-source SPL detection using Sysmon process creation (EventCode=1), Windows Security process creation (EventCode=4688), and Sysmon registry modification (EventCode=13) to identify powercfg.exe or systemctl invocations disabling power timeouts, and direct registry writes to Windows power policy keys. Results are labeled with a detection_type field for analyst triage.

medium severity medium confidence

Data Sources

Sysmon Windows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Server infrastructure management tools that configure always-on power policies for production servers and rack-mounted hardware
Enterprise desktop management platforms (Tanium, BigFix) that apply standardized power configurations fleet-wide via scripted powercfg invocations
Presentation or digital signage software that sets monitor and sleep timeouts to zero to prevent displays from blanking during scheduled content
Automated patch management systems temporarily disabling hibernate during maintenance windows to prevent mid-patch reboots
Gaming optimization tools and game launchers that modify power settings to prevent system sleep during active gaming sessions

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1653*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

Elastic EQL detection for Power Settings (T1653). Identifies power settings activity by correlating endpoint telemetry patterns consistent with known adversary techniques.

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

IBM QRadar AQL detection for Power Settings (T1653). Queries QRadar event pipeline for indicators consistent with power settings adversary techniques using MITRE ATT&CK-aligned event categorization.

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

Sumo Logic detection for Power Settings (T1653). Identifies adversary power settings behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates

Google Chronicle / SecOps

yaral

rule detection_t1653 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Power Settings - T1653"
    severity = "HIGH"
    mitre_attack = "T1653"
    reference = "https://attack.mitre.org/techniques/T1653/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule for detecting Power Settings (T1653). Uses Chronicle UDM event model to identify power settings behaviors across endpoint and cloud telemetry.

medium severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

CrowdStrike LogScale CQL detection for Power Settings (T1653). Queries Falcon telemetry for power settings behavioral indicators aligned with MITRE ATT&CK T1653.

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates

Power Settings

What is T1653 Power Settings?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1653

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Persistence

Popular Detections

What is T1653 Power Settings?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1653

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox