Detect Power Settings in Elastic Security
This detection identifies adversaries abusing power management utilities and configuration settings to prevent infected systems from entering sleep, hibernate, or shutdown states, thereby extending their access window. On Windows, suspicious invocations of powercfg.exe with timeout-disabling flags, registry modifications to power scheme keys, and lock screen timeout changes are monitored. On Linux, masking of systemd sleep targets and modifications to /etc/systemd/logind.conf are targeted. The detection also covers deletion of system shutdown/reboot binaries, a behavior observed in Condi botnet campaigns, and unusual processes setting sleep inhibitors outside of known legitimate software contexts.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1653 Power Settings
- Canonical reference
- https://attack.mitre.org/techniques/T1653/
Elastic Detection Query
process where event.type == "start" and (
process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
process.command_line : ("*t1653*", "*suspicious*") or
process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == trueElastic EQL detection for Power Settings (T1653). Identifies power settings activity by correlating endpoint telemetry patterns consistent with known adversary techniques.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
- Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
- Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates
Other platforms for T1653
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Disable Standby and Hibernate Timeouts via powercfg
Expected signal: Windows Event ID 4688 or Sysmon EventID 1 for powercfg.exe with the full command line visible. DeviceRegistryEvents entries for HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes showing ACSettingIndex and DCSettingIndex values set to 0.
- Test 2Disable Hibernate via powercfg hibernate off
Expected signal: Sysmon EventID 1 or Security EventID 4688 with ProcessCommandLine containing 'powercfg' and '/hibernate off' or '-h off'. DeviceFileEvents showing deletion of C:\hiberfil.sys (if hibernate was previously enabled).
- Test 3Mask systemd Sleep Targets on Linux
Expected signal: Syslog or auditd entries showing systemctl execution with 'mask' and target names. If auditd EXECVE rules are configured, full command line will be captured. journalctl will show systemd unit mask operations.
References (6)
- https://attack.mitre.org/techniques/T1653/
- https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
- https://www.fortinet.com/blog/threat-research/coinloader-a-sophisticated-malware-loader-campaign
- https://www.rapid7.com/blog/post/2022/12/06/two-new-monero-malware-attacks-target-windows-and-android-users/
- https://www.trendmicro.com/en_us/research/22/k/batloader-the-evasive-downloader-malware.html
- https://www.freedesktop.org/software/systemd/man/systemd-sleep.conf.html
Unlock Pro Content
Get the full detection package for T1653 including response playbook, investigation guide, and atomic red team tests.