Detect Power Settings in Google Chronicle
This detection identifies adversaries abusing power management utilities and configuration settings to prevent infected systems from entering sleep, hibernate, or shutdown states, thereby extending their access window. On Windows, suspicious invocations of powercfg.exe with timeout-disabling flags, registry modifications to power scheme keys, and lock screen timeout changes are monitored. On Linux, masking of systemd sleep targets and modifications to /etc/systemd/logind.conf are targeted. The detection also covers deletion of system shutdown/reboot binaries, a behavior observed in Condi botnet campaigns, and unusual processes setting sleep inhibitors outside of known legitimate software contexts.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1653 Power Settings
- Canonical reference
- https://attack.mitre.org/techniques/T1653/
YARA-L Detection Query
rule detection_t1653 {
meta:
author = "Argus Detection Platform"
description = "Detects Power Settings - T1653"
severity = "HIGH"
mitre_attack = "T1653"
reference = "https://attack.mitre.org/techniques/T1653/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.hostname = $hostname
$e.target.process.file.full_path = $process_path
$e.target.process.command_line = $cmdline
(
re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
(
re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
re.regex($e.target.process.command_line, `(?i)-bypass`) or
re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
re.regex($e.target.process.command_line, `(?i)http://`)
)
)
not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)
condition:
$e
}Google Chronicle YARA-L 2.0 rule for detecting Power Settings (T1653). Uses Chronicle UDM event model to identify power settings behaviors across endpoint and cloud telemetry.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
- Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
- Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates
Other platforms for T1653
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Disable Standby and Hibernate Timeouts via powercfg
Expected signal: Windows Event ID 4688 or Sysmon EventID 1 for powercfg.exe with the full command line visible. DeviceRegistryEvents entries for HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes showing ACSettingIndex and DCSettingIndex values set to 0.
- Test 2Disable Hibernate via powercfg hibernate off
Expected signal: Sysmon EventID 1 or Security EventID 4688 with ProcessCommandLine containing 'powercfg' and '/hibernate off' or '-h off'. DeviceFileEvents showing deletion of C:\hiberfil.sys (if hibernate was previously enabled).
- Test 3Mask systemd Sleep Targets on Linux
Expected signal: Syslog or auditd entries showing systemctl execution with 'mask' and target names. If auditd EXECVE rules are configured, full command line will be captured. journalctl will show systemd unit mask operations.
References (6)
- https://attack.mitre.org/techniques/T1653/
- https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
- https://www.fortinet.com/blog/threat-research/coinloader-a-sophisticated-malware-loader-campaign
- https://www.rapid7.com/blog/post/2022/12/06/two-new-monero-malware-attacks-target-windows-and-android-users/
- https://www.trendmicro.com/en_us/research/22/k/batloader-the-evasive-downloader-malware.html
- https://www.freedesktop.org/software/systemd/man/systemd-sleep.conf.html
Unlock Pro Content
Get the full detection package for T1653 including response playbook, investigation guide, and atomic red team tests.